SAML assertion example

This topic refers to functionality that is only available to accounts on the Quick Base Platform or Quick Base Unlimited plans. If you do not see the functionality described here, either your account or realm has not been configured to show it, or your account is not on one of those plans.

The SAML assertion (the packet of security information the IdP sends) must be well formed and must carry the data Quick Base uses to identify the user: a NameID plus the FirstName, LastName, and EmailAddress attributes. The origin and integrity of that information are established by an XML signature, whose KeyInfo carries the IdP's X.509 public certificate. Either the entire response message or the assertion must be signed.

Best practice: For the strongest security, Quick Base recommends signing the entire message.

The following is an example of a SAML response for a newly provisioned Quick Base ID. The whole message is signed: the Signature element is a direct child of samlp:Response, and its Reference URI is the ID of the Response itself.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64" Version="2.0" IssueInstant="2011-03-23T21:54:50.415Z">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.acme.com/SAML2IdentityProvider/</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
                    </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>i17i0FeuWOQE1RQd2DgJhN2Q8A4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>KqzSp8jCK7LEAg6wqLAGYGDqwB1B4O6LRpqYcY1kH8yIDOyKFt9pu2pA3glxXN516dtg5VrmrJLxxE9G7zDxZbgyUOuHU1sg+WcNDqV0l3zIdCYZViPRmwpJSwQ5ljrI+GE22zPi8go0GCpvvSetc2p0b6BaApJp9Fw9wbY1tUU=</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIBnjCCAQcCBEbTmdAwDQYJKoZIhvcNAQEEBQAwFjEUMBIGA1UEAxMLd3d3LmlkcC5jb20wHhcNMDcwODI4MDM0MzEyWhcNMTcwODI1MDM0MzEyWjAWMRQwEgYDVQQDEwt3d3cuaWRwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo31q3mJZayXfZkLDuLcnanc/KG+RDFW+OlYDP+RubvWnt8X5jtiUTcp8IQ46TNEUFskmsonUb5AnG+zOCcawb2dJr8kBtCNhfi/TufZGBQNjuAxNMi34yIgRdGinaznHgclrAIIZTyKerQqYjPL1xRDsFGpzqGGi/2opzN8nV5kCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBmNwFN+98aybuQKFJFr69s9BvBVYtk+Hsx3gx0g4e5sLTlkcSU03XZ8AOet0my4RvUspaDRzDrv+gEgg7gDP/rsVCSs3dkuYuUvuWbiiTq/Hj4EKuKZa8nIerZ3Oz4Xa1/bK88eT7RVsv5bMOxgJbSEvTidTvOpV0G13duIqyrCw==</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1a85cc6-8c19-4036-b868-9dee488dcaad" IssueInstant="2011-03-23T21:54:50.415Z">
        <saml:Subject>
            <saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2011-03-23T21:54:50.415Z"/>
        <saml:AttributeStatement>
            <saml:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>first_last@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>First</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>Last</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
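The checks a service provider performs on a response like the one above before it trusts the NameID and attributes, as an added Python example that is not part of the original page and not Quick Base's code. It runs on a constructed copy of the response above in which the digest, signature and certificate values are replaced by placeholders, so cryptographic verification of the signature is deliberately out of scope (delegate that to an XML Signature library such as xmlsec or signxml). What it does check is the part such libraries often leave to the caller: that the status is Success, that the Issuer matches an expected value (the issuer check and its value are assumptions, not something the page describes), that exactly one Assertion is present, that the enveloped Signature's single Reference names the ID of the element that directly contains it (the whole Response or the Assertion, the two scopes the page allows) and that this ID occurs exactly once in the document, that a NameID is present, and that the three required attributes are present. It also flags the rsa-sha1 and sha1 algorithms used in the example, since SHA-1 is deprecated for XML signatures and an IdP should be configured for rsa-sha256 and sha256 where supported.

```python
"""Structural checks on a SAML 2.0 Response (added example; not Quick Base code).
DigestValue/SignatureValue are NOT verified here; delegate that to an XML-DSig library."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRIBUTES = ("EmailAddress", "FirstName", "LastName")
SHA1_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample: the page's response with digest, signature and certificate
# values replaced by placeholders, and the attribute elements on single lines.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64" Version="2.0" IssueInstant="2011-03-23T21:54:50.415Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.acme.com/SAML2IdentityProvider/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>DIGEST-PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>SIGNATURE-PLACEHOLDER</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>CERT-PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1a85cc6-8c19-4036-b868-9dee488dcaad" IssueInstant="2011-03-23T21:54:50.415Z">
    <saml:Subject><saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>first_last@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>First</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Last</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, expected_issuer):
    """Return a dict with ok, errors, warnings, signed_scope, nameid and attributes."""
    root = ET.fromstring(xml_text)
    errors, warnings, scopes = [], [], set()
    result = {"signed_scope": None, "nameid": "", "attributes": {}}
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "errors": ["root element is not samlp:Response"], "warnings": [], **result}

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:  # assumed check: only accept the configured IdP
        errors.append("unexpected Issuer %r" % issuer)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        errors.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    assertion = assertions[0] if len(assertions) == 1 else None
    if assertion is None:
        errors.append("expected exactly one saml:Assertion, found %d" % len(assertions))

    # Signature scope: the page allows signing the whole Response or the Assertion.
    # For an enveloped signature the single Reference must name the ID of the element
    # that directly contains the Signature, and that ID must be unique in the document.
    signatures = list(root.iter("{%s}Signature" % NS["ds"]))
    if not signatures:
        errors.append("no ds:Signature element")
    for sig in signatures:
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) != 1:
            errors.append("Signature must contain exactly one Reference")
            continue
        uri = refs[0].get("URI", "")
        ref_id = uri[1:] if uri.startswith("#") else None
        holders = [el for el in root.iter() if ref_id and el.get("ID") == ref_id]
        if len(holders) != 1:
            errors.append("Reference %r must match exactly one ID in the document" % uri)
        elif holders[0] is root and sig in list(root):
            scopes.add("message")
        elif holders[0] is assertion and sig in list(assertion):
            scopes.add("assertion")
        else:
            errors.append("Reference %r does not cover the element enclosing the Signature" % uri)
        algorithms = {el.get("Algorithm") for el in sig.iter() if el.get("Algorithm")}
        if algorithms & SHA1_ALGORITHMS:
            warnings.append("signature uses SHA-1 (rsa-sha1/sha1); prefer rsa-sha256 and sha256")
    result["signed_scope"] = "message" if "message" in scopes else ("assertion" if scopes else None)

    if assertion is not None:
        result["nameid"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        if not result["nameid"]:
            errors.append("missing NameID")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            result["attributes"][attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        for name in REQUIRED_ATTRIBUTES:
            if not result["attributes"].get(name):
                errors.append("missing required attribute %s" % name)
    return {"ok": not errors, "errors": errors, "warnings": warnings, **result}
```

The reason the scope check is stricter than "some element with that ID exists" is XML Signature Wrapping: if the verifier only looks up the referenced ID, an attacker can move the genuinely signed element elsewhere in the document and place an unsigned Assertion where the parser reads it. Requiring the Reference to name the element that encloses the Signature, and requiring that ID to be unique, means the bytes the library verifies are the bytes the application consumes.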

NameID

Quick Base uses the NameID element to match the assertion to a specific user. Its value is the user's UID, which the IdP supplies in the SAML assertion. The UID must be unique to one employee/user and must stay associated with that same user.

Once Quick Base has parsed the SAML assertion and verified its signature and contents, it sets a temporary Quick Base session cookie in the user's browser and redirects the user to the Quick Base home page.

X.509 public certificate file

The IdP signs the SAML assertion (or the whole response) with its private key before sending it to Quick Base. The IdP's X.509 certificate holds the matching public key; Quick Base uses the certificate file you provide to verify that signature.

Note: The file must have a .cer file extension.

AttributeStatement

Quick Base uses several required user fields to identify, update, or provision the user in Quick Base.

Note: New users authenticated by the IdP through SAML are automatically provisioned in the Realm Directory as Approved.

These fields are required, as SAML attributes, in every SAML assertion. User information in Quick Base is always updated with the values sent in the latest SAML assertion, which keeps the user information in Quick Base consistent and accurate.

Field description: Email address
SAML attribute name: EmailAddress
Required: Yes
Notes:

  • Used to map the SAML assertion to an existing Quick Base user in your realm, or to create a new user in Quick Base.

  • Must be unique at any given time.

  • The Quick Base user profile is updated if this value changes.

Field description: User's first name
SAML attribute name: FirstName
Required: Yes
Notes: Used to create or update the user profile in Quick Base.

Field description: User's last name
SAML attribute name: LastName
Required: Yes
Notes: Used to create or update the user profile in Quick Base.

Setting the SAML session timeout

Quick Base honors the NotOnOrAfter attribute of the SAML assertion, so the IdP can control how long a user's session lasts. NotOnOrAfter is a validity attribute the IdP sets inside the signed assertion (on its saml:Conditions element); it is not a field of the X.509 certificate.

You can control session timeouts through the NotOnOrAfter attribute of the assertion or through the Quick Base Admin Console, on the Policies page.

Precedence: if the assertion carries NotOnOrAfter, Quick Base uses that value for the session timeout. If it does not, Quick Base uses your realm policies. If no realm policy has been set, Quick Base uses the default of 720 minutes (12 hours).
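The precedence rule above, as an added Python example that is not Quick Base's code: it reads NotOnOrAfter (and NotBefore) from the assertion's saml:Conditions element, rejects an assertion whose validity window has not started or has already passed, and otherwise returns the session expiry from, in order, NotOnOrAfter, the realm policy value passed in, or the 720-minute default. The three-minute clock-skew allowance and the two sample assertions are constructed for the example; the page does not state what tolerance Quick Base applies.

```python
"""Session expiry for a SAML login (added example; not Quick Base code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_SESSION_MINUTES = 720       # the page's default when no realm policy is set
CLOCK_SKEW = timedelta(minutes=3)   # assumed tolerance for IdP/SP clock drift; not a Quick Base setting

# Constructed samples: an assertion with a Conditions element and one without.
ASSERTION_WITH_CONDITIONS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1a85cc6-8c19-4036-b868-9dee488dcaad" IssueInstant="2011-03-23T21:54:50.415Z">
  <saml:Conditions NotBefore="2011-03-23T21:54:50.415Z" NotOnOrAfter="2011-03-24T05:54:50.415Z"/>
  <saml:Subject><saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID></saml:Subject>
</saml:Assertion>"""
ASSERTION_WITHOUT_CONDITIONS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1a85cc6-8c19-4036-b868-9dee488dcaad" IssueInstant="2011-03-23T21:54:50.415Z">
  <saml:Subject><saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime such as 2011-03-23T21:54:50.415Z into an aware UTC datetime."""
    instant = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return instant if instant.tzinfo else instant.replace(tzinfo=timezone.utc)


def session_expiry(assertion_xml, now, realm_policy_minutes=None):
    """Return the session expiry time, or raise ValueError if the assertion is not currently valid.

    Precedence as the page describes it: the assertion's NotOnOrAfter, then the realm
    policy from the Admin Console, then the 720-minute default. `now` must be tz-aware.
    """
    root = ET.fromstring(assertion_xml)
    # Works for a bare Assertion or for a Response that wraps one.
    conditions = root.find(".//saml:Conditions", SAML_NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None

    if not_before and now + CLOCK_SKEW < parse_saml_instant(not_before):
        raise ValueError("assertion is not yet valid (NotBefore=%s)" % not_before)
    if not_on_or_after:
        expiry = parse_saml_instant(not_on_or_after)
        if now - CLOCK_SKEW >= expiry:
            raise ValueError("assertion has expired (NotOnOrAfter=%s)" % not_on_or_after)
        return expiry                                               # IdP-controlled session length
    if realm_policy_minutes is not None:
        return now + timedelta(minutes=realm_policy_minutes)        # realm policy
    return now + timedelta(minutes=DEFAULT_SESSION_MINUTES)         # default
```

Note that the expiry check happens before the session is created: an assertion whose NotOnOrAfter is already in the past is a replay or a stale login and must be rejected, not given a session that ends immediately.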
