Web Authentication Service Interface

Request parameters (R = required, O = optional):

VERSION=1.1 (R)
    Version parameter; the value must be 1.1.

REQUEST=GetSAMLResponse (R)
    Operation name; the value must be GetSAMLResponse.

METHOD=<authnmethod-urn> (R)
    Authentication method; determines the form of the value expected in the CREDENTIALS parameter.

CREDENTIALS=<credential> (R)
    The user's authentication information, encoded as required by the authentication method.

ANONYMOUS=true|false (O)
    Flag indicating whether a ticket is to be issued for an anonymous user.

RETURNFORMAT=<format> (O)
    Prescribes the format returned by the WAS. By default a samlp:Response element is generated; if RETURNFORMAT=ASSERTION is set, only the saml:Assertion element is delivered.

The following authentication methods (METHOD) are supported:

urn:opengeospatial:authNMethod:OWS:1.0:password

Password authentication. The CREDENTIALS parameter must contain the Base64-encoded username followed by the Base64-encoded password, separated by a comma (each value is encoded separately).

Example: CREDENTIALS=dGVzdA==,dGVzdA==

urn:opengeospatial:authNMethod:OWS:1.0:samlresponse

SAML ticket authentication. The CREDENTIALS parameter must contain a valid Base64-encoded samlp:Response or saml:Assertion element as issued by the WAS. This method can be used, for example, to renew a ticket before its validity expires.

The parameters described above are appended to the URL http(s)://[HOST]/administration/WAS as query parameters, i.e. the request is sent with HTTP GET.

Example of password authentication (username: test, password: test):
http://localhost:8080/administration/WAS?VERSION=1.1&REQUEST=GetSAMLResponse&METHOD=urn:opengeospatial:authNMethod:OWS:1.0:password&CREDENTIALS=dGVzdA==,dGVzdA==

Example of an anonymous request:
http://localhost:8080/administration/WAS?VERSION=1.1&REQUEST=GetSAMLResponse&METHOD=urn:opengeospatial:authNMethod:OWS:1.0:password&ANONYMOUS=TRUE&CREDENTIALS=

The result of a successful WAS authentication is a Base64-encoded samlp:Response element. Decoded, the ticket looks like this:

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2010-02-12T10:42:35.765Z"
    MajorVersion="1" MinorVersion="1" ResponseID="_84902b97cd7c2f66beeed4500dc475a1">
    <Status>
        <StatusCode Value="samlp:Success"/>
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_040bf74af75f3d3456aa88bacc19742c" IssueInstant="2010-02-12T10:42:35.765Z"
        Issuer="ct-security" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="2010-02-12T10:42:35.280Z" NotOnOrAfter="2010-02-12T11:42:35.280Z"/>
        <AuthenticationStatement AuthenticationInstant="2010-02-12T10:42:35.280Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <Subject>
                <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                    anonymous-946d7e7b-c176-4945-b54b-822e34101514
                </NameIdentifier>
            </Subject>
        </AuthenticationStatement>
        <AttributeStatement>
            <Subject>
                <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">anonymous-946d7e7b-c176-4945-b54b-822e34101514</NameIdentifier>
            </Subject>
            <Attribute AttributeName="gender" AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">M</AttributeValue>
            </Attribute>
            <Attribute AttributeName="urn:conterra:names:sdi-suite:policy:attribute:group-name" AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">Gast</AttributeValue>
            </Attribute>
            <Attribute AttributeName="urn:conterra:names:sdi-suite:policy:attribute:user-id" AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">2</AttributeValue>
            </Attribute>
            <Attribute AttributeName="urn:conterra:names:sdi-suite:policy:attribute:group-id"  AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">2</AttributeValue>
            </Attribute>
            <Attribute AttributeName="mail" AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">m.reiprecht@conterra.de</AttributeValue>
            </Attribute>
            <Attribute AttributeName="urn:conterra:names:sdi-suite:policy:attribute:role"  AttributeNamespace="urn:ct:names">
                <AttributeValue xsi:type="xsd:string">gast</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    </Assertion>
</Response>
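As an added example that is not part of the original documentation or the WAS product, the following Python builds the HTTP-GET password request exactly as shown above and inspects a returned ticket the way a relying party should before trusting it: status code, the Conditions validity window, presence of a signature, and the subject and attributes. The sample ticket is a constructed, shortened copy of the example above with the Signature omitted; actually verifying the signature additionally requires the WAS certificate and an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
PASSWORD_METHOD = "urn:opengeospatial:authNMethod:OWS:1.0:password"


def build_password_request(base_url, username, password):
    """HTTP-GET URL for password authentication: username and password are each
    Base64-encoded separately and joined with a comma (CREDENTIALS=dGVzdA==,dGVzdA==)."""
    creds = ",".join(base64.b64encode(s.encode()).decode() for s in (username, password))
    query = urlencode({"VERSION": "1.1", "REQUEST": "GetSAMLResponse",
                       "METHOD": PASSWORD_METHOD, "CREDENTIALS": creds}, safe=":,=")
    return f"{base_url}?{query}"


def _ts(value):
    # Timestamps in the ticket have the form 2010-02-12T10:42:35.280Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inspect_ticket(b64_response, now_utc):
    """Decode a Base64 samlp:Response and report what a relying party must check before
    trusting it: status, Conditions window, signature present, subject and attributes."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find(f"{SAML}Assertion")
    cond = assertion.find(f"{SAML}Conditions")
    return {
        "status": root.find(f"{SAMLP}Status/{SAMLP}StatusCode").get("Value"),
        "in_window": _ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter")),
        "signed": assertion.find("{http://www.w3.org/2000/09/xmldsig#}Signature") is not None,
        "subject": assertion.findtext(
            f"{SAML}AuthenticationStatement/{SAML}Subject/{SAML}NameIdentifier").strip(),
        "attributes": {a.get("AttributeName"): a.findtext(f"{SAML}AttributeValue")
                       for a in assertion.iter(f"{SAML}Attribute")},
    }


# Constructed sample: a shortened copy of the page's example ticket, Signature omitted.
SAMPLE_TICKET = base64.b64encode(b"""<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
 <Status><StatusCode Value="samlp:Success"/></Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="ct-security">
  <Conditions NotBefore="2010-02-12T10:42:35.280Z" NotOnOrAfter="2010-02-12T11:42:35.280Z"/>
  <AuthenticationStatement><Subject><NameIdentifier>anonymous-946d7e7b-c176-4945-b54b-822e34101514</NameIdentifier></Subject></AuthenticationStatement>
  <AttributeStatement><Attribute AttributeName="urn:conterra:names:sdi-suite:policy:attribute:role"><AttributeValue>gast</AttributeValue></Attribute></AttributeStatement>
 </Assertion></Response>""").decode()
```

Calling `inspect_ticket(SAMPLE_TICKET, "2010-02-12T11:00:00.000Z")` reports `in_window` True and `signed` False; a relying party should reject a ticket that is outside its window or carries no verifiable signature.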