
Detailed Trace of a Shibboleth Login

Updated for 2022 - IdP version 4.2.x and Duo Universal Prompt

  1. Client visits a website protected by a Shibboleth SP

    • asks for http://website.ncsu.edu/secure/
    • httpd server asks shibd server for credentials
    • shibd hasn't seen this client before
    • shibd saves the return URL in its memory (this appears to be keyed off the ID of the SAML message issued in the next step)
    • shibd issues an _opensaml_req_ss... cookie
    • shibd returns a redirect to the IdP, with a SAML message to initiate a login
  2. Client visits the IdP site to initiate a login

    • asks for https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?...
    • IdP verifies the SAML request, makes sure it knows about the SP
    • IdP issues a JSESSION cookie to track the login process
    • client gets sent to an intermediate page
  3. Client follows redirect to GET https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1

    • page content uses JavaScript to force the browser to POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1
    • POST request includes any previous IdP session information from local storage
      • shib_idp_ls_value.shib_idp_session_ss - encrypted
      • shib_idp_ls_value.shib_idp_persistent_ss - encrypted
    • includes the JSESSION cookie
    • successful POST redirects to the login page
  4. Client enters Unity ID and password on the login page, clicks to POST

    • POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s2
    • includes the JSESSION cookie
    • IdP verifies the username and password
    • client gets sent to next step
  5. Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s3

    • includes the JSESSION cookie
    • this step starts the Duo check
    • client gets sent to the next step
  6. Client follows redirect to https://shib.ncsu.edu/idp/profile/Authn/Duo/2FA/authorize?conversation=e1s3

    • includes the JSESSION cookie
    • IdP prepares a URL to request an OpenID login to Duo
    • URL includes a return URL on shib.ncsu.edu, and encoded session information
    • client gets sent to that Duo URL
  7. Client is sent to log in to Duo at https://api-367267e6.duosecurity.com/oauth/v1/authorize?scope=openid...

    • Duo accepts the auth request
    • redirects the client within Duo to complete the authentication
    • Duo handles its own session cookies as needed
    • upon successful verification of 2FA, client returns to the IdP
  8. Client returns to Shibboleth at https://shib.ncsu.edu/idp/profile/Authn/Duo/2FA/duo-callback?state=...

    • includes the JSESSION cookie
    • IdP verifies the Duo OpenID message indicating success
    • client gets sent to the next step
  9. Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s3&eventIdproceed=1

    • includes the JSESSION cookie
    • IdP has confirmed that Username/Password and Duo authentications have passed successfully
    • IdP creates a new authenticated session
    • IdP returns an IdP session cookie, shib_idp_session, which is only sent to https://shib.ncsu.edu/idp URLs
    • client is bounced to a page that checks for attribute release
  10. Client approves the attribute release page on https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s4

    • POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s4
    • includes the JSESSION and shib_idp_session cookies
    • success sends the client to the next step
  11. Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s5

    • includes the JSESSION and shib_idp_session cookies
    • that page does a JavaScript POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s5
    • this step manages the browser's local storage copy of the IdP session and the attribute / consent data, all encrypted
    • page content uses JavaScript to force the browser to POST a SAML message back to the SP
    • WARNING: if the SP is not an https URL, this JavaScript POST will cause the browser to show the user a warning that they are leaving a secured page for an unsecured one
  12. Client POSTs the SAML message back to the SP

    • POST to http://website.ncsu.edu/Shibboleth.sso/SAML2/POST
    • POST data includes the RelayState with return session info
    • sends cookie _opensaml_req_ss... which also has the return session info
    • SAML message contains:
      • InResponseTo = the ID of the initiating SAML message
      • an authentication statement with attributes
      • statement is signed by the IdP's private key
      • statement is encrypted to the SP's public cert
    • the SP decodes/verifies this message and starts a new session
    • SP issues a session cookie, _shibsession_6465666175...; the cookie name contains a hex-encoded copy of the SP entityID, and the cookie is only valid for http://website.ncsu.edu/ URLs
    • SP retrieves the originating URL from memory and issues a redirect back to that URL
  13. Client re-visits the website

    • asks for http://website.ncsu.edu/secure/
    • includes the _shibsession_6465666175... cookie
    • shibd retrieves the session and sends the attributes back to httpd
    • httpd allows the connection and returns the page content
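The SP-side bookkeeping in steps 1, 12 and 13 (return URL saved under the AuthnRequest ID, InResponseTo checked on the way back, session cookie named with a hex string) can be modelled in a few lines. This is an added illustration, not code from this page or from the Shibboleth project; the class and function names are hypothetical, the SAML Response is a constructed sample that omits the real message's signature and encrypted assertion, and the hex fragment decoded at the end is the one quoted above.

```python
# Added example: a minimal model of what shibd keeps between the redirect to the IdP
# and the POST back from it. Not Shibboleth SP code; names here are hypothetical.
import secrets
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"


class SpRequestStore:
    """Models shibd saving the return URL keyed by the AuthnRequest ID (step 1)."""

    def __init__(self):
        self._pending = {}

    def issue_request(self, return_url):
        # SAML IDs must be valid xs:ID values, so they start with an underscore.
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = return_url
        return request_id

    def consume_response(self, response_xml):
        """Return the saved URL if InResponseTo names a pending request, else None.

        The entry is removed on first use, so an unsolicited Response (no
        InResponseTo, or an ID shibd never issued) and a replayed Response
        are both rejected (step 12)."""
        root = ET.fromstring(response_xml)
        if root.tag != SAMLP + "Response":
            return None
        return self._pending.pop(root.get("InResponseTo"), None)


def decode_shibsession_name(cookie_name):
    """Recover the text hex-encoded into a _shibsession_<hex> cookie name (step 12)."""
    prefix = "_shibsession_"
    if not cookie_name.startswith(prefix):
        raise ValueError("not a Shibboleth SP session cookie name")
    return bytes.fromhex(cookie_name[len(prefix):]).decode("ascii")


if __name__ == "__main__":
    store = SpRequestStore()
    rid = store.issue_request("http://website.ncsu.edu/secure/")
    # Constructed sample Response (real ones are signed and carry an encrypted assertion).
    response = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                f'ID="_r1" Version="2.0" InResponseTo="{rid}"/>')
    print(store.consume_response(response))  # http://website.ncsu.edu/secure/
    print(store.consume_response(response))  # None: a second presentation is rejected
    print(decode_shibsession_name("_shibsession_6465666175"))  # defau
```

The hex fragment quoted on this page decodes to "defau", the first characters of the text the SP hashes into the cookie name; the full name is considerably longer than the fragment shown.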
