SAML 1.1 Ticket Validation Response

Successful SAML 1.1 Ticket Validation Response (formatted for legibility)[1]:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<saml1p:Response 
  InResponseTo="_e08bf0037e0cfe7afe1a458fd987f088" 
  IssueInstant="2020-07-21T18:31:52.932Z" 
  MajorVersion="1" MinorVersion="1" 
  ResponseID="_55ed3c296e8568dbd8311f297aec9716" 
  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
<saml1p:Status>
  <saml1p:StatusCode Value="saml1p:Success"/> [2]
</saml1p:Status>
<saml1:Assertion 
  AssertionID="_c875507ce81243ca27a7231d216f3d69" 
  IssueInstant="2020-07-21T18:31:52.932Z" 
  Issuer="localhost" MajorVersion="1" MinorVersion="1" 
  xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
<saml1:Conditions 
  NotBefore="2020-07-21T18:31:52.932Z" 
  NotOnOrAfter="2020-07-21T18:32:22.932Z">
  <saml1:AudienceRestrictionCondition>
    <saml1:Audience>https://casdev.cc.columbia.edu/cas-duo-enroll/duoAuth</saml1:Audience> [3]
  </saml1:AudienceRestrictionCondition>
</saml1:Conditions>
<saml1:AuthenticationStatement 
  AuthenticationInstant="2020-07-21T18:31:57.761Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml1:Subject>
    <saml1:NameIdentifier>de3</saml1:NameIdentifier>
    <saml1:SubjectConfirmation>
      <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
    </saml1:SubjectConfirmation>
  </saml1:Subject>
</saml1:AuthenticationStatement>
<saml1:AttributeStatement>
  <saml1:Subject>
  <saml1:NameIdentifier>de3</saml1:NameIdentifier>
    <saml1:SubjectConfirmation>
      <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
    </saml1:SubjectConfirmation>
  </saml1:Subject>
  <saml1:Attribute 
    AttributeName="lastName" [4]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>Ellentuck</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute
    AttributeName="givenName" [5]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>Daniel</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute 
    AttributeName="mail" [6]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute 
    AttributeName="lastPasswordChangeDate" [7]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>Mon Dec 30 15:32:53 EST 2019</saml1:AttributeValue>
  </saml1:Attribute>
[...other Attributes...]
  <saml1:Attribute 
    AttributeName="affiliation" [8]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>WIKI_iam</saml1:AttributeValue>
    <saml1:AttributeValue>PAC1administratorFT</saml1:AttributeValue>
    <saml1:AttributeValue>CUadministrator</saml1:AttributeValue>
    <saml1:AttributeValue>CU_IT</saml1:AttributeValue>
    <saml1:AttributeValue>MFA_all</saml1:AttributeValue>
    <saml1:AttributeValue>OFFICER</saml1:AttributeValue>
    <saml1:AttributeValue>PAC</saml1:AttributeValue>
    <saml1:AttributeValue>CUNIX_staff</saml1:AttributeValue>
    <saml1:AttributeValue>CUstaff</saml1:AttributeValue>
    [...other affiliation values...]
  </saml1:Attribute>
  <saml1:Attribute 
    AttributeName="authenticationMethod" 
    AttributeNamespace="http://www.ja-sig.org/products/cas">
    <saml1:AttributeValue>JaasAuthenticationHandler</saml1:AttributeValue>
    <saml1:AttributeValue>mfa-duo</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute 
    AttributeName="eduPersonPrincipalName" [9]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute 
    AttributeName="username" [10]
    AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>de3</saml1:AttributeValue>
  </saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion>
</saml1p:Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Unsuccessful SAML 1.1 Ticket Validation Response (formatted for legibility)[1]:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope 
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<saml1p:Response 
  InResponseTo="_d9ef47bc70b2a83638cfc5aa0ae451ee" 
  IssueInstant="2020-07-21T21:59:37.309Z" 
  MajorVersion="1" MinorVersion="1" 
  ResponseID="_4f9626c601933d7ebcbc6b215d270619" 
  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
  <saml1p:Status>
    <saml1p:StatusCode Value="saml1p:RequestDenied"/> [11]
    <saml1p:StatusMessage>Ticket 'ST-AAEyVgrq7oBwEiYC2in10FZAf7iGGhRz+GH0uI0rf43ltpDVKNmum52p' not recognized</saml1p:StatusMessage>
  </saml1p:Status>
</saml1p:Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Notes:

  1. Available via the SAML 1.1 Browser/Artifact Profile, as described here:
     POST https://[cas-hostname]/cas/samlValidate?TARGET=[service-provider-target]&SAMLArt=[ticket]
     The body is a SAML SOAP request; the service ticket is passed as the SAMLArt parameter and the service URL as the TARGET.
  2. Confirms successful authentication:
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/>
      </saml1p:Status>
  3. Identifies the service (your application):
      <saml1:Audience>https://casdev.cc.columbia.edu/cas-duo-enroll/duoAuth</saml1:Audience>
  4. User last name is available in an attribute called "lastName":
      <saml1:Attribute
        AttributeName="lastName"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>Ellentuck</saml1:AttributeValue>
      </saml1:Attribute>
  5. User first name is available in an attribute called "givenName":
      <saml1:Attribute
        AttributeName="givenName"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>Daniel</saml1:AttributeValue>
      </saml1:Attribute>
  6. User email address is available in an attribute called "mail":
      <saml1:Attribute
        AttributeName="mail"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
      </saml1:Attribute>
  7. Date of last password change is available in an attribute called "lastPasswordChangeDate":
      <saml1:Attribute
        AttributeName="lastPasswordChangeDate"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>Fri Jun 29 16:06:39 EDT 2012</saml1:AttributeValue>
      </saml1:Attribute>
  8. LDAP affiliations are available in a multi-valued attribute called "affiliation". The order is arbitrary:
      <saml1:Attribute
        AttributeName="affiliation"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>WIKI_iam</saml1:AttributeValue>
        <saml1:AttributeValue>PAC1administratorFT</saml1:AttributeValue>
        <saml1:AttributeValue>CUadministrator</saml1:AttributeValue>
        <saml1:AttributeValue>CU_IT</saml1:AttributeValue>
        <saml1:AttributeValue>MFA_all</saml1:AttributeValue>
        <saml1:AttributeValue>OFFICER</saml1:AttributeValue>
        <saml1:AttributeValue>PAC</saml1:AttributeValue>
        <saml1:AttributeValue>CUNIX_staff</saml1:AttributeValue>
        <saml1:AttributeValue>CUstaff</saml1:AttributeValue>
        [...other affiliation values...]
      </saml1:Attribute>
  9. The eduPersonPrincipalName is [email protected]. Although it has the form of an email address, it cannot be changed or aliased like a true email address. It is available in an attribute called "eduPersonPrincipalName":
      <saml1:Attribute
        AttributeName="eduPersonPrincipalName"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
      </saml1:Attribute>
  10. The username (UNI) is available in an attribute called "username":
      <saml1:Attribute
        AttributeName="username"
        AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue>de3</saml1:AttributeValue>
      </saml1:Attribute>
  11. Means authentication could not be confirmed:
     <saml1p:StatusCode Value="saml1p:RequestDenied"/>
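As an added example (not part of this page or of Columbia's CAS client code), the checks a service should apply to a samlValidate response before trusting it, in Python against the standard-library parser: it requires a Success status, ties InResponseTo to the RequestID the service sent, enforces the NotBefore/NotOnOrAfter window (only 30 seconds in the response above, so the service's clock must be synchronized), and requires its own URL in Audience, then extracts the NameIdentifier and the multi-valued attributes. The two sample responses are constructed, trimmed copies of the ones shown above; the function and parameter names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml1p": "urn:oasis:names:tc:SAML:1.0:protocol", "saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}

def parse_instant(s):  # CAS timestamps look like 2020-07-21T18:31:52.932Z (UTC)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_saml1_response(xml_text, expected_audience, expected_request_id, now):
    resp = ET.fromstring(xml_text).find("soap:Body/saml1p:Response", NS)
    if resp is None:
        raise ValueError("no saml1p:Response in SOAP Body")
    if resp.get("InResponseTo") != expected_request_id:  # ties the reply to our samlValidate call
        raise ValueError("InResponseTo does not match the RequestID we sent")
    code = resp.find("saml1p:Status/saml1p:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":  # Value is a QName
        msg = resp.findtext("saml1p:Status/saml1p:StatusMessage", "", NS)
        raise ValueError(f"ticket validation denied: {msg}")
    assertion = resp.find("saml1:Assertion", NS)
    if assertion is None:
        raise ValueError("Success status without an Assertion")
    cond = assertion.find("saml1:Conditions", NS)  # 30 s window on this page: keep clocks synced
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in cond.findall("saml1:AudienceRestrictionCondition/saml1:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different service (Audience mismatch)")
    name_id = assertion.findtext("saml1:AuthenticationStatement/saml1:Subject/saml1:NameIdentifier", None, NS)
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml1:AttributeValue", NS)]
             for a in assertion.findall("saml1:AttributeStatement/saml1:Attribute", NS)}
    return {"name_id": name_id, "attributes": attrs}

# Constructed, trimmed copies of the two responses shown on this page (not live CAS output).
SUCCESS = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response InResponseTo="_e08bf0037e0cfe7afe1a458fd987f088" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="localhost">
<saml1:Conditions NotBefore="2020-07-21T18:31:52.932Z" NotOnOrAfter="2020-07-21T18:32:22.932Z"><saml1:AudienceRestrictionCondition>
<saml1:Audience>https://casdev.cc.columbia.edu/cas-duo-enroll/duoAuth</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AuthenticationStatement><saml1:Subject><saml1:NameIdentifier>de3</saml1:NameIdentifier></saml1:Subject></saml1:AuthenticationStatement>
<saml1:AttributeStatement><saml1:Attribute AttributeName="affiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>MFA_all</saml1:AttributeValue><saml1:AttributeValue>CUstaff</saml1:AttributeValue></saml1:Attribute>
<saml1:Attribute AttributeName="username" AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue>de3</saml1:AttributeValue>
</saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
DENIED = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response InResponseTo="_d9ef47bc70b2a83638cfc5aa0ae451ee" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"><saml1p:Status>
<saml1p:StatusCode Value="saml1p:RequestDenied"/><saml1p:StatusMessage>Ticket not recognized</saml1p:StatusMessage></saml1p:Status>
</saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

When parsing XML received over the network, prefer defusedxml over xml.etree directly, and treat the StatusMessage of a denied response as diagnostic text only, never as something to reflect back to the user.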