Detailed Trace of a Shibboleth Login
Updated for 2022 - IdP version 4.2.x and Duo Universal Prompt
Client visits a website protected by a Shibboleth SP
- asks for http://website.ncsu.edu/secure/
- httpd server asks shibd server for credentials
- shibd hasn't seen this client before
- shibd saves the return URL in its memory (this appears to be keyed off the following SAML message ID)
- shibd issues an _opensaml_req_ss... cookie
- shibd returns a redirect to the IdP, with a SAML message to initiate a login
Client visits the IdP site to initiate a login
- asks for https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?...
- IdP verifies the SAML request, makes sure it knows about the SP
- IdP issues a JSESSION cookie to track the login process
- client gets sent to an intermediate page
Client follows redirect to GET https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1
- page content uses javascript to force the browser to POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1
- POST request includes any previous IdP session information from local storage:
  - shib_idp_ls_value.shib_idp_session_ss - encrypted
  - shib_idp_ls_value.shib_idp_persistent_ss - encrypted
- includes the JSESSION cookie
- successful POST redirects to the login page
Client enters Unity ID and password on the login page, clicks to POST
- POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s2
- includes the JSESSION cookie
- IdP verifies the username and password
- client gets sent to the next step
Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s3
- includes the JSESSION cookie
- this step starts the Duo check
- client gets sent to the next step
Client follows redirect to https://shib.ncsu.edu/idp/profile/Authn/Duo/2FA/authorize?conversation=e1s3
- includes the JSESSION cookie
- IdP prepares a URL to request an OpenID login to Duo
- URL includes a return URL on shib.ncsu.edu, and encoded session information
- client gets sent to that Duo URL
Client is sent to log in to Duo at https://api-367267e6.duosecurity.com/oauth/v1/authorize?scope=openid...
- Duo accepts the auth request
- redirects the client within Duo to complete the authentication
- Duo handles its own session cookies as needed
- upon successful verification of 2FA, client returns to the IdP
Client returns to Shibboleth at https://shib.ncsu.edu/idp/profile/Authn/Duo/2FA/duo-callback?state=...
- includes the JSESSION cookie
- IdP verifies the Duo OpenID message indicating success
- client gets sent to the next step
Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s3&eventIdproceed=1
- includes the JSESSION cookie
- IdP has confirmed that Username/Password and Duo authentications have passed successfully
- IdP creates a new authenticated session
- IdP returns an IdP session cookie: shib_idp_session, only shared to https://shib.ncsu.edu/idp URLs
- client is bounced to a page that checks for attribute release
Client approves the attribute release page on https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s4
- POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s4
- includes the JSESSION and shib_idp_session cookies
- success sends the client to the next step
Client follows redirect to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s5
- includes the JSESSION and shib_idp_session cookies
- that page does a javascript POST to https://shib.ncsu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s5
- manages local storage of the IdP session and attribute / consent, all encrypted
- page content uses javascript to force the browser to POST a SAML message back to the SP
- WARNING: if the SP is not an https URL, this javascript POST will throw an error message to the user warning that they are leaving a secured page for an unsecured one.
Client POSTs the SAML message back to the SP
- POST to http://website.ncsu.edu/Shibboleth.sso/SAML2/POST
- POST data includes the RelayState with return session info
- sends the _opensaml_req_ss... cookie, which also has the return session info
- SAML message contains:
  - InResponseTo = the ID of the initiating SAML message
  - an authentication statement with attributes
  - statement is signed by the IdP's private key
  - statement is encrypted to the SP's public cert
- the SP decodes/verifies this message and starts a new session
- SP issues a session cookie: _shibsession_6465666175... (the name contains a hex-encoded copy of the SP entityID); the cookie is only valid for http://website.ncsu.edu/ URLs
- SP retrieves the originating URL from memory and issues a redirect back to that URL
Client re-visits the website
- asks for http://website.ncsu.edu/secure/
- includes the _shibsession_6465666175... cookie
- shibd retrieves the session and sends the attributes back to httpd
- httpd allows the connection and returns the page content
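The two SP-side steps that bracket this whole trace (saving the return URL keyed by the outgoing request ID, then accepting the final POST only if its InResponseTo matches a pending request) can be modelled in a few lines. This is an added illustration, not code from the page or from shibd; the IdP entityID and the Response XML are constructed sample values, and signature verification and assertion decryption are assumed to happen elsewhere.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "http://website.ncsu.edu/Shibboleth.sso/SAML2/POST"  # endpoint from the trace
IDP_ENTITY_ID = "https://shib.ncsu.edu/idp/shibboleth"          # assumed sample value

pending = {}  # request ID -> return URL (what shibd keeps in memory in step 1)

def start_login(return_url):
    """Mint an AuthnRequest ID and remember where to send the client afterwards."""
    req_id = "_" + secrets.token_hex(16)  # xs:ID must start with a letter or underscore
    pending[req_id] = return_url
    return req_id

def accept_response(xml_text):
    """Correlate the posted Response with a pending request; return the saved URL."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response not addressed to this SP's ACS endpoint")
    if root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    # pop() makes each request ID single-use, so a replayed Response is rejected
    return_url = pending.pop(root.get("InResponseTo"), None)
    if return_url is None:
        raise ValueError("InResponseTo does not match a pending request")
    return return_url

def sample_response(request_id, destination=ACS_URL):
    """Constructed sample Response (not a real NCSU message) for the final POST."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" InResponseTo="{request_id}" Destination="{destination}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            '<saml:EncryptedAssertion/></samlp:Response>')

if __name__ == "__main__":
    rid = start_login("http://website.ncsu.edu/secure/")
    print("redirect back to", accept_response(sample_response(rid)))
```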
References
These pages are found on the Shibboleth Wiki:
- Flows and Config - another view of the login process
- SP Cookie Usage - cookies used by the Service Providers
- IdP Cookie Usage - cookies used by the Identity Providers (v2 only, now obsolete)