O SAML (Security Assertion Markup Language) é um padrão baseado em XML para a autenticação e autorização de informações entre dois parceiros confiáveis. Ele é baseado em outros padrões:
Identity Provider (IDP) / Asserting Party
O Identity suporta o Single Sign On baseado no SAML 2.0. Eles suportam os SSO SP-initiated e IDP-initiated.
Recebe a resposta SAML.
Verifica a assinatura.
Valida a resposta SAML.
Verifica o status da resposta, se foi uma autenticação válida ou não. Se o status for uma falha, ignora a assertion.
Valida o emissor. Isto exige que o IDP seja registrado com o SP.
Se criptografado, descriptografa a assertion.
Valida que a resposta possui uma assertion, declarações de autenticação e declarações de atributos.
Certifica-se que a assertion é valida na instância dada e é intencionada para o SP.
Determina a autorização dos usuários baseado nas declarações de autenticação e atributos na assertion.
Se autorizado, redireciona o usuário para o recurso requisitado/protegido.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://www.google.com/a/domain.com/acs"
ID="cknmoleiackllcefehnhjinlfiaajgggmeaffkfa"
IsPassive="false"
IssueInstant="2012-10-18T23:40:09Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="google.com"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.google.com/a/totvs.com.br/acs"
ID="_7ab62e86a88d4142f5b3193252f9d6e8"
InResponseTo="bedkdjdmfpeeakbhcmaacedeidmhecidlpkhigbh"
IssueInstant="2022-07-21T11:50:45.795Z"
Version="2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TotvsLabs
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_7ab62e86a88d4142f5b3193252f9d6e8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>9+6FhzqbZL7vkh8OdkT1OrVhKD0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HgV4uqJcqsgbWsHPou6K9x43LxHUU7Fh3Ey0DTEAnc5ZiEPfFVtRMwLXAp6AcZwf+VJCS+kLLy2qaj/inBUn0+sOYUvL7Kz7yCDnwmGlxr2nR47LghVUi0pf9Y+ntd9CF5A38DfJ0bT9TnlnR2imsDnhfS+fPd5581MMD3kzxB4=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICBjCCAW8CBgFkKLewqzANBgkqhkiG9w0AAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp bWFyeSBDZXJ0aWZpY2F0ZTESMBAGA1UEChMJVG90dnNMYWJzMQswCQYDVQQGEwJVUzAeFw0xODA2 MjIxODE4MDRaFw0yODA2MjIxODE4MDRaMEkxJjAkBgNVBAsTHVRvdHZzTGFicyBQcmltYXJ5IENl cnRpZmljYXRlMRIwEAYDVQQKEwlUb3R2c0xhYnMxCzAJBgNVBAYTAlVTMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCSTmcVLlj7K58TlSqCG6m51mSQlH0hPN5z0T2iMs/d30f8udnm75nla2OJ ktdDu8Jm8/XcCFoMfyKnkZojZgRPaFOqWjhh9/nYCcm8wGGFko3WYqrzmKzVtiJZ1+PfQdd5yXCe ao8Gevt46Ssfh7mLWSU4c+DcB5wWr9jM4ejVeQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGxtZ6kP p+KRw0kpoqmRfY5B8ze7EmRMKvPtuJgtc4S912UWcXpTDPA+lLfOBB8E59U4KOV/1BLb2I3dH9D4
HybsurH96bJo44NJrApyQA+XNcLy/ax+PXB5405q2+bwemtuCvYkfdhAZrK334vNcVirJ5N5rPBb P4cm2mfCu/UK
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_51c17234853d6d6df950b4f3e5f9095f"
IssueInstant="2022-07-21T11:50:45.795Z"
Version="2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TotvsLabs</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_51c17234853d6d6df950b4f3e5f9095f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ZcXfbLyk/2FGOXZdABQt8QfBGdU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>QO5XUdUJGbsGlAJ17oxFFv4NrtVT4G9Nay4jVEbi3x47oySLA+52plIe51rOBVCuUVR6IvDWBXrPgDb9szEveCcy8X8oX1EXpXTBpqdP6KQ4Oqz1bBY873+3XX51iYttXxtP3fapCzK/8uzI/JXJ+DqSUc76JrkT+SpeR+aogt4=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICBjCCAW8CBgFkKLewqzANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp bWFyeSBDZXJ0aWZpY2F0ZTESMBAGA1UEChMJVG90dnNMYWJzMQswCQYDVQQGEwJVUzAeFw0xODA2 MjIxODE4MDRaFw0yODA2MjIxODE4MDRaMEkxJjAkBgNVBAsTHVRvdHZzTGFicyBQcmltYXJ5IENl cnRpZmljYXRlMRIwEAYDVQQKEwlUb3R2c0xhYnMxCzAJBgNVBAYTAlVTMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCSTmcVLlj7K58TlSqCG6m51mSQlH0hPN5z0T2iMs/d30f8udnm75nla2AJ ktdDu8Jm8/XcCFoMfyKnkZojZgRPaFOqWjhh9/nYCcm8wGGFko3WYqrzmKzVtiJZ1+PfQdd5yXCe ao8Gevt46Ssfh7mLWSU4c+DcB5wWr9jM4ejVeQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGxtZ6kP p+KRw0kpoqmRfY5B8ze7EmRMKvPtuJgtc4S912UWcXpTDPA+lLfOBB8E59U4KOV/1BLb2I3dH9D4
HybsurH96bJo44NJrApyQA+XNcLy/ax+PXB5405q2+bwemtuCvYkfdhAZrK334vNcVirJ5N5rPBb P4cm2mfCu/UK
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="bedkdjdmfpeeakbhcmaacedeidmhecidlpkhigbh"
NotOnOrAfter="2022-07-21T12:00:45.795Z"
Recipient="https://www.google.com/a/totvs.com.br/acs" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2022-07-21T11:50:45.795Z"
NotOnOrAfter="2022-07-21T12:00:45.795Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://www.google.com/a/totvs.com.br/acs</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2022-07-21T11:50:45.771Z"
SessionIndex="_51c17234853d6d6df950b4f3e5f9095f">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="companyId"
Name="companyId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">ft0y84vo717g8hjx
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="firstname"
Name="firstname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Name
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="entitlementsChanged"
Name="entitlementsChanged"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">false
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="appsChanged"
Name="appsChanged"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">false
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="userId"
Name="userId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">ywam6h95jgk32fiq1407765456714
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="email"
Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">[email protected]
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="lastname"
Name="lastname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Silva
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>