A new section, the AttributeConsumingService tag, is added to the Access Manager metadata.
The following is an example of OIOSAML 3 Identity Provider metadata:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example OIOSAML 3 Identity Provider metadata published by Access Manager.
     Certificate contents are redacted as "***" in this example. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="idJd_wMSdU-dWNczQ5TfqvlifNttM"
                     entityID="https://slesnode1.kcdad1.com:8443/nidp/saml2/metadata">
  <md:IDPSSODescriptor ID="idjUZHtd27BccDClCkXcbqBO96ULI"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Signing key: relying parties should verify Response and Assertion signatures
         against this certificate, not against a certificate carried inside the message. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> *** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- NOTE(review): xmlenc#sha256 is a digest algorithm URI rather than a cipher;
           confirm the peer expects it under the signing descriptor. -->
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
    </md:KeyDescriptor>
    <!-- Encryption key: used by the peer to encrypt material sent to this IdP. -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> *** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- NOTE(review): the Response example on this page uses aes256-gcm; confirm which
           algorithm the peer negotiates, GCM being the preferred mode. -->
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                  Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/soap"
                                  index="0"
                                  isDefault="true" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/slo"
                            ResponseLocation="https://slesnode1.kcdad1.com:8443/nidp/saml2/slo_return" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/slo"
                            ResponseLocation="https://slesnode1.kcdad1.com:8443/nidp/saml2/slo_return" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/soap" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/rni"
                            ResponseLocation="https://slesnode1.kcdad1.com:8443/nidp/saml2/rni_return" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/rni"
                            ResponseLocation="https://slesnode1.kcdad1.com:8443/nidp/saml2/rni_return" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/soap" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <!-- The AuthnRequest example on this page targets the HTTP-POST SSO Location below. -->
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/sso" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/sso" />
    <md:NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                             Location="https://slesnode1.kcdad1.com:8443/nidp/saml2/soap" />
    <!-- OIOSAML 3 addition: the attribute set this provider works with.
         NOTE(review): the SAML 2.0 metadata schema defines AttributeConsumingService under
         SPSSODescriptor; confirm the peer accepts it inside IDPSSODescriptor.
         NOTE(review): ServiceName names the SP host (slesnode3), not this IdP; confirm intended. -->
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">https://slesnode3.kcdad3.com:8443</md:ServiceName>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/specVersion"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="true" />
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/loa"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="true" />
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/ial"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/aal"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/fullName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/firstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/lastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <!-- cprNumber and cprUuid are personal identifiers; keep them optional unless the
           service actually needs them. -->
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/cprNumber"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/cprUuid"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/cvr"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/orgName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false" />
    </md:AttributeConsumingService>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">slesnode1.kcdad.com</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">slesnode1.kcdad.com</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://slesnode1.kcdad.com:8443/nidp</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="other">
    <md:Company>Micro Focus IDp cluster 2</md:Company>
    <md:GivenName>NAMTeam</md:GivenName>
    <md:SurName>AccessManager</md:SurName>
    <md:EmailAddress>domain@example.com</md:EmailAddress>
    <md:TelephoneNumber>+919800000000</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>
The following is an example of OIOSAML 3 Service Provider metadata:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Example OIOSAML 3 Service Provider metadata published by Access Manager.
     Certificate contents are redacted as "***" in this example. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="idsWpPnVd3lrTb9RG-7Spb66WcBDg"
                     entityID="https://slesnode3.kcdad3.com:8443/nidp/saml2/metadata">
  <md:SPSSODescriptor ID="id20GZPB3L0tS7SR4Z8GxMjOoDJZQ"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Signing key: the IdP verifies signed AuthnRequests against this certificate. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> *** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- NOTE(review): xmlenc#sha256 is a digest algorithm URI rather than a cipher;
           confirm the peer expects it under the signing descriptor. -->
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </md:KeyDescriptor>
    <!-- Encryption key: the IdP encrypts the Assertion to this certificate. -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> *** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- NOTE(review): the Response example on this page uses aes256-gcm; confirm which
           algorithm the peer negotiates, GCM being the preferred mode. -->
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                  Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spsoap"
                                  index="0"
                                  isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spslo"
                            ResponseLocation="https://slesnode3.kcdad3.com:8443/nidp/saml2/spslo_return"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spslo"
                            ResponseLocation="https://slesnode3.kcdad3.com:8443/nidp/saml2/spslo_return"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spsoap"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/sprni"
                            ResponseLocation="https://slesnode3.kcdad3.com:8443/nidp/saml2/sprni_return"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/sprni"
                            ResponseLocation="https://slesnode3.kcdad3.com:8443/nidp/saml2/sprni_return"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spsoap"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <!-- The IdP should only deliver a Response to an endpoint listed here; an
         AssertionConsumerServiceURL in a request that is not in metadata should be rejected. -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://slesnode3.kcdad3.com:8443/nidp/saml2/spassertion_consumer"
                                 index="0"
                                 isDefault="true"/>
    <!-- OIOSAML 3 addition: the attributes this SP requests from the IdP. -->
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">https://slesnode3.kcdad3.com:8443</md:ServiceName>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/specVersion"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="true"/>
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/loa"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="true"/>
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/ial"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/aal"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/fullName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/firstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/lastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <!-- cprNumber and cprUuid are personal identifiers; keep them optional unless the
           service actually needs them. -->
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/cprNumber"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/cprUuid"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/cvr"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/orgName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">slesnode3.kcdad3.com</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">slesnode3.kcdad3.com</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://slesnode3.kcdad3.com:8443/nidp</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="other">
    <md:Company>Micro Focus IDp cluster 2</md:Company>
    <md:GivenName>NAMTeam</md:GivenName>
    <md:SurName>AccessManager</md:SurName>
    <md:EmailAddress>domain@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
Request
The following is an example of an authentication request from an OIOSAML 3-compliant trusted provider (for example, Nemlogin) to the Access Manager Identity Provider:
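<!-- Example AuthnRequest sent by the trusted provider to the Access Manager IdP.
     Destination matches the HTTP-POST SingleSignOnService Location in the IdP metadata;
     the IdP should compare it against its own endpoint before processing the request. -->
<AuthnRequest ID="_bd71a98e-37fe-9a8c-bf3e-d20e39337d5b"
              Version="2.0"
              IssueInstant="2023-02-15T09:34:54.8455204Z"
              Destination="https://slesnode1.kcdad1.com:8443/nidp/saml2/sso"
              IsPassive="false"
              ForceAuthn="false"
              AssertionConsumerServiceURL="https://devtest4-nemlog-in.dk/localidp/saml/1.0/"
              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <!-- AssertionConsumerServiceURL above is requester supplied; the IdP should honour it only
       when it matches an AssertionConsumerService registered in the requester's metadata. -->
  <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
          xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.devtest4-nemlog-in.dk</Issuer>
  <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AudienceRestriction>
      <Audience>https://saml.devtest4-nemlog-in.dk</Audience>
    </AudienceRestriction>
  </Conditions>
  <!-- SAML 2.0 core names this attribute Comparison (capital C); the lowercase spelling used
       in the original sample is not the schema attribute and is ignored or rejected by a
       schema-validating parser, which would silently drop the "minimum" requirement. -->
  <RequestedAuthnContext Comparison="minimum">
    <!-- Requested NSIS level of assurance and identity type; the IdP is expected to return
         an assurance level at least this high. -->
    <AuthnContextClassRef xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://data.gov.dk/concept/core/nsis/loa/Substantial</AuthnContextClassRef>
    <AuthnContextClassRef xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://data.gov.dk/eid/Professional</AuthnContextClassRef>
  </RequestedAuthnContext>
  <Scoping>
    <RequesterID>https://saml.services.devtest4-nemlog-in.dk</RequesterID>
  </Scoping>
</AuthnRequest>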
Response
The following is an example of an authentication response from the Access Manager Identity Provider to an OIOSAML 3-compliant trusted provider:
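<!-- Example Response from the Access Manager IdP. InResponseTo carries the ID of the
     AuthnRequest example above, and Destination is that request's AssertionConsumerServiceURL.
     Certificate and ciphertext contents are redacted as "***". -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained"
                Destination="https://devtest4-nemlog-in.dk/localidp/saml/1.0/"
                ID="idL4NswVTVNPY69m7ld5Kf6744y0Q"
                InResponseTo="_bd71a98e-37fe-9a8c-bf3e-d20e39337d5b"
                IssueInstant="2023-02-15T09:35:06Z"
                Version="2.0">
  <saml:Issuer>https://slesnode1.kcdad1.com:8443/nidp/saml2/metadata</saml:Issuer>
  <!-- Enveloped signature over the whole Response (Reference URI is the Response ID),
       exclusive C14N, RSA-SHA256. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#idL4NswVTVNPY69m7ld5Kf6744y0Q">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>9op0qndP22y6OTkYB5QKqvcep0OU6p0raobXlDF9jXc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
RXHrgFsZOuFTYxiBwws6moKmCqqseM1w79h9dnS4FkgV4cF/9mHm9LnuWMPmHq/eHyNSOj7YLXW5
4ewsKbxZjr769DkQ+vB3f91nr35IEG/pHMURgW9Z2DqKvbO2z5ApWuClHO4HXq7RykgVDXKubQvY
h2/t6zVIbBAaZuyNvh2LZjK7fptEwvAxsqL7ny/vTnN+o13lL3DsJKT+4E4sOpDUCfSM94lJqwfq
Hd2mKyYn095mKhp9Em2zy1YLQrbyJcS+jdqXnWLK7OKc7xNIRxAtSf7y3lLpw9LGxcGrEGKFMf+9
Wu6UN5j4SfWoaIR9GE5zbHuYXSUZ1CGd5HOzPpAA6ARqY007sSetimKb/mF1AVLy8vaF5G6na89S
UczqcZn3DgM2mZEixOQp3iyjw50rIGlZC51EUxwhH84zxe5mhYQiAnkq6/1oBjav6OERoURVE/2W
UwLUV0nKsWPPd9PqQpT0XxO5Aghn/puenpoGUiOqNXbqCb79nQyLa9K4
    </ds:SignatureValue>
    <!-- The embedded certificate is informational only; the relying party should verify the
         signature against the signing key published in the IdP metadata, not this KeyInfo. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
***
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <!-- The Assertion is encrypted with AES-256-GCM; the content key is wrapped with RSA-OAEP
       (MGF1 with SHA-256) under the SP's encryption certificate, identified by issuer and serial. -->
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
                        Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256" />
          </xenc:EncryptionMethod>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <ds:X509Data>
                <ds:X509IssuerSerial>
                  <ds:X509IssuerName>CN=TRUST2408 Systemtest XXXIV CA, O=TRUST2408, C=DK</ds:X509IssuerName>
                  <ds:X509SerialNumber>1604723226</ds:X509SerialNumber>
                </ds:X509IssuerSerial>
              </ds:X509Data>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <!-- Fixed: the original sample left CipherValue unclosed, so it was not well formed. -->
          <xenc:CipherData>
            <xenc:CipherValue>***</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>***</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>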