This topic describes the elements and attributes that comprise the unencrypted SAML v2.0 XML sample. It identifies which elements are required, the type of data, and distinguishes between Selerix proprietary elements and attributes and those that are part of the common SAML standard.
Several standard SAML values are defined at the top of the SAML XML. Set the orange values as appropriate for your enrollment case and the type of information you are transmitting to BenSelect.
Element | Attribute | Required | Type | Description
Response | ID | Standard | String | GUID you define as part of the standard SAML response. Not used by BenSelect.
Response | IssueInstant | Yes | DateTime in UTC | Reflects when you created the SAML. All IssueInstant attribute values anywhere in the SAML should be the same.
Response | Destination | Yes | String | Your unique BenSelect enrollment URL, passing the SSO Case ID defined for the case in the path argument.
Reference | URI | Yes | String | Should match the ID attribute of the Response element.
DigestValue | | Yes | String | Base64-encoded value of the 160-bit SHA-1 digest. See: https://www.w3.org/TR/xmldsig-core/#sec-DigestValue
SignatureValue | | Yes | String | Base64-encoded value of the digital signature. See: https://www.w3.org/TR/xmldsig-core/#sec-SignatureValue
X509Certificate | | Yes | String | Base64-encoded public X.509 certificate used to verify the message signature.
<samlp:Response ID="dc7625f4-34b5-445b-80a8-fb82736958d5" Version="2.0" IssueInstant="2017-03-29T18:37:04Z"
Destination="https://benselect.com/Enroll/Login.aspx?path=BES"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">BenefitEnrollmentServices</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#dc7625f4-34b5-445b-80a8-fb82736958d5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>HRwpFkr0fXsutvKjtccTTMgOfro=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Z3guGHKpnQqNDz+Gr5dB1MSiml6kA/XlUoVXGkfr4+Xl1xd5eEdNNciSWEE3cRUA7FhB9Vg96SVT2skskyB4PUSLk3I50rnz8OMhfk+fZ789Iv2Z6dG9vXk40I/xAh9zHAOaEs01rZKJsvk/pkx2UjHI0531rAe17VnZeFg9CLE=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>[base64-encoded certificate omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
Status should always be set to Success for Identity Provider-Initiated SSO:
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
The Assertion element contains information about the SAML assertion; that is, the authentication information you send to BenSelect:
Element | Attribute | Required | Type | Description
Assertion | ID | Standard | String | GUID you define as part of the standard SAML response. Not used by BenSelect.
Assertion | IssueInstant | Yes | DateTime in UTC | Marks the beginning of the period during which the assertion is valid. It is typically the time you built the SAML XML. All IssueInstant attribute values in the SAML should be the same.
Issuer | | Standard | String | A unique and distinct value that identifies you in SAML messages.
NameID | | Standard | String | A unique and distinct value that represents the authenticated user. This is the Employee ID on the case, the same as EmployeeIdent in the Selerix data model. The employee must already be defined on the case to be recognized by the system.
SubjectConfirmationData | NotOnOrAfter | Yes | DateTime in UTC | Defines the expiration of the assertion. This should be later than the value defined for IssueInstant. This SAML example sets the period during which the assertion is valid to one hour.
SubjectConfirmationData | Recipient | Yes | String | The unique login URL provided to you by Selerix.
<saml:Assertion Version="2.0" ID="dafcd9b9-a583-4d71-bfba-e5f6d902b45b" IssueInstant="2017-03-29T18:37:04Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>BenefitEnrollmentServices</saml:Issuer>
<saml:Subject>
<saml:NameID>010449</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2017-03-29T19:37:04Z" Recipient="https://benselect.com/Enroll/Login.aspx?path=BES" />
</saml:SubjectConfirmation>
</saml:Subject>
The Conditions element defines the intended recipient of the SAML and the time frame during which the SAML assertion is valid. This validity interval limits how long a captured SAML message could be reused, in particular by unauthorized users:
Element | Attribute | Required | Type | Description
Conditions | NotBefore | Yes | DateTime in UTC | Set to a value that is earlier than the IssueInstant. This is one of the attributes that defines the period during which the assertion is valid. This value should be the same wherever it is defined in the SAML.
Conditions | NotOnOrAfter | Yes | DateTime in UTC | Set to a value that is later than the IssueInstant. This is one of the attributes that defines the period during which the assertion is valid. This value should be the same wherever it is defined in the SAML.
Audience | | Standard | String | Defines the SAML recipient. This value is not used by BenSelect.
<saml:Conditions NotBefore="2017-03-29T17:37:04Z" NotOnOrAfter="2017-03-29T19:37:04Z">
<saml:AudienceRestriction>
<saml:Audience>Selerix</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
The AuthnInstant attribute of the AuthnStatement element, a DateTime in UTC, should be the same value as IssueInstant defined elsewhere in the SAML:
<saml:AuthnStatement AuthnInstant="2017-03-29T18:37:04Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
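The consistency rules stated in the tables above (Reference URI matching the Response ID, a Success status, equal IssueInstant and AuthnInstant values, IssueInstant inside the Conditions window, matching NotOnOrAfter values, Recipient equal to Destination) as a receiver-side check. This is an added example, not Selerix code; the embedded sample is a constructed, unsigned skeleton built from the page's values, and XML signature verification is assumed to happen in a separate step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, unsigned skeleton that reuses the values from the page's sample.
SAMPLE = """<samlp:Response ID="dc7625f4-34b5-445b-80a8-fb82736958d5" Version="2.0"
 IssueInstant="2017-03-29T18:37:04Z" Destination="https://benselect.com/Enroll/Login.aspx?path=BES"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:Reference URI="#dc7625f4-34b5-445b-80a8-fb82736958d5"/></ds:SignedInfo></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="dafcd9b9-a583-4d71-bfba-e5f6d902b45b" IssueInstant="2017-03-29T18:37:04Z">
  <saml:Subject><saml:NameID>010449</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2017-03-29T19:37:04Z" Recipient="https://benselect.com/Enroll/Login.aspx?path=BES"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2017-03-29T17:37:04Z" NotOnOrAfter="2017-03-29T19:37:04Z"/>
  <saml:AuthnStatement AuthnInstant="2017-03-29T18:37:04Z"/>
 </saml:Assertion></samlp:Response>"""


def check_response(xml_text):
    """Return the list of rules from the tables above that the message violates.
    Timestamps are compared as strings, which is valid here because every value
    uses the same fixed-width UTC format (YYYY-MM-DDTHH:MM:SSZ)."""
    r = ET.fromstring(xml_text)
    a = r.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    authn = a.find("saml:AuthnStatement", NS)
    ref = r.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    status = r.find("samlp:Status/samlp:StatusCode", NS)
    issue = r.get("IssueInstant")
    problems = []
    if ref is None or ref.get("URI") != "#" + r.get("ID", ""):
        problems.append("Reference URI does not match Response ID")
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("Status is not Success")
    if not (a.get("IssueInstant") == issue == authn.get("AuthnInstant")):
        problems.append("IssueInstant and AuthnInstant values differ")
    if not (cond.get("NotBefore") < issue < cond.get("NotOnOrAfter")):
        problems.append("IssueInstant is outside the Conditions window")
    if scd.get("NotOnOrAfter") != cond.get("NotOnOrAfter"):
        problems.append("SubjectConfirmationData and Conditions NotOnOrAfter differ")
    if scd.get("Recipient") != r.get("Destination"):
        problems.append("Recipient does not match Destination")
    return problems
```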
All applicant data, regardless of the delivery medium (SAML or SOAP), must be contained in a Selerix Transmittal. Because the transmittal is a separate XML document, it must be escaped before it is embedded in the SAML; otherwise the nested markup breaks XML parsing. This is accomplished by replacing the open and close tag characters '<' and '>' with their respective entity codes '&lt;' and '&gt;', as shown in the example.
<saml:AttributeStatement>
<saml:Attribute Name="Transmittal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Transmittal
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
&lt;Agents&gt;
&lt;Agent ID="NWB0NL82" Type="Agency"&gt;
&lt;FirstName&gt;Iona&lt;/FirstName&gt;
&lt;LastName&gt;Ford&lt;/LastName&gt;
&lt;Number&gt;NWZ0NZ88&lt;/Number&gt;
&lt;Split&gt;0&lt;/Split&gt;
&lt;EnrollerType&gt;CallCenter&lt;/EnrollerType&gt;
&lt;/Agent&gt;
&lt;/Agents&gt;
&lt;Applicants&gt;
&lt;Applicant ID="010449" EmployeeID="010449"&gt;
&lt;Address&gt;
&lt;Line1&gt;8135 Brighton Early&lt;/Line1&gt;
&lt;City&gt;McKinney&lt;/City&gt;
&lt;State&gt;TX&lt;/State&gt;
&lt;Zip&gt;75075&lt;/Zip&gt;
&lt;/Address&gt;
&lt;PhoneHome&gt;1231231234&lt;/PhoneHome&gt;
&lt;Email&gt;ghnopayne@slavamail.com&lt;/Email&gt;
&lt;SSN&gt;123-12-1234&lt;/SSN&gt;
&lt;FirstName&gt;Leslie&lt;/FirstName&gt;
&lt;LastName&gt;Payne&lt;/LastName&gt;
&lt;Sex&gt;Female&lt;/Sex&gt;
&lt;Employment&gt;
&lt;HireDate&gt;2017-01-10T00:00:00&lt;/HireDate&gt;
&lt;EligibilityDate&gt;2017-04-01T00:00:00&lt;/EligibilityDate&gt;
&lt;Title&gt;Tuba Player&lt;/Title&gt;
&lt;Department&gt;Symphonics&lt;/Department&gt;
&lt;Location&gt;Uptown Center&lt;/Location&gt;
&lt;PayGroup&gt;Biweekly&lt;/PayGroup&gt;
&lt;Salary&gt;76543.00&lt;/Salary&gt;
&lt;HoursPerWeek&gt;40&lt;/HoursPerWeek&gt;
&lt;/Employment&gt;
&lt;LegalStatus&gt;Employee&lt;/LegalStatus&gt;
&lt;Relationship&gt;Employee&lt;/Relationship&gt;
&lt;BirthDate&gt;1982-03-30T00:00:00&lt;/BirthDate&gt;
&lt;UserID&gt;487662-89&lt;/UserID&gt;
&lt;/Applicant&gt;
&lt;Applicant ID="780dcc7a-f6c2-4017-8109-317b48a4b3dd"
UniqueID="780dcc7a-f6c2-4017-8109-317b48a4b3dd" EmployeeID="010449"&gt;
&lt;SSN&gt;321-32-3210&lt;/SSN&gt;
&lt;FirstName&gt;Moe&lt;/FirstName&gt;
&lt;MiddleInitial&gt;R&lt;/MiddleInitial&gt;
&lt;LastName&gt;Payne&lt;/LastName&gt;
&lt;Sex&gt;Male&lt;/Sex&gt;
&lt;LegalStatus&gt;Spouse&lt;/LegalStatus&gt;
&lt;Relationship&gt;Spouse&lt;/Relationship&gt;
&lt;BirthDate&gt;1977-02-01T00:00:00&lt;/BirthDate&gt;
&lt;/Applicant&gt;
&lt;Applicant ID="7dda9e16-0b78-42e4-b26b-d867869fcce0"
UniqueID="7dda9e16-0b78-42e4-b26b-d867869fcce0" EmployeeID="010449"&gt;
&lt;FirstName&gt;Harley&lt;/FirstName&gt;
&lt;MiddleInitial&gt;A&lt;/MiddleInitial&gt;
&lt;LastName&gt;Payne&lt;/LastName&gt;
&lt;Sex&gt;Male&lt;/Sex&gt;
&lt;LegalStatus&gt;Child&lt;/LegalStatus&gt;
&lt;Relationship&gt;Child&lt;/Relationship&gt;
&lt;BirthDate&gt;2012-05-28T00:00:00&lt;/BirthDate&gt;
&lt;/Applicant&gt;
&lt;/Applicants&gt;
&lt;/Transmittal&gt;
</saml:AttributeValue>
</saml:Attribute>
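The escaping step described above, as an added example that is not part of the original page or of Selerix's code: it shows why a verbatim paste of the Transmittal fails to parse, builds the Transmittal attribute with the entity-encoded payload, and recovers the Applicant records on the receiving side. The abbreviated Transmittal is constructed from the applicants in the sample.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed, abbreviated Transmittal based on the applicants in the sample above.
TRANSMITTAL = """<?xml version="1.0" encoding="utf-8"?>
<Transmittal>
  <Applicants>
    <Applicant ID="010449" EmployeeID="010449"><FirstName>Leslie</FirstName></Applicant>
    <Applicant ID="780dcc7a-f6c2-4017-8109-317b48a4b3dd" EmployeeID="010449"><FirstName>Moe</FirstName></Applicant>
  </Applicants>
</Transmittal>"""


def naive_embed_is_malformed(transmittal_xml):
    """Pasting the Transmittal in verbatim yields a document no XML parser accepts:
    an XML declaration is not allowed anywhere but the start of the entity."""
    raw = f'<saml:AttributeValue xmlns:saml="{SAML_NS}">{transmittal_xml}</saml:AttributeValue>'
    try:
        ET.fromstring(raw)
        return False
    except ET.ParseError:
        return True


def transmittal_attribute(transmittal_xml):
    """Build <saml:Attribute Name="Transmittal"> with the Transmittal as escaped text.
    ElementTree escapes '<', '>' and '&' in text nodes, so the serialized result
    carries the &lt;...&gt; form described on the page."""
    ET.register_namespace("saml", SAML_NS)
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", Name="Transmittal", NameFormat=BASIC)
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = transmittal_xml
    return ET.tostring(attr, encoding="unicode")


def applicant_employee_ids(attribute_xml):
    """Receiving side: the SAML parser turns the entities back into markup, and the
    recovered text is then parsed as a standalone Transmittal document."""
    value = ET.fromstring(attribute_xml).find(f"{{{SAML_NS}}}AttributeValue").text
    transmittal = ET.fromstring(value.encode("utf-8"))
    return [app.get("EmployeeID") for app in transmittal.iter("Applicant")]
```

Every EmployeeID recovered this way should equal the NameID of the assertion, since the page states that NameID is the Employee ID on the case.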
Attribute elements are defined in the SAML standard to provide a way to attach additional information in the form of name-value pairs. SAML attributes are the means by which SAML extends from an authentication standard into a data transmission envelope, and Selerix uses them to embed applicant and enrollment information in the SAML. In addition to the Selerix-specific attributes defined below, you may use custom SAML attributes to embed any additional information you wish. If BenSelect does not recognize a particular attribute, it is simply ignored. Values in green identify Selerix proprietary attribute names. Set the orange values as appropriate for your enrollment case and the type of information you are transmitting to BenSelect.
Element | Attribute | Required | Type | Description
Attribute | GroupNumber | Optional | String | A string that uniquely identifies your enrollment group.
Attribute | EnrollerID | Optional | String | ID BenSelect uses to identify the enroller associated with the enrollment.
Attribute | SAMLReturnUrl | Optional | String | Defines the URL to which BenSelect should redirect the user once the enrollment is complete. BenSelect posts the enrollment data to this URL in the return SAML, using a Selerix transmittal attribute.
<saml:Attribute Name="GroupNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>YourGroupIdentifier</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="EnrollerID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>NWB0NL82</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="SAMLReturnUrl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>https://www.YourReturnURL.com/SSOResponse.aspx?vendor=Selerix</saml:AttributeValue>
</saml:Attribute>
If an optional KeepAliveUrl attribute is defined in the SAML, BenSelect will post a signal to this URL periodically to indicate that the enrollment is still in progress and the session should remain active. When used, also include a value for KeepAliveTimeout, which specifies the interval in milliseconds at which the "keep alive" site is signaled.
<saml:Attribute Name="KeepAliveURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>http://YourKeepAliveURL.com/KeepAlive.aspx?SSOID=2112</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="KeepAliveTimeout" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>3000</saml:AttributeValue>
</saml:Attribute>
With the exception of the Enroller attribute, the SAML attributes below allow you to control specific user interface elements of a BenSelect enrollment. These have the same effect as arguments in a BenSelect SOAP enrollment URL. Most attributes listed below expect a value of either "yes" or "no", as shown in the examples.
Element | Attribute | Required | Type | Description
Attribute | Welcome | Optional | String | Display the introductory "Welcome to the enrollment" page.
Attribute | PersonalInfo | Optional | String | Display the family's demographic information and allow the applicant to change information before enrollment begins.
Attribute | BenefitSnapshot | Optional | String | Display the benefits in which the family is currently enrolled before enrollment begins.
Attribute | Review | Optional | String | Display a confirmation page after each plan enrollment.
Attribute | FirstPlan | Optional | String | Defines the first plan that BenSelect will show when enrollment begins. Set the AttributeValue to the plan tag name defined on the case.
Attribute | Enroller | Optional | String | Indicates that an enroller is involved with the enrollment.
Attribute | TopMenu | Optional | String | Display the BenSelect main menu.
Attribute | Sidebar | Optional | String | Display the enrollment status panel, typically shown on the right, for each plan in the enrollment.
Attribute | HeaderAndFooter | Optional | String | Display the information typically shown above and below the main enrollment body of the page.
<saml:Attribute Name="Welcome" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>yes</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="PersonalInfo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="BenefitSnapshot" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Review" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>yes</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstPlan" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>TMK_UL</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Enroller" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="TopMenu" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Sidebar" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="HeaderAndFooter" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>no</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>