SessionIndex in SAML Response

Sam · August 29, 2015, 7:45am

How can we send SessionIndex in SAML Response using component space dll.
what will be the value for SessionIndex and what is the purpose of it.

Regards
Sam

ComponentSpace · August 29, 2015, 6:34pm

The session index is automatically included.
The SAML assertion includes an authentication statement which in turn includes the session index. As per the SAML specification, we use the assertion ID as the session index.
It’s primary purpose is during SAML logout to identify which sessions to logout.

Sam · September 1, 2015, 12:48pm

The authentication statement in SAML Assertion looks like the following,
<saml:AuthnStatement AuthnInstant=“2015-08-05T20:56:05.492Z”>
saml:AuthnContext
saml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
It did not contain session index. Are we missing anything?

Thanks,

ComponentSpace · September 1, 2015, 3:04pm

Are you using the SAML high-level API? If so, the SessionIndex is automatically included.
If you’re using the low-level API you need to set this yourself using the AuthnStatement.SessionIndex property.
We recommend using the high-level API if possible as it does a lot of this work for you.
Below is an example of a SAML assertion generated by our high-level API. You’ll see that it includes the SessionIndex.

<saml:Assertion Version=“2.0” ID=“_892a22d8-71d1-4cd2-98b5-089fa3efb207” IssueInstant=“2015-08-06T20:48:39.97Z” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>
saml:Issuer http://localhost/ExampleIdentityProvider</saml:Issuer>
saml:Subject
<saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>idp-user</saml:NameID>
<saml:SubjectConfirmation Method=“urn:oasis:names:tc:SAML:2.0:cm:bearer”>
<saml:SubjectConfirmationData NotOnOrAfter=“2015-08-06T20:51:39.97Z” Recipient=“http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx” />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore=“2015-08-06T20:45:39.97Z” NotOnOrAfter=“2015-08-06T20:51:39.97Z”>
saml:AudienceRestriction
saml:Audience http://localhost/ExampleServiceProvider</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant=“2015-08-06T20:48:39.97Z” SessionIndex=“_892a22d8-71d1-4cd2-98b5-089fa3efb207”>
saml:AuthnContext
saml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
saml:AttributeStatement
<saml:Attribute Name=“membership-level”>
<saml:AttributeValue xsi:type=“xs:string” xmlns:xs=“http://www.w3.org/2001/XMLSchema” xmlns:xsi=“platinum</saml:AttributeValue”>http://www.w3.org/2001/XMLSchema-instance">platinum</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=“membership-number”>
<saml:AttributeValue xsi:type=“xs:string” xmlns:xs=“http://www.w3.org/2001/XMLSchema” xmlns:xsi=“12345678</saml:AttributeValue”>http://www.w3.org/2001/XMLSchema-instance">12345678</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>