LassoLogin

Single Sign-On and Federation Profile

The Single Sign-On process allows a user to log in once to an identity provider (IdP) and then be transparently logged in to the required service providers (SP) belonging to the IdP's "circle of trust". Subordinating the different identities of the same user within a circle of trust to a unique IdP is called "Identity Federation". Thanks to this federation, the Liberty Alliance specifications allow strong and unique authentication coupled with the user's control over his personal information. The user's explicit agreement is necessary before proceeding to Identity Federation.

The service provider must implement the following process:

1. create an authentication request (#LassoLibAuthnRequest) with lasso_login_init_authn_request();
2. send it to the identity provider with lasso_login_build_authn_request_msg();
3. receive and process the answer: either an authentication response with lasso_login_process_authn_response_msg(), or an artifact with lasso_login_init_request(), then send the request to the IdP with lasso_login_build_request_msg() and process the new answer with lasso_login_process_response_msg().
Service Provider Login URL

LassoLogin *login;
LassoLibAuthnRequest *request;

login = lasso_login_new(server);
lasso_login_init_authn_request(login, "http://identity-provider-id/", LASSO_HTTP_METHOD_REDIRECT);

/* customize AuthnRequest */
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request);
request->NameIDPolicy = strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
request->ForceAuthn = TRUE;
request->IsPassive = FALSE;
request->ProtocolProfile = strdup(LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART);

lasso_login_build_authn_request_msg(login);

/* redirect user to identity provider */
printf("Location: %s\n\nRedirected to IdP\n", LASSO_PROFILE(login)->msg_url);

Service Provider Assertion Consumer Service URL

LassoLogin *login;
char *request_method = getenv("REQUEST_METHOD");
char *artifact_msg = NULL, *response_msg = NULL, *lares = NULL, *lareq = NULL;
char *soap_answer_msg = NULL;
char *identity_dump = NULL, *session_dump = NULL;
char *name_identifier;
lassoHttpMethod method;

login = lasso_login_new(server);

if (strcmp(request_method, "GET") == 0) {
	artifact_msg = getenv("QUERY_STRING");
	method = LASSO_HTTP_METHOD_REDIRECT;
} else {
	/* read submitted form; if it has a LAREQ field, put it in lareq,
	 * if it has a LARES field, put it in lares */
	if (lareq) {
		artifact_msg = lareq;
	} else if (lares) {
		response_msg = lares;
	} else {
		/* bail out */
	}
	method = LASSO_HTTP_METHOD_POST;
}

if (artifact_msg) {
	lasso_login_init_request(login, artifact_msg, method);
	lasso_login_build_request_msg(login);
	/* makes a SOAP call, soap_call is NOT a Lasso function */
	soap_answer_msg = soap_call(LASSO_PROFILE(login)->msg_url, LASSO_PROFILE(login)->msg_body);
	lasso_login_process_response_msg(login, soap_answer_msg);
} else if (response_msg) {
	lasso_login_process_authn_response_msg(login, response_msg);
}

/* looks up name_identifier in local file, database, whatever and gets back
 * two things: identity_dump and session_dump */
name_identifier = LASSO_PROFILE(login)->nameIdentifier;
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump);
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump);

lasso_login_accept_sso(login);

if (lasso_profile_is_identity_dirty(LASSO_PROFILE(login))) {
	LassoIdentity *identity;
	identity = lasso_profile_get_identity(LASSO_PROFILE(login));
	identity_dump = lasso_identity_dump(identity);
	/* record identity_dump in file, database... */
}

if (lasso_profile_is_session_dirty(LASSO_PROFILE(login))) {
	LassoSession *session;
	session = lasso_profile_get_session(LASSO_PROFILE(login));
	session_dump = lasso_session_dump(session);
	/* record session_dump in file, database... */
}

/* redirect user anywhere */
printf("Location: /\n\nRedirected to site root\n");

LassoLogin

Single sign-on profile for the current transaction; possibly an assertionArtifact to be used by the service provider in its "assertionConsumerServiceURL", and the assertion created or received for the principal. Members: protocolProfile, assertionArtifact, assertion.

Identifies the two possible profiles for Single Sign-On and Federation: LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART and LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST.
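The Assertion Consumer Service example above leaves the step "read submitted form; if it has a LAREQ field, put it in lareq, if it has a LARES field, put it in lares" as a comment. The following is an added example in plain C, not Lasso's own code: it extracts and percent-decodes the LAREQ or LARES field from an application/x-www-form-urlencoded body (QUERY_STRING for GET, the request body for POST) so the caller knows whether the value goes to lasso_login_init_request() or lasso_login_process_authn_response_msg(). The function and enum names are assumptions; the sample bodies used to exercise it are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Added example (not Lasso code): percent-decode a form value in place,
 * turning '+' into a space; malformed escapes are kept literally. */
static void form_decode(char *s)
{
	char *in = s, *out = s;
	for (; *in; in++) {
		if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
			char hex[3] = { in[1], in[2], '\0' };
			*out++ = (char)strtol(hex, NULL, 16);
			in += 2;	/* the loop's in++ skips the second hex digit */
		} else {
			*out++ = (*in == '+') ? ' ' : *in;
		}
	}
	*out = '\0';
}

/* Return a malloc'ed, decoded copy of `field` from a form-encoded body (QUERY_STRING
 * or a POST body), or NULL if absent. Whole-name match: "LAREQX" never matches "LAREQ". */
char *form_get_field(const char *body, const char *field)
{
	size_t flen = strlen(field);
	const char *p = body;
	while (p && *p) {
		const char *end = strchr(p, '&');
		size_t plen = end ? (size_t)(end - p) : strlen(p);
		if (strncmp(p, field, flen) == 0 && p[flen] == '=') {
			size_t vlen = plen - flen - 1;
			char *val = malloc(vlen + 1);
			if (!val) return NULL;
			memcpy(val, p + flen + 1, vlen); val[vlen] = '\0';
			form_decode(val);
			return val;
		}
		p = end ? end + 1 : NULL;
	}
	return NULL;
}

/* The branch the consumer service needs: LAREQ carries an artifact for
 * lasso_login_init_request(), LARES an AuthnResponse for lasso_login_process_authn_response_msg(). */
enum liberty_field { LIBERTY_NONE = 0, LIBERTY_LAREQ, LIBERTY_LARES };
enum liberty_field classify_liberty_form(const char *body, char **value)
{
	if ((*value = form_get_field(body, "LAREQ")) != NULL) return LIBERTY_LAREQ;
	if ((*value = form_get_field(body, "LARES")) != NULL) return LIBERTY_LARES;
	return LIBERTY_NONE;
}
```

The caller owns the returned string and must free() it after handing it to the Lasso call; a LIBERTY_NONE result corresponds to the "bail out" branch in the example.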