Prerequisites - SAML assertion to be sent to Planon
The Identity Broker Solution requires a SAML response that contains the following two components:
A NameID (including a mandatory format description).
A separate SAML attribute that contains the identifier to be mapped to Planon (that is, not the NameID itself).
In the example below, these mandatory components are the saml:NameID element (with its Format attribute) and the saml:Attribute element inside saml:AttributeStatement; in the original document they appear in bold.
The following excerpt is an anonymized sample of a SAML response posted to Planon (signature values and certificates are elided):
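<!-- Anonymized SAML 2.0 Response as posted to Planon. SignatureValue and X509Certificate
     are elided ("…"). The comments in this listing are reader annotations only: a real
     message carries none, and inserting any inside a signed Reference would change its digest. -->
<samlp:Response ID="_0216c6ce-7f8c-4e22-b6ca-d4cb9c6fc431"
                InResponseTo="ID_dbe02f23-e90a-4b04-a8ab-8af19632c7b5"
                Version="2.0"
                IssueInstant="2015-09-01T20:55:33.525Z"
                Destination="https://xx-yyy.planoncloud.com/"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:xyz:saml:idp</saml:Issuer>
  <!-- First signature: covers the whole Response (Reference URI = Response ID). -->
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <!-- NOTE(review): rsa-sha1 / sha1 are legacy algorithms in this 2015 sample; a current
           IdP configuration should sign with rsa-sha256 and digest with sha256. -->
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_0216c6ce-7f8c-4e22-b6ca-d4cb9c6fc431">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
                                 xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>WrxQ8DfeSzygwXgKFbLLuK/iPvI=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>….</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>…</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion Version="2.0"
                  ID="_e6db33a1-0724-4474-bdde-a9628e8223e0"
                  IssueInstant="2015-09-01T20:55:33.525Z"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>urn:xyz:saml:idp</saml:Issuer>
    <!-- Second signature: covers the Assertion only (Reference URI = Assertion ID). -->
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_e6db33a1-0724-4474-bdde-a9628e8223e0">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <InclusiveNamespaces PrefixList="#default saml ds xs xsi"
                                   xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>Y1ksPiFQl6Mzh0nJrMNO2OMDtEI=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>…</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>…</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <!-- MANDATORY component 1 of 2: a NameID with an explicit Format attribute.
           The extracted page text reads "nameidformat"; the registered SAML 2.0 URI is "nameid-format". -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- NOTE(review): for bearer confirmation the consumer should match Recipient against its own
             ACS URL, InResponseTo against the request ID it issued, and reject once NotOnOrAfter has passed. -->
        <saml:SubjectConfirmationData NotOnOrAfter="2015-09-01T20:58:33.541Z"
                                      Recipient="https://xx-yyy.planoncloud.com/"
                                      InResponseTo="ID_dbe02f23-e90a-4b04-a8ab-8af19632c7b5" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-09-01T20:52:33.525Z"
                     NotOnOrAfter="2015-09-01T20:58:33.525Z">
      <saml:AudienceRestriction>
        <!-- NOTE(review): Audience must equal the entity ID the consumer is configured with; in this
             anonymized sample its host ("xxyyy") differs from Destination/Recipient ("xx-yyy"). -->
        <saml:Audience>https://xxyyy.planoncloud.com/auth/realms/environment-test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-09-01T20:55:33.541Z"
                         SessionIndex="_e6db33a1-0724-4474-bdde-a9628e8223e0">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <!-- MANDATORY component 2 of 2: a separate attribute (here "email") carrying the identifier
           that is mapped to Planon; the NameID itself is not used for that mapping. -->
      <saml:Attribute Name="email">
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">USERNAME@email.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>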
For more information on how to check a SAML assertion, see SSO troubleshooting.