SAML authentication event examples

The following examples illustrate the steps required to configure SAML as the authentication method for your product. These examples are referenced on the Edit authentication page.

Example A—SUBSCRIPTION_ORDER event

{
"type": "SUBSCRIPTION_ORDER",
"marketplace": {
   "partner": "APPDIRECT",
   "baseUrl": "https://marketplace.exampletelco.com"
 },
...
 "links": [
   {
     "rel": "samlIdp",
     "href": "https://marketplace.exampletelco.com/api/account/v2/subscriptions/9b81dd5f-5afb-494e-a337-1fcd7c166f98/saml"
   }
 ]
}

Example B—SAML metadata

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Identity provider (IdP) metadata for the marketplace. The service provider (your product) reads
  its trust settings from this document: who the IdP is, which certificate signs its assertions,
  and where AuthnRequests are sent.
  NOTE(review): presumably this document is what the "samlIdp" link in Example A returns. Confirm
  against the Edit authentication page, and fetch it over HTTPS only.

  entityID is the value to expect in the Issuer of every response from this IdP. The identifier in
  this sample (ending 1324f505-af41-4a71-8e0b-515a38bef4bb) differs from the one in Examples C and D
  (ending c5dc9b6f-e4c8-4ffc-83eb-6ad7eabf6fa8), so the samples were taken from different
  configurations. In a real integration the two must be equal.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://marketplace.exampletelco.com/saml/1324f505-af41-4a71-8e0b-515a38bef4bb">
  <!-- WantAuthnRequestsSigned="false": this IdP does not require the service provider to sign its AuthnRequest (Example D is unsigned). -->
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!--
      use="signing": the certificate the IdP signs with. Store it with the product configuration and
      verify assertion signatures against this stored copy, not against whatever certificate arrives
      inside a response's ds:KeyInfo. The certificate value is abbreviated in this listing.
    -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICyDCCAbCgAwIBAgIGAWDhTY89MA0GCSqGSIb3DQEBBQUAMCUxIzAhBgNVBAoM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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- The only endpoint advertised uses the HTTP-POST binding; Location is the Destination for the AuthnRequest. -->
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://marketplace.exampletelco.com/saml/idp/login/1324f505-af41-4a71-8e0b-515a38bef4bb"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Example C—SAML response

<?xml 
version="1.0" 
encoding="UTF-8"?>
<!--
  SAML response the marketplace IdP posts to the service provider's assertion consumer service
  after the user authenticates. It answers the AuthnRequest in Example D (same request ID, same
  ACS URL).
  NOTE(review): this copy looks re-indented and line-wrapped for display, and the certificate is
  abbreviated. Whitespace inside the signed Assertion is part of what the digest covers, so do not
  expect this listing to verify as shown, and expect on-the-wire text values (NameID, attribute
  values, Issuer) without the trailing line breaks seen here. Confirm against a live response.
-->
<saml2p:Response 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    Destination="https://www.isv.com/acs" 
    ID="_ce1e56e1d023c5577d07ba0b895c13bd" 
    InResponseTo="_2CAAAAVtZX3lYME8wQTAwMDAwMDAwMDAzAAAAzvuJvcL_kWAbzchKB6aZbvbWSsygYVe6tvnG_1X13kwKjVKC8Fx0mhYBGRmDBwzXN8Ec8qZEXKEij_47Or67wm9M5WV1pQTBoCB0gpEBaiIRnJ10Svb3E8yjXLMVvFBgAHat4vSlJwonJKEtuDMrP85X8oLkpbnugB30Uv3sijcdElUzPPqX40UviK467N-0pHMnArPstT8Sw7baFfxeBlu0uAybRrcs_-7pvNNBjzYOyNxFr1mHF096aCjQ2negLA" 
    IssueInstant="2017-03-13T19:39:02.248Z" 
    Version="2.0">
    <!--
      The attributes on this outer Response element (Destination, InResponseTo, ID) and the Status
      below are NOT covered by the signature: the only ds:Signature in the message sits inside the
      Assertion and references the Assertion ID. Still check Destination and InResponseTo here, but
      treat the copies inside the signed Assertion (SubjectConfirmationData) as the authoritative ones.
    -->
    <saml2:Issuer 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://marketplace.exampletelco.com/saml/c5dc9b6f-e4c8-4ffc-83eb-6ad7eabf6fa8
    </saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
        ID="_b284310643f158edfca0ae1e22e19bd2" 
        IssueInstant="2017-03-13T19:39:02.171Z" 
        Version="2.0" 
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <!-- Issuer must equal the IdP entityID taken from the metadata configured for this product. -->
        <saml2:Issuer>https://marketplace.exampletelco.com/saml/c5dc9b6f-e4c8-4ffc-83eb-6ad7eabf6fa8</saml2:Issuer>
        <!--
          Enveloped signature over this Assertion. The single ds:Reference URI
          (#_b284310643f158edfca0ae1e22e19bd2) equals the ID of the enclosing Assertion. A consumer
          should confirm that match and then read identity data only from the exact element the
          reference resolved to, never from another Assertion found elsewhere in the document.

          This 2017 sample uses RSA-SHA1 for the signature and SHA-1 for the digest. SHA-1 is no
          longer collision-resistant; if the IdP can be configured for RSA-SHA256, prefer it, and
          decide deliberately whether the service provider accepts SHA-1 signed assertions.
        -->
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference 
                    URI="#_b284310643f158edfca0ae1e22e19bd2">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces 
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
                                PrefixList="xs"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>AzARsiX+uijCy/
                        p3vYftXLj7IR0=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>CTPrekQRY5Cb+eNffcr8/o3eHJi+GENbyKxzAIcBP0dpkoSzy6CiZfJjeYxw3TEmGbsT3910x9YYYzcDLCfgz5dZ880Rzo5hQ23dSvSwEhc5QTeMPtbhKK4RCoQj/teGVjxz9U6tsjRjJzILoOPU5DXmbmaz8yvoKvuIXjBYSkOtQmTGPeUBm0HalObkSM1zgycG4BrpRa01HO6xCnZ79IYxYgVEmmwbjOenxN55H6XgcjhSn1JK3fo5UiPeo/qD8KUoR1autT/kyGQ0i039Hh6AH6EicbxKHA5+gDdt20m6ZO/PRXbHhdkJkttMMWL/sENTfjxf/cp+
                UhRQ8N2ixA==
            </ds:SignatureValue>
            <!--
              This certificate travels with the message, so on its own it proves nothing about who
              signed. Verify the signature with the signing certificate already stored from the IdP
              metadata (Example B), or at minimum require this certificate to be identical to it.
            -->
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIICyDCCAbCgAwIBAgIGAVqQG0NgMA0GCSqGSIb3DQEBBQUAMCUxIzAhBgNVBAoMGkNPTVBBTllf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                        Be4sFtifBYZn90ao=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!--
          Bearer subject confirmation: whoever presents this assertion is accepted as the subject,
          so the three SubjectConfirmationData checks carry the replay protection.
            InResponseTo  must equal the ID of an AuthnRequest this service provider issued and
                          has not yet seen answered (Example D).
            Recipient     must equal this service provider's ACS URL.
            NotOnOrAfter  must be in the future; remember the Assertion ID until then and reject
                          a second presentation.
        -->
        <saml2:Subject>
            <saml2:NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@testcompany.com
            </saml2:NameID>
            <saml2:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData 
                    InResponseTo="_2CAAAAVtZX3lYME8wQTAwMDAwMDAwMDAzAAAAzvuJvcL_kWAbzchKB6aZbvbWSsygYVe6tvnG_1X13kwKjVKC8Fx0mhYBGRmDBwzXN8Ec8qZEXKEij_47Or67wm9M5WV1pQTBoCB0gpEBaiIRnJ10Svb3E8yjXLMVvFBgAHat4vSlJwonJKEtuDMrP85X8oLkpbnugB30Uv3sijcdElUzPPqX40UviK467N-0pHMnArPstT8Sw7baFfxeBlu0uAybRrcs_-7pvNNBjzYOyNxFr1mHF096aCjQ2negLA" 
                    NotOnOrAfter="2017-03-13T19:49:02.171Z" 
                    Recipient="https://www.isv.com/acs"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!--
          Validity window: opens five minutes before the Assertion IssueInstant and closes ten
          minutes after it. Enforce both bounds, allowing only a small clock-skew tolerance.
          Audience must equal the service provider's own entity ID (the Issuer sent in Example D);
          reject assertions minted for any other audience.
        -->
        <saml2:Conditions 
            NotBefore="2017-03-13T19:34:02.171Z" 
            NotOnOrAfter="2017-03-13T19:49:02.171Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://www.isv.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement 
            AuthnInstant="2017-03-13T19:39:02.171Z" 
            SessionIndex="_08aae2b77cee92f3a8b259b3a32b6479">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!--
          User attributes released by the IdP: Email, FirstName, LastName, each typed xs:string.
          Use them only after the signature and every condition above have been checked.
        -->
        <saml2:AttributeStatement>
            <saml2:Attribute 
                Name="Email">
                <saml2:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">john.smith@testcompany.com
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                Name="FirstName">
                <saml2:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">John
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                Name="LastName">
                <saml2:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">Smith
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

 

Example D—SAML request

<?xml 
version="1.0" 
encoding="UTF-8"?>
<!--
  AuthnRequest the service provider sends to the marketplace IdP to start sign-in. It is the
  request that the response in Example C answers.

  ID             is echoed back as InResponseTo in the response. Generate a fresh, unpredictable
                 value for every request and keep it server-side until the response arrives, so
                 unsolicited or replayed responses can be rejected.
  Destination    is the IdP SingleSignOnService Location from the metadata.
  AssertionConsumerServiceURL
                 is where the IdP is asked to post the response; it reappears as Destination and
                 Recipient in Example C.
  ProtocolBinding asks for the response over HTTP-POST.

  The request carries no ds:Signature, which the IdP metadata permits
  (WantAuthnRequestsSigned="false" in Example B).
  NOTE(review): an unsigned request cannot vouch for its own AssertionConsumerServiceURL, so
  presumably the IdP checks it against the URL registered for the product. Confirm.
-->
<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    AssertionConsumerServiceURL="https://www.isv.com/acs" 
    Destination="https://marketplace.exampletelco.com/saml/idp/login/c5dc9b6f-e4c8-4ffc-83eb-6ad7eabf6fa8" 
    ID="_2CAAAAVtZX3lYME8wQTAwMDAwMDAwMDAzAAAAzvuJvcL_kWAbzchKB6aZbvbWSsygYVe6tvnG_1X13kwKjVKC8Fx0mhYBGRmDBwzXN8Ec8qZEXKEij_47Or67wm9M5WV1pQTBoCB0gpEBaiIRnJ10Svb3E8yjXLMVvFBgAHat4vSlJwonJKEtuDMrP85X8oLkpbnugB30Uv3sijcdElUzPPqX40UviK467N-0pHMnArPstT8Sw7baFfxeBlu0uAybRrcs_-7pvNNBjzYOyNxFr1mHF096aCjQ2negLA" 
    IssueInstant="2017-03-13T19:38:09.152Z" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Version="2.0">
    <!-- Issuer is the service provider's entity ID; the IdP returns it as the Audience in Example C. -->
    <saml:Issuer 
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.isv.com
    </saml:Issuer>
</samlp:AuthnRequest>