Establishing a trust for Collaborative Review
Establish a trust for Collaborative Review with a Security Token Service.
For Collaborative Review to integrate with a Security Token Service we need to first establish a trust on the Security Token Service.
To achieve this we first need the identifier of Collaborative Review. This is the URL of Collaborative Review, e.g. https://example.com/LC/.
The Security Token Service generates tokens that are processed by Collaborative Review. For the token to be valid and useful, the following conditions have to be met:
- The token format must be SAML1.1 (urn:oasis:names:tc:SAML:1.0:assertion). For example, the generated token should contain the element `<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>`.
- You have a set of claims that drive the Collaborative Review authorization.
The generated token's attribute composition must be as follows:
| Name | Claim type | Required |
|---|---|---|
| Name identifier | | Yes |
| Given name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Yes |
| Surname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Yes |
| Email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Yes |
| Role | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | No |
| Group | http://schemas.xmlsoap.org/claims/group | No |
| Display Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname | No |
| Department | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department | No |
Here is an example token in which private information has been redacted:
<!-- Sample RequestSecurityTokenResponse (WS-Trust) carrying a SAML 1.1 assertion for Collaborative Review.
     Every value that would identify a real deployment or user is replaced by the placeholder "deducted";
     only the structure, namespaces and algorithm identifiers are meaningful in this example. -->
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<!-- Validity window of the issued token (one hour here); it mirrors the NotBefore / NotOnOrAfter
     values on saml:Conditions below. Timestamps are UTC (trailing Z). -->
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-11-05T09:55:42.162Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-11-05T10:55:42.162Z</wsu:Expires>
</t:Lifetime>
<!-- Relying party the token was issued for. The address is the Collaborative Review identifier URL
     and is repeated as the saml:Audience inside the assertion. -->
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://example.com/LiveContent/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<!-- SAML 1.1 assertion (MajorVersion=1, MinorVersion=1). AssertionID is the target of the
     enveloped ds:Signature reference below, so the whole assertion is covered by the signature. -->
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_2609f1cf-a664-49eb-bffd-68ab598724e9" Issuer="deducted" IssueInstant="2015-11-05T09:55:42.169Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<!-- Time bounds and audience restriction; the audience must match the Collaborative Review identifier URL. -->
<saml:Conditions NotBefore="2015-11-05T09:55:42.162Z" NotOnOrAfter="2015-11-05T10:55:42.162Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://example.com/LiveContent/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<!-- Claims used for Collaborative Review authorization. Each claim type from the table above is
     AttributeNamespace + "/" + AttributeName. -->
<saml:AttributeStatement>
<!-- NameIdentifier is the "Name identifier" row of the table; bearer confirmation means
     possession of the token is the only proof of identity. -->
<saml:Subject>
<saml:NameIdentifier>user@example.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Required claims: emailaddress, givenname, surname. -->
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>user@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
<!-- Optional claims: role, group, displayname, department. -->
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
<!-- NOTE(review): this AttributeNamespace already ends in "/displayname", so namespace + name would
     read ".../claims/displayname/displayname", unlike the other attributes and the claim type listed
     in the table. Presumably the namespace should be ".../identity/claims"; confirm against the STS output. -->
<saml:Attribute AttributeName="displayname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="department" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>deducted</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<!-- Records how and when the user authenticated at the STS (Windows federation here); the subject is repeated. -->
<saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2015-11-05T09:55:42.106Z">
<saml:Subject>
<saml:NameIdentifier>user@example.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<!-- Enveloped XML signature over the assertion (Reference URI = "#" + AssertionID), RSA with SHA-256
     and a SHA-256 digest, exclusive canonicalization. Because canonicalization covers the assertion,
     any re-serialization of a real token would invalidate the digest. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_2609f1cf-a664-49eb-bffd-68ab598724e9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>deducted</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>deducted</ds:SignatureValue>
<!-- KeyInfo uses a default namespace declaration for the same xmldsig URI as the ds: prefix,
     so these unprefixed elements are in the same namespace as the rest of the signature.
     X509Certificate carries the STS signing certificate the relying party trusts. -->
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>deducted</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<!-- TokenType is the SAML 1.1 format required by Collaborative Review (see the first condition above). -->
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<!-- NoProofKey: no proof-of-possession key is issued, consistent with the bearer confirmation method above. -->
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>