

5.13 The SAML20 mechanism

The SAML20 mechanism makes it possible to use SAML in SASL, in a way that offloads the authentication exchange to an external browser.

The mechanism makes use of the following properties: GSASL_AUTHZID, GSASL_SAML20_IDP_IDENTIFIER, GSASL_SAML20_REDIRECT_URL, GSASL_SAML20_AUTHENTICATE_IN_BROWSER and GSASL_VALIDATE_SAML20.

In client mode, the mechanism will retrieve the GSASL_AUTHZID and GSASL_SAML20_IDP_IDENTIFIER properties and form a request to the server. The server will respond with a redirect URL, stored in the GSASL_SAML20_REDIRECT_URL property, which the client application reads from inside its GSASL_SAML20_AUTHENTICATE_IN_BROWSER callback. The intention is that the client launches a browser at the given URL and then proceeds with authentication. The server then reports whether authentication succeeded.

In server mode, the mechanism will invoke the GSASL_SAML20_REDIRECT_URL callback, and the application can inspect the GSASL_AUTHZID and GSASL_SAML20_IDP_IDENTIFIER properties when forming the redirect URL. The URL is passed to the client, which is expected to complete authentication in the browser. The server callback GSASL_VALIDATE_SAML20 should check whether the authentication attempt was successful.
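The following is an added example, not code from GNU SASL itself, showing what a server application has to put behind the two server callbacks above: building the redirect URL from the client-supplied IdP identifier, and deciding in GSASL_VALIDATE_SAML20 whether the browser round trip actually succeeded for this session and this authzid. The gsasl calls and property names are the library's real ones; the IdP allowlist, the `saml_session` record, the `/saml/login` URL layout, the `sp.example.com` host and the placeholder token are all constructed for illustration.

```c
/* Added example, not gsasl's own code: application-side logic behind the two
 * SAML20 server callbacks described above.  The gsasl calls and property
 * names are real; the IdP allowlist, session record, URL layout and token
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed: the IdPs this service provider is federated with.  Only an
 * exact match reaches the redirect URL, so a client cannot steer the server
 * into sending the user to an arbitrary site. */
static const char *const allowed_idps[] = {
    "https://idp.example.org/saml/metadata", NULL
};

int idp_allowed(const char *idp)
{
    for (size_t i = 0; idp && allowed_idps[i]; i++)
        if (strcmp(allowed_idps[i], idp) == 0)
            return 1;
    return 0;
}

/* Constructed per-session record.  The token placed in the URL is what ties
 * the browser round trip back to this SASL session; real code must draw it
 * from a CSPRNG so it cannot be guessed or replayed across sessions. */
struct saml_session {
    char token[32], authzid[64], subject[64];
    int completed;      /* set once the SP has verified the IdP's response */
};

void session_init(struct saml_session *s, const char *token, const char *authzid)
{
    memset(s, 0, sizeof *s);
    snprintf(s->token, sizeof s->token, "%s", token);
    snprintf(s->authzid, sizeof s->authzid, "%s", authzid ? authzid : "");
}

/* Behind GSASL_SAML20_REDIRECT_URL: a URL on this SP naming the chosen IdP and
 * the session token.  The authzid is deliberately kept out of the URL and is
 * compared with the assertion later instead.  Returns 0 on success, -1 if the
 * IdP is not federated or the buffer is too small. */
int build_redirect_url(const char *sp_base, const char *idp,
                       const char *token, char *out, size_t outlen)
{
    if (!idp_allowed(idp))
        return -1;
    int n = snprintf(out, outlen, "%s/saml/login?idp=%s&session=%s",
                     sp_base, idp, token);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Called by the SP's assertion-consumer endpoint, outside SASL: it looks the
 * record up by the token in the URL, and only after checking the signature,
 * audience and validity window of the IdP response does it record the subject. */
void record_browser_outcome(struct saml_session *s, const char *subject)
{
    snprintf(s->subject, sizeof s->subject, "%s", subject);
    s->completed = 1;
}

/* Behind GSASL_VALIDATE_SAML20: success means the flow completed for this
 * session and the asserted subject may act as the requested authzid (here:
 * must be the same name; a deployment would consult its authorization data). */
int validate_saml20(const struct saml_session *s)
{
    if (!s || !s->completed)
        return 0;
    return s->authzid[0] == '\0' || strcmp(s->subject, s->authzid) == 0;
}

#ifdef USE_GSASL   /* build with -DUSE_GSASL -lgsasl to wire this into libgsasl */
#include <gsasl.h>
static int server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
{
    static struct saml_session rec;   /* one per connection in real code */
    char url[512];
    (void)ctx;
    switch (prop) {
    case GSASL_SAML20_REDIRECT_URL:
        session_init(&rec, "RANDOM-TOKEN-PLACEHOLDER",   /* CSPRNG output in real code */
                     gsasl_property_get(sctx, GSASL_AUTHZID));
        if (build_redirect_url("https://sp.example.com",
                               gsasl_property_get(sctx, GSASL_SAML20_IDP_IDENTIFIER),
                               rec.token, url, sizeof url) != 0)
            return GSASL_AUTHENTICATION_ERROR;
        gsasl_session_hook_set(sctx, &rec);   /* find the record again later */
        gsasl_property_set(sctx, GSASL_SAML20_REDIRECT_URL, url);
        return GSASL_OK;
    case GSASL_VALIDATE_SAML20:
        return validate_saml20(gsasl_session_hook_get(sctx))
                   ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;
    default:
        return GSASL_NO_CALLBACK;
    }
}
#endif
```

The callback is installed with `gsasl_callback_set` and, as with every gsasl callback, returns GSASL_NO_CALLBACK for properties it does not handle. Two points carry the security weight: the redirect URL only ever names an allowlisted IdP, so the client-supplied identifier cannot turn the server into an open redirector, and GSASL_VALIDATE_SAML20 checks that the assertion arrived for this session's token and names a subject allowed to act as the requested authzid, rather than only that some browser login finished. On the client side the mirror-image check belongs in GSASL_SAML20_AUTHENTICATE_IN_BROWSER: before handing the GSASL_SAML20_REDIRECT_URL value to a browser, confirm it is an https URL on the host the client expects for that server.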