
Subject Confirmation Methods for SAML Token Profiles

SAML Token Profile authentication enables you to confirm a subject in SAML with the sender-vouches subject confirmation method.

This method enables SSO for Web services by using a SAML assertion to forward authentication information acquired in an initial logon.

Sender-Vouches Subject Confirmation Method

You can use the sender-vouches confirmation method for SSO scenarios where the WS intermediary system has a trust relationship with the back-end system. This scenario defines four different entities: (1) a client, (2) an intermediary, (3) a SAML issuer, and (4) a back-end system that is the WS provider.

For an overview of the system interaction for this scenario, see the figure below:

[Figure: Sender-Vouches Subject Confirmation]

The following steps describe in more detail the lifetime of a request using the SAML sender-vouches profile.


       1.      The client sends a request to the intermediary. This request can be of any kind but must contain valid authentication information to log the client on to the intermediary.

       2.      The intermediary authenticates the client. To process the request, the intermediary needs to retrieve information from the back-end system using Web Services forwarding mechanisms for the client’s authentication information.

       3.      To forward the client’s authentication, the intermediary needs to add a SAML assertion to the request. This assertion is provided by the issuer. To get it, the intermediary needs to forward all necessary login information to the issuer, which in return creates the SAML assertion.

       4.      The assertion is added to the Web service request. To vouch for the integrity of the SAML assertion and the payload of the Web service request, the intermediary signs both using a digital signature. The intermediary is able to vouch for the SAML assertion because there is an explicit trust relationship between the back-end system and the intermediary, which enables the back-end system to verify the digital signature.

       5.      The Web service request containing the SAML assertion is now sent to the back-end system.

       6.      The back-end system attempts to verify the SAML assertion. Besides checking the correctness of the SAML assertion, the back-end system also verifies that the issuer is trusted and that a trust relationship exists between the intermediary and the back-end system. After successful verification, the client is logged on to the system and the request is processed.

       7.      The back-end system sends a response to the intermediary. The intermediary uses the received data to complete the client’s request and send a response to the client.

The following excerpt shows what a security header including a SAML assertion using the sender-vouches subject confirmation method looks like.

<wsse:Security>
   <saml:Assertion AssertionID="SAML_ID" Issuer="www.example.org" ...>
      <saml:Conditions NotBefore="..." NotOnOrAfter="..."/>
      <saml:AuthenticationStatement AuthenticationMethod="urn:...:password"
                                    AuthenticationInstant="2005-03-19T...Z">
         <saml:Subject>
            <saml:NameIdentifier>MUELLERTHOM2</saml:NameIdentifier>
            <saml:SubjectConfirmation>
               <saml:ConfirmationMethod>
                  urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
               </saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
         </saml:Subject>
      </saml:AuthenticationStatement>
   </saml:Assertion>
   <wsse:SecurityTokenReference wsu:Id="STR1" ...> ... </wsse:SecurityTokenReference>
   <wsse:BinarySecurityToken ...> ... </wsse:BinarySecurityToken>
   <ds:Signature>
      <ds:SignedInfo>
         <ds:Reference URI="#STR1"> ... </ds:Reference>
         <ds:Reference URI="#body"> ... </ds:Reference>
         ...
      </ds:SignedInfo>
   </ds:Signature>
</wsse:Security>
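
The structural part of the back-end check in step 6, as an added example that is not SAP's code or part of the original page: it confirms that the assertion uses sender-vouches, lies inside its Conditions window, and that the intermediary's signature references both the token reference pointing at the assertion and the body. The envelope, timestamps, the `KeyIdentifier` linkage and the function names are constructed assumptions; cryptographic signature verification and the issuer trust check are not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
WSU_ID = "{%s}Id" % NS["wsu"]

def sample(refs=("STR1", "body")):
    """Constructed, trimmed request; digests and signature value are left out."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    sig = "".join(f'<ds:Reference URI="#{r}"/>' for r in refs)
    return f"""<soap:Envelope {decl}><soap:Header><wsse:Security>
 <saml:Assertion AssertionID="SAML_ID" Issuer="www.example.org">
  <saml:Conditions NotBefore="2005-03-19T10:00:00Z" NotOnOrAfter="2005-03-19T10:05:00Z"/>
  <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>MUELLERTHOM2</saml:NameIdentifier>
   <saml:SubjectConfirmation><saml:ConfirmationMethod>{SENDER_VOUCHES}
   </saml:ConfirmationMethod></saml:SubjectConfirmation>
  </saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 <wsse:SecurityTokenReference wsu:Id="STR1">
  <wsse:KeyIdentifier>SAML_ID</wsse:KeyIdentifier></wsse:SecurityTokenReference>
 <ds:Signature><ds:SignedInfo>{sig}</ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header><soap:Body wsu:Id="body"/></soap:Envelope>"""

def findings(xml_text, now):
    """Structural checks from steps 4 and 6; returns a list of problems."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    assertion, out = sec.find("saml:Assertion", NS), []
    methods = [m.text.strip() for m in assertion.iterfind(".//saml:ConfirmationMethod", NS)]
    if methods != [SENDER_VOUCHES]:
        out.append("confirmation method is not sender-vouches")
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
               for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < noa:
        out.append("assertion outside its validity window")
    # Ids the signature covers, and token references that point at this assertion.
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    strs = [s.get(WSU_ID) for s in sec.iterfind("wsse:SecurityTokenReference", NS)
            if s.findtext("wsse:KeyIdentifier", "", NS).strip() == assertion.get("AssertionID")]
    if not any(i in signed for i in strs):
        out.append("assertion is not covered by the signature")
    if root.find("soap:Body", NS).get(WSU_ID) not in signed:
        out.append("body is not covered by the signature")
    return out
```

`now` must be a timezone-aware `datetime`; a request is only passed on to signature and issuer verification when `findings` returns an empty list.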

 

 

 

 
