SAML 1.1 Ticket Validation Response
Successful SAML 1.1 Ticket Validation Response (formatted for legibility)[1]:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response InResponseTo="_e08bf0037e0cfe7afe1a458fd987f088" IssueInstant="2020-07-21T18:31:52.932Z" MajorVersion="1" MinorVersion="1" ResponseID="_55ed3c296e8568dbd8311f297aec9716" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/> [2]
      </saml1p:Status>
      <saml1:Assertion AssertionID="_c875507ce81243ca27a7231d216f3d69" IssueInstant="2020-07-21T18:31:52.932Z" Issuer="localhost" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml1:Conditions NotBefore="2020-07-21T18:31:52.932Z" NotOnOrAfter="2020-07-21T18:32:22.932Z">
          <saml1:AudienceRestrictionCondition>
            <saml1:Audience>https://casdev.cc.columbia.edu/cas-duo-enroll/duoAuth</saml1:Audience> [3]
          </saml1:AudienceRestrictionCondition>
        </saml1:Conditions>
        <saml1:AuthenticationStatement AuthenticationInstant="2020-07-21T18:31:57.761Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml1:Subject>
            <saml1:NameIdentifier>de3</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier>de3</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="lastName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [4]
            <saml1:AttributeValue>Ellentuck</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="givenName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [5]
            <saml1:AttributeValue>Daniel</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [6]
            <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="lastPasswordChangeDate" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [7]
            <saml1:AttributeValue>Mon Dec 30 15:32:53 EST 2019</saml1:AttributeValue>
          </saml1:Attribute>
          [...other Attributes...]
          <saml1:Attribute AttributeName="affiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [8]
            <saml1:AttributeValue>WIKI_iam</saml1:AttributeValue>
            <saml1:AttributeValue>PAC1administratorFT</saml1:AttributeValue>
            <saml1:AttributeValue>CUadministrator</saml1:AttributeValue>
            <saml1:AttributeValue>CU_IT</saml1:AttributeValue>
            <saml1:AttributeValue>MFA_all</saml1:AttributeValue>
            <saml1:AttributeValue>OFFICER</saml1:AttributeValue>
            <saml1:AttributeValue>PAC</saml1:AttributeValue>
            <saml1:AttributeValue>CUNIX_staff</saml1:AttributeValue>
            <saml1:AttributeValue>CUstaff</saml1:AttributeValue>
            [...other affiliation values...]
          </saml1:Attribute>
          <saml1:Attribute AttributeName="authenticationMethod" AttributeNamespace="http://www.ja-sig.org/products/cas">
            <saml1:AttributeValue>JaasAuthenticationHandler</saml1:AttributeValue>
            <saml1:AttributeValue>mfa-duo</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="eduPersonPrincipalName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [9]
            <saml1:AttributeValue>[email protected]</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="username" AttributeNamespace="http://www.ja-sig.org/products/cas/"> [10]
            <saml1:AttributeValue>de3</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Unsuccessful SAML 1.1 Ticket Validation Response (formatted for legibility)[1]:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response InResponseTo="_d9ef47bc70b2a83638cfc5aa0ae451ee" IssueInstant="2020-07-21T21:59:37.309Z" MajorVersion="1" MinorVersion="1" ResponseID="_4f9626c601933d7ebcbc6b215d270619" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:RequestDenied"/> [11]
        <saml1p:StatusMessage>Ticket 'ST-AAEyVgrq7oBwEiYC2in10FZAf7iGGhRz+GH0uI0rf43ltpDVKNmum52p' not recognized</saml1p:StatusMessage>
      </saml1p:Status>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Notes (the bracketed numbers refer to the markers in the responses above):
- [1] Available via the SAML 1.1 Browser/Artifact Profile, as described here. The client sends a SAML SOAP request by POST to https://[cas-hostname]/cas/samlValidate?TARGET=[service-provider-target]&SAMLArt=[ticket], with the service ticket as the SAMLArt parameter and the service URL as the TARGET.
- [2] Confirms successful authentication:
  <saml1p:Status> <saml1p:StatusCode Value="saml1p:Success"/> </saml1p:Status>
- [3] Identifies the service (your application):
  <saml1:Audience>https://casdev.cc.columbia.edu/cas-duo-enroll/duoAuth</saml1:Audience>
- [4] The user's last name is available in an attribute called "lastName":
  <saml1:Attribute AttributeName="lastName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>Ellentuck</saml1:AttributeValue> </saml1:Attribute>
- [5] The user's first name is available in an attribute called "givenName":
  <saml1:Attribute AttributeName="givenName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>Daniel</saml1:AttributeValue> </saml1:Attribute>
- [6] The user's email address is available in an attribute called "mail":
  <saml1:Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>[email protected]</saml1:AttributeValue> </saml1:Attribute>
- [7] The date of the last password change is available in an attribute called "lastPasswordChangeDate":
  <saml1:Attribute AttributeName="lastPasswordChangeDate" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>Fri Jun 29 16:06:39 EDT 2012</saml1:AttributeValue> </saml1:Attribute>
- [8] LDAP affiliations are available in a multi-valued attribute called "affiliation". The order of the values is arbitrary:
  <saml1:Attribute AttributeName="affiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>WIKI_iam</saml1:AttributeValue> <saml1:AttributeValue>PAC1administratorFT</saml1:AttributeValue> <saml1:AttributeValue>CUadministrator</saml1:AttributeValue> <saml1:AttributeValue>CU_IT</saml1:AttributeValue> <saml1:AttributeValue>MFA_all</saml1:AttributeValue> <saml1:AttributeValue>OFFICER</saml1:AttributeValue> <saml1:AttributeValue>PAC</saml1:AttributeValue> <saml1:AttributeValue>CUNIX_staff</saml1:AttributeValue> <saml1:AttributeValue>CUstaff</saml1:AttributeValue> [...other affiliation values...] </saml1:Attribute>
- [9] The eduPersonPrincipalName is [email protected]. Although it has the form of an email address, it cannot be changed or aliased the way a real email address can. It is available in an attribute called "eduPersonPrincipalName":
  <saml1:Attribute AttributeName="eduPersonPrincipalName" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>[email protected]</saml1:AttributeValue> </saml1:Attribute>
- [10] The username (UNI) is available in an attribute called "username":
  <saml1:Attribute AttributeName="username" AttributeNamespace="http://www.ja-sig.org/products/cas/"> <saml1:AttributeValue>de3</saml1:AttributeValue> </saml1:Attribute>
- [11] Indicates that authentication could not be confirmed:
  <saml1p:StatusCode Value="saml1p:RequestDenied"/>