SAML SSO Response

Last update:2022-06-09 12:17:17

Overview

In the SAML2.0-based SSO process, when an enterprise user logs in to IdP, IdP generates an authentication response that contains SAML statements and automatically forwards them to CDNetworks by browser.This SAML statement is used to check the user’s login status and to interpret the subject of the login.Therefore, the affirmation must contain elements required by CDNetwork, otherwise the SSO will fail because the login user will not be identified.

SAML response


<saml2p:Response
    <saml2:Issuer>${entityID}</saml2:Issuer>
    <ds:Signature>
     …
    </ds:Signature>
    <saml2p:Status>
     …
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>${entityID}</saml2:Issuer>
        <ds:Signature>
        …
        </ds:Signature>
        <saml2:Subject>
          <saml2:NameID>${NameID}</saml2:NameID>
          <saml2:SubjectConfirmation>
		…
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
          <saml2:AudienceRestriction>
          	<saml2:Audience>${Audience}</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
         …
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
          <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName" >
            …
          </saml2:Attribute>
		 <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
            …
          </saml2:Attribute>
          …
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Element description in SAML assertion

  • Common elements of the SAML 2.0 protocol

element Description
Issuer The value of Issuer must match the entityID in the IdP metadata file uploaded in the identity provider entity created by CDNetworks .
Signature It is required that SAML assertions must be signed to ensure that there is no tampering, and Signature and its contained elements must contain information such as signature value and signature algorithm.
Subject
The subject must contain the following elements:

1) Only one NameID element exists.The value of the NameID, usually the ID of the SAML claim subject in IdP (which can be an IDP internal account name or ID), is not dependent on the value of the element to identify the login subject.

<saml2:Subject>

       <saml2:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>admin</saml2:NameID>

       <saml2:SubjectConfirmation Method=“urn:oasis:names:tc:SAML:2.0:cm:bearer”>

                <saml2:SubjectConfirmationData

                    InResponseTo="_adafdaxfrpqkrf4cpnkfslpgxf76qeqmlwtag"

                    NotOnOrAfter=“2021-04-29T18:57:29.367Z” Recipient=“https://login.cdnetworks.com/cas/login?client_name=mockClient”/>

      </saml2:SubjectConfirmation>

</saml2:Subject>

Conditions The Condition element must contain an AudienceRestriction element, which can contain one or more Audience elements, but there must be one Audience element whose value is https://login.cdnetworks.com/cas .
The following is an example of the Conditions element:

<saml2:Conditions>

  <saml2:AudienceRestriction>

     <saml2:Audience>https://login.cdnetworks.com/cas</saml2:Audience>

  </saml2:AudienceRestriction>

</saml2:Conditions>

Description of elements in SAML section

  • Custom element requirements

In the AttributeStatement element of the SAML assertion, the following Attribute elements must be included:

  1. Name property value is: https://login.cdnetworks.com/SAML/Attributes/LoginName’s Attribute element, which is required and can have several (multiple uploads are supported on the interface, but are not supported on the program; only the first value will be taken).The AttributeValue element values it contains represent which IDP users are currently allowed access to. The values are in a combination of user descriptions and ID provider descriptions, separated by commas.
<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName" >  
<saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>        
     <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>  
</saml2:Attribute>

In this property, where:
• ${parentLoginName}: Replace with your main account for CDNetworks;
• ${loginName}: Replace with CDNetwo that your current IDP user wants to access CDNetworks user account;
• ${provider}: Replace with the name of the SAML authentication provider you created on the CDNetworks console.
2) Name property value is: https://login.cdnetworks.com/SAML/AttrAttribute element of RoleSessionName, which is required and can only have one.The AttributeValue element values that it contains are used to display in the console and in the action audit log as part of the login user informationIn. This field is customized by the user and is no longer than 32 characters long. Its format is:

<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
     <saml2:AttributeValue>${NameID}</saml2:AttributeValue>          
</saml2:Attribute>

The following is an example of a RoleSessionName Attribute element.

<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
     <saml2:AttributeValue>admin</saml2:AttributeValue>          
</saml2:Attribute>

Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!