SAML2 Push


To initiate the SAML2 idP push mechanism on TrustBuilder, IDHub expects the RelayState of the incoming assertion in a specific format. Here we show an example URL where we start idP push from the TB SAML2 component saml2-idp.

https://domain/idhub/tb/saml2-idp/initial?partner=https://idhub&target=Pzez97xr9gpHQpj%2Fx6l8Me7ASfnRXffqA%2B1ZWHR0AfyuEeLKQnkaMxuDZ7swIZrT0ysZWJ9Sw8LfBd1TPiNn1cET1ugN4MEmTj%2BMLl%2Fx2vwZlDcfTS6LafRWELlGuVo17wJBgsHr%2FGWYUz0E7a968%2BQngBCCmRD22vkXfIYqg1iWNxSn4FJPVo2CEyYmy%2F8wdWMot5JTBUT1rMOQAJ%2FeCziu8SpsVgku3YIAJ4VE69Gvawo1%2FOVVRmoyHhmwdz8fs1BoiK4EQn7L223KQIomCKmqwQw%2BC2%2BSw37Nau8MueLikWHl8YBUzYLd%2B...

The partner parameter names the partner to which the saml2-idp component will POST the assertion, in this case IDHub. The target parameter is the interesting part: it is encrypted information that is sent to IDHub in the RelayState parameter.
This is how we generate the target parameter in a JavaScript TB workflow:

var json = {"partnercode":"35c68a4f-e263-4c36-8180-dae7c2c1f940","target":"https://relaystate","auth_methodid":"4","auth_comparison":"exact"};
// RSA PKCS#1 v1.5 encrypt with the "idhub" public certificate, base64-encode the result, then URL-encode it for the query string
var snc = encodeURIComponent(encService.encrypt("RSA/ECB/PKCS1Padding","idhub",JSON.stringify(json),"base64"));

partnercode: the IDHub partner code of the final SP we want to push to.
target: the RelayState we want to send to the final SP.
auth_methodid: the id of the authentication method we are logged in with.
auth_comparison: how IDHub should compare the authentication method (the example above uses "exact").

"idhub" is the name of the idhub-encryption certificate, which is stored in your configuration truststore.

The workflow uses the encryption service (encService) to perform the encryption.

Encryption of the target parameter happens with the idhub-encryption public certificate.
IDHub recognizes this type of RelayState and can decrypt it. It uses the decrypted information to generate an assertion for the correct final SP partner.
