Symantec Access Management

 View Only
Expand all | Collapse all

How SAML Assertion Processed at SP side

Jump to Best Answer
  • 1.  How SAML Assertion Processed at SP side

    Posted Aug 12, 2018 12:40 PM



    Can any one explain in detail , how SAML Assertion processed at SP side ? means how assertion is verified and which component will process and how Policy Server is contacted and which cookies were created?




  • 2.  Re: How SAML Assertion Processed at SP side

    Broadcom Employee
    Posted Aug 12, 2018 09:56 PM

    Anyone can help Naga?

  • 3.  Re: How SAML Assertion Processed at SP side
    Best Answer

    Posted Aug 13, 2018 11:57 AM

    Naga nagarajureddepalli44


    A lot of things can differ based on the different parameters,

    • Architectural Model (WA-WAOP or CA AG).
    • IdP Initiated OR SP Initiated (with SAML REQUEST w / wo RelayState).
    • HTTP POST or HTTP Artifact Binding.
    • Signing / Verification.
    • Encryption / Decryption (with levels).


    Thus if you have a specific configuration / flow in mind that would better to speak about.


    However the best way to learn is being proactive and doing some self investigation; thereafter seeking pointed / specific questions. Here is what I'd do.


    1. Configure a simple working SAML flow.
    2. Use a tool like fiddler to see what redirects and cookies are getting generated.
    3. Enable Tracing on WAOP (FWSTrace.log) and Policy Server (smtracedefault.log - make sure FED TXN is enabled in tracing). Map the browser txns with FWSTrace.log and smtracedefault.log.
    4. Configure additional tweaks / configurations over basic / simple working SAML flow. Repeat above two steps.



    For your ease, In general words here is the most common generic things that occurs enroute.....

    1. Once a SAML RESPONSE is received at SP end, it'd be BASE64 encoded. The first thing would be to BASE64 decode the SAML RESPONSE to expose the XML document.
    2. Once the XML Document is retrieved typically we would check if the IdP ID matches a configuration on SP end. We need to know against which partnership should this SAML RESPONSE be mapped.
    3. Once the validity of IdP ID is ascertained, then the most common generic thing that happens is decryption of the Assertion.
    4. Once the Assertion is decrypted then the most common generic thing is Signature Validation.
    5. Once all above 3 are successfully completed, the disambiguation process kicks in. In most cases read the username from NameID and search for that value in User Directory.
    6. If user is found then an disambiguation succeeds. But hold on, we also check if the Assertion is within the Validity Duration and in many cases if it is within the OneTime clause. If all of these PASS, then Authentication success if fired.
    7. SMSession is generated (WAOP code set the SMSESSION Cookie in this case).
    8. Thereafter a request is redirect to the TARGET URL / APP defined within the partnership.


    As I mentioned this is very high level, based on your configurations, many things will get added into this.



    What Cookies are created.





  • 4.  Re: How SAML Assertion Processed at SP side

    Posted Aug 15, 2018 01:25 AM

    Thanks a Lot Dennis for your detail explanation

  • 5.  Re: How SAML Assertion Processed at SP side

    Posted Aug 13, 2018 01:32 PM

    Can you check the below link :


    Configure Single Sign-on at the SP - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 


    This might help you,