Proxy MVPD SAML Integration
Overview
This document describes the SAML Authentication flow for Proxy integrations. These flows depend on Proxy config data being present in the Adobe Pass Authentication server configuration. The Proxy MVPD pushes its Proxy config data to the Adobe Pass Authentication server via the Adobe Pass Authentication Proxy Web Service.
Proxy Configuration Data
Each MVPD Proxy provides Proxy configuration data for its Proxied MVPDs to the Adobe Pass Authentication Proxy Web Service. Details are covered in the Proxy Web Service documentation. For the SAML AuthN flow to work, the Proxy config data needs to include the following properties:
SAML Integration Flows
When an MVPD subscriber visits a Programmer’s site or application, Adobe Pass Authentication responds to an API call from the site or application with a list of MVPDs activated for that Programmer. The integration can be direct or proxied; there is no distinction between them from the Programmer’s point of view. This allows Programmers to present the list of active MVPDs in any way they see fit. The subscriber chooses their MVPD, and Adobe Pass Authentication redirects the subscriber to the MVPD’s specific Identity Provider.
In the case of an integrated MVPD Proxy, the integration is done between Adobe Pass Authentication and the MVPD Proxy. Adobe Pass Authentication sends the user authentication request to the MVPD Proxy, and the MVPD Proxy handles the redirection. In order for the MVPD Proxy to know where to redirect the user authentication request, Adobe Pass Authentication sends an MVPD identifier in the SAML authentication request. This identifier is the MVPD ID specified by the Proxy Provider by way of the Proxy Web Service as specified above.
Authentication
In order for Adobe Pass Authentication to integrate with a Proxy MVPD, the following are required:
- A Proxy MVPD-provided list of Proxied MVPDs, pushed to the Adobe Proxy Web Service
- SAML Metadata for the parent MVPD Proxy
- (Recommended) The Proxy MVPD handles the additional redirection to the login page URL of the Proxied MVPD
- The MVPD Proxy needs to open ports 443 and 80 for the following IPs:
  - 192.150.4.5
  - 192.150.10.200
  - 192.150.11.4
  - 4.53.93.130
  - 193.105.140.131
  - 193.105.140.132
  - 76.74.170.204
  - 63.140.39.4
  - 66.235.132.38
  - 66.235.139.38
  - 66.235.139.168
Authentication SAML Request and Response
In the SAML AuthN request, Proxy integrations include one additional property that the MVPD Proxy must handle. It is needed to process the request on behalf of the correct Proxied MVPD and to render the right login experience. (This property is the samlp:Scoping element in the sample request below.)
Scoping property - Contains an IDPEntry item carrying the specific MVPD_ID and MVPD Name. This is the MVPD that the user actually selected from the Programmer’s picker, and the MVPD_ID matches the one registered through the Proxy Web Service.
The Scoping element also carries a RequesterID property, which can be used to customize the login page for the particular brand of the Programmer (if needed), or simply for analytics on where the request originates.
In the SAML AuthN response, the Proxy MVPD should specify the Proxied MVPD as the IdP Entity in the following properties:
- SAML Issuer
- Name Qualifier
Sample AuthN Request
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://sp.auth-staging.adobe.com/sp/saml/SAMLAssertionConsumer"
    Destination="DESTINATION_URL"
    ForceAuthn="false"
    ID="_4cb70308-b445-462e-b044-f7d0323dde0c"
    IsPassive="false"
    IssueInstant="2012-04-03T15:41:25.884Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://saml.sp.auth-staging.adobe.com
  </saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...........
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://saml.sp.auth-staging.adobe.com"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" />
  <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlp:IDPEntry Name="MVPD NAME" ProviderID="MVPD_ID"/>
    </samlp:IDPList>
    <samlp:RequesterID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      RequestorID-Value
    </samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>
Sample AuthN Response
<samlp:Response Destination="https://sp.auth-staging.adobe.com/sp/saml/SAMLAssertionConsumer"
    ID="_1d39be60-66de-012f-bfd5-0030488a31a4"
    InResponseTo="_4cb70308-b445-462e-b044-f7d0323dde0c"
    IssueInstant="2012-04-12T15:00:06Z"
    Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER_VALUE</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_1d39c280-66de-012f-bfd6-0030488a31a4"
      IssueInstant="2012-04-12T15:00:06Z"
      Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" >
    <saml:Issuer>ISSUER_VALUE</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ...........
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="IDP_NameQualifier"
          SPNameQualifier="https://saml.sp.auth-staging.adobe.com">
        oRD6ALr5jlzkofNR1OaSCDbC6GaXV1cq8gF7Eotf
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="_4cb70308-b445-462e-b044-f7d0323dde0c"
            NotOnOrAfter="2012-04-12T15:10:06Z"
            Recipient="https://sp.auth-staging.adobe.com/sp/saml/SAMLAssertionConsumer" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-04-12T15:00:06Z"
        NotOnOrAfter="2012-04-12T15:10:06Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.sp.auth-staging.adobe.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-04-12T15:00:06Z"
        SessionIndex="f6d15540cf27966115028d35c94eefb9" >
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
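The two sides of the AuthN exchange above, as an added example (not Adobe's code): the MVPD Proxy reads the Proxied MVPD from Scoping/IDPList/IDPEntry@ProviderID and refuses to redirect to an IdP it was not configured for, and the SP side then accepts the response only if every Issuer and the NameID/@NameQualifier name that same Proxied MVPD, the InResponseTo values match the request, the Audience is the SP, and the Conditions window is current. The request and response XML, the EXAMPLE_MVPD identifier, the login URL and the clock value are constructed placeholders; ds:Signature verification is deliberately out of scope here and belongs before any of these checks in a real deployment.

```python
"""Added example (not Adobe's code): proxy-side routing and SP-side checks for a
proxied SAML AuthN exchange. Sample XML, MVPD IDs, URLs and the clock value are
constructed; XML signature verification is out of scope."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://saml.sp.auth-staging.adobe.com"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed proxy config data, as it would be pushed via the Proxy Web Service.
PROXIED_MVPDS = {"EXAMPLE_MVPD": "https://idp.example-cable.invalid/login"}

# Constructed AuthN request: the IDPEntry names the MVPD picked in the Programmer's picker.
AUTHN_REQUEST = f"""<samlp:AuthnRequest ID="_req-1" Version="2.0" xmlns:samlp="{NS['samlp']}">
  <saml:Issuer xmlns:saml="{NS['saml']}">{SP_ENTITY_ID}</saml:Issuer>
  <samlp:Scoping>
    <samlp:IDPList><samlp:IDPEntry Name="Example Cable" ProviderID="EXAMPLE_MVPD"/></samlp:IDPList>
    <samlp:RequesterID>programmer-brand-1</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""

# Constructed AuthN response issued by the proxy on behalf of EXAMPLE_MVPD.
AUTHN_RESPONSE = f"""<samlp:Response ID="_resp-1" InResponseTo="_req-1" Version="2.0"
    xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>EXAMPLE_MVPD</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt-1" Version="2.0">
    <saml:Issuer>EXAMPLE_MVPD</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="EXAMPLE_MVPD" SPNameQualifier="{SP_ENTITY_ID}">subject-123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-1" NotOnOrAfter="2012-04-12T15:10:06Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-04-12T15:00:06Z" NotOnOrAfter="2012-04-12T15:10:06Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed "current time", inside the assertion's validity window.
SAMPLE_NOW = datetime(2012, 4, 12, 15, 5, 0, tzinfo=timezone.utc)


def route_authn_request(xml_text, proxied_mvpds):
    """Proxy side: return (request_id, mvpd_id, login_url) for the IDPEntry in the
    request. Unknown ProviderIDs are rejected so the proxy only redirects to IdPs
    it was configured for."""
    root = ET.fromstring(xml_text)
    entry = root.find("samlp:Scoping/samlp:IDPList/samlp:IDPEntry", NS)
    if entry is None:
        raise ValueError("AuthnRequest carries no Scoping/IDPList/IDPEntry")
    mvpd_id = entry.get("ProviderID")
    if mvpd_id not in proxied_mvpds:
        raise ValueError(f"unknown proxied MVPD {mvpd_id!r}")
    return root.get("ID"), mvpd_id, proxied_mvpds[mvpd_id]


def _parse_instant(value):
    # SAML instants are UTC with a trailing Z; make them tz-aware for comparison.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_authn_response(xml_text, request_id, expected_mvpd_id, now=SAMPLE_NOW):
    """SP side: return the list of failed checks (an empty list means accept)."""
    root = ET.fromstring(xml_text)
    failures = []
    if root.get("InResponseTo") != request_id:
        failures.append("InResponseTo")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("Status")
    # Both the Response Issuer and the Assertion Issuer must be the proxied MVPD.
    if any((i.text or "").strip() != expected_mvpd_id
           for i in root.iter(f"{{{NS['saml']}}}Issuer")):
        failures.append("Issuer")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("NameQualifier") != expected_mvpd_id:
        failures.append("NameQualifier")
    conf = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                     "saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("InResponseTo") != request_id:
        failures.append("SubjectConfirmationData")
    audience = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/"
                             "saml:Audience", default="", namespaces=NS)
    if audience.strip() != SP_ENTITY_ID:
        failures.append("Audience")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or not (_parse_instant(cond.get("NotBefore")) <= now
                            < _parse_instant(cond.get("NotOnOrAfter"))):
        failures.append("Conditions window")
    return failures
```

Calling check_authn_response with the MVPD ID that route_authn_request returned ties the response to the picker selection: a response whose Issuer or NameQualifier names a different IdP than the one in the request's IDPEntry fails even when its signature is valid.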
Authorization
For the authorization part, the MVPD must accept the resource specified by the Programmer in the authorization request. In most cases, this is a string identifier for the channel network, such as TBS or TNT.
Authorization SAML Request and Response
In the AuthZ response, the Issuer must match the Issuer from the authentication SAML Response, which should be the Proxied MVPD identifier.
Sample AuthZ XACML Request
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Header/>
  <soap11:Body>
    <xacml-samlp:XACMLAuthzDecisionQuery
        xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"
        ID="_c2346a8f2c9cfb205b6b8bf12c2db4d0" IssueInstant="2012-04-12T15:07:51.280Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.sp.auth-staging.adobe.com
      </saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#_c2346a8f2c9cfb205b6b8bf12c2db4d0">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                    PrefixList="ds saml xacml-context xacml-samlp"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>GmEkSZI+SDS1i4vV2ApGh0mx1X4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>..........</ds:SignatureValue>
      </ds:Signature>
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xacml-context:Subject
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-context:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xacml-context:AttributeValueType">
              oRD6ALr5jlzkofNR1OaSCDbC6GaXV1cq8gF7Eotf
            </xacml-context:AttributeValue>
          </xacml-context:Attribute>
        </xacml-context:Subject>
        <xacml-context:Resource>
          <xacml-context:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xacml-context:AttributeValueType">TBS
            </xacml-context:AttributeValue>
          </xacml-context:Attribute>
        </xacml-context:Resource>
        <xacml-context:Action>
          <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xacml-context:AttributeValueType">VIEW
            </xacml-context:AttributeValue>
          </xacml-context:Attribute>
        </xacml-context:Action>
        <xacml-context:Environment>
          <xacml-context:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address"
              DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress">
            <xacml-context:AttributeValue
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xacml-context:AttributeValueType">127.0.0.1
            </xacml-context:AttributeValue>
          </xacml-context:Attribute>
        </xacml-context:Environment>
      </xacml-context:Request>
    </xacml-samlp:XACMLAuthzDecisionQuery>
  </soap11:Body>
</soap11:Envelope>
Sample AuthZ XACML Response (Authorization Granted)
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_311fa030-66df-012f-bfd7-0030488a31a4"
        IssueInstant="2012-04-12T15:07:49Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#_311fa030-66df-012f-bfd7-0030488a31a4">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>2+fDBPYnOT1w5dufJZoVsgckRkM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>..........</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>.........</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <xacml-samlp:Assertion xmlns:xacml-samlp="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="_311fa5a0-66df-012f-bfd8-0030488a31a4" IssueInstant="2012-04-12T15:07:49Z"
          Version="2.0">
        <xacml-samlp:Issuer>ISSUER</xacml-samlp:Issuer>
        <xacml-samlp:Conditions NotBefore="2012-04-12T15:07:49Z" NotOnOrAfter="2012-04-13T15:07:49Z">
          <xacml-samlp:AudienceRestriction>
            <xacml-samlp:Audience>https://saml.sp.auth-staging.adobe.com</xacml-samlp:Audience>
          </xacml-samlp:AudienceRestriction>
        </xacml-samlp:Conditions>
        <xacml-saml:XACMLAuthzDecisionStatement
            xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
            <xacml-context:Result ResourceId="TBS">
              <xacml-context:Decision>Permit</xacml-context:Decision>
            </xacml-context:Result>
          </xacml-context:Response>
        </xacml-saml:XACMLAuthzDecisionStatement>
      </xacml-samlp:Assertion>
    </samlp:Response>
  </soap-env:Body>
</soap-env:Envelope>
Sample AuthZ XACML Response (Authorization Denied)
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_69ed8d80-66df-012f-bfda-0030488a31a4"
        IssueInstant="2012-04-12T15:09:24Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#_69ed8d80-66df-012f-bfda-0030488a31a4">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>2SXNFA4pb/283wq5FVQdp4Ms5SQ=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>........</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>........</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <xacml-samlp:Assertion xmlns:xacml-samlp="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="_69ed91e0-66df-012f-bfdb-0030488a31a4" IssueInstant="2012-04-12T15:09:24Z"
          Version="2.0">
        <xacml-samlp:Issuer>ISSUER</xacml-samlp:Issuer>
        <xacml-samlp:Conditions NotBefore="2012-04-12T15:09:24Z" NotOnOrAfter="2012-04-13T15:09:24Z">
          <xacml-samlp:AudienceRestriction>
            <xacml-samlp:Audience>https://saml.sp.auth-staging.adobe.com</xacml-samlp:Audience>
          </xacml-samlp:AudienceRestriction>
        </xacml-samlp:Conditions>
        <xacml-saml:XACMLAuthzDecisionStatement
            xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
            <xacml-context:Result ResourceId="NOT_Authorized_Resource">
              <xacml-context:Decision>Deny</xacml-context:Decision>
            </xacml-context:Result>
          </xacml-context:Response>
        </xacml-saml:XACMLAuthzDecisionStatement>
      </xacml-samlp:Assertion>
    </samlp:Response>
  </soap-env:Body>
</soap-env:Envelope>
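SP-side handling of the AuthZ responses above, as an added example (not Adobe's code): it enforces the rule stated in this section that the AuthZ Issuer must equal the Issuer recorded from the AuthN response (the Proxied MVPD identifier), checks the Audience, and reads the Permit/Deny decision for the resource that was actually requested. The SOAP documents are constructed in the shape of the Granted and Denied samples; EXAMPLE_MVPD, SOME_OTHER_IDP and the resource names are placeholders, and ds:Signature verification is out of scope here.

```python
"""Added example (not Adobe's code): consume a proxied AuthZ XACML response.
Sample documents and identifiers are constructed; signature checking is out of scope."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
      "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
SP_ENTITY_ID = "https://saml.sp.auth-staging.adobe.com"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authz_response(issuer, resource_id, decision):
    """Constructed XACML AuthzDecision response following the page's samples
    (the xacml-samlp prefix there is bound to the SAML assertion namespace)."""
    return f"""<soap-env:Envelope xmlns:soap-env="{NS['soap']}"><soap-env:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_authz-resp" Version="2.0">
  <saml:Issuer xmlns:saml="{NS['saml']}">{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <xacml-samlp:Assertion xmlns:xacml-samlp="{NS['saml']}" ID="_authz-asrt" Version="2.0">
    <xacml-samlp:Issuer>{issuer}</xacml-samlp:Issuer>
    <xacml-samlp:Conditions>
      <xacml-samlp:AudienceRestriction>
        <xacml-samlp:Audience>{SP_ENTITY_ID}</xacml-samlp:Audience>
      </xacml-samlp:AudienceRestriction>
    </xacml-samlp:Conditions>
    <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="{NS['xacml-saml']}">
      <xacml-context:Response xmlns:xacml-context="{NS['xacml-context']}">
        <xacml-context:Result ResourceId="{resource_id}">
          <xacml-context:Decision>{decision}</xacml-context:Decision>
        </xacml-context:Result>
      </xacml-context:Response>
    </xacml-saml:XACMLAuthzDecisionStatement>
  </xacml-samlp:Assertion>
</samlp:Response></soap-env:Body></soap-env:Envelope>"""


# Constructed responses: granted, denied, and one from an IdP other than the
# Proxied MVPD that answered the AuthN request.
GRANTED = build_authz_response("EXAMPLE_MVPD", "TBS", "Permit")
DENIED = build_authz_response("EXAMPLE_MVPD", "NOT_Authorized_Resource", "Deny")
WRONG_ISSUER = build_authz_response("SOME_OTHER_IDP", "TBS", "Permit")


def authz_decision(soap_xml, authn_issuer, requested_resource):
    """Return "Permit" only when every check passes; otherwise a short reason.
    authn_issuer is the Issuer recorded from the earlier AuthN response."""
    root = ET.fromstring(soap_xml)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        return "no samlp:Response in SOAP body"
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return "non-success Status"
    # Response Issuer and Assertion Issuer both live in the SAML assertion namespace.
    for issuer in resp.iter(f"{{{NS['saml']}}}Issuer"):
        if (issuer.text or "").strip() != authn_issuer:
            return "Issuer mismatch"
    audience = resp.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/"
                             "saml:Audience", default="", namespaces=NS)
    if audience.strip() != SP_ENTITY_ID:
        return "Audience mismatch"
    results = resp.findall("saml:Assertion/xacml-saml:XACMLAuthzDecisionStatement/"
                           "xacml-context:Response/xacml-context:Result", NS)
    decisions = {r.get("ResourceId"): r.findtext("xacml-context:Decision", default="",
                                                  namespaces=NS).strip() for r in results}
    # Only an explicit Permit for the resource we asked about counts; a Deny, or a
    # Result for some other ResourceId, is treated as denied.
    if decisions.get(requested_resource) != "Permit":
        return f"denied: decisions={decisions}"
    return "Permit"
```

Keying the decision lookup on the requested ResourceId matters because the Denied sample reports a ResourceId that differs from the one in the query; a consumer that only looks for any Permit element would misread such a response.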