About SAML v2.0 Request

A SAML v2.0 Request is sent from a SAML Service Provider (SP) and initiates a SAML v2.0 response at the MTS IdP.

As the majority of integrations use products or code libraries that comply with the OASIS SAML v2.0 standard, developers should focus on the RealMe requirements that differ in some way from the OASIS Standard or have additional NZ specific constraints.

The following list of the key RealMe SAML message request parameters highlights the ones that are most likely to need close attention. Refer to RealMe request parameters for more detail.

1. Issuer - identifies which Service Provider has sent the AuthnRequest. This should conform to the recommended RealMe three-part format used for entityID in the metadata.
2. Format (within NameID policy) - the RealMe assertion service format is "transient", but "unspecified" is also permitted in the request.
3. RequestedAuthnContextClassRef - this tells the IdP what level of authentication can be used. RealMe uses custom values; for assertion, the value is always: urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength
4. AssertionConsumerServiceIndex - this indirectly informs the IdP where to return the AuthnResponse according to the corresponding values in the SAML metadata including the SP endpoint.
5. RelayState - this optional parameter may be provided for private use by the Service Provider to maintain the session state. It must not exceed 80 bytes in length and should be integrity protected by the Service Provider.

The signature is generated by signing the base64 and URL encoded request combined with the RelayState (if present in the assertion request) and the URL representation of the signature algorithm. A sample SAML v2.0 assertion request is shown below.

SAMLRequest=fVLbitswEP0Vo3fHl6yXdIgDIaElsNuW9dKHvgl5kghkSdWMt8l%2BfaV0XQxd9kkwOodzmVmTHIyH7chn%2B4S%2FRiTOLoOxBOmjFWOw4CRpAisHJGAF3fbxAepFCZIIA2tnxYziP%2Bb44NgpZ0S2ndg7Z2kcMHQYXrTCg%2B3x0opSZPtoRluZMK04M3uCohiYFgGlGXBxci%2B8sK9pVHTdt%2FTmuvciO%2BxbIVeru7qWsm9Uv8SmaY6rpizL5V29On66b6qIIhqjGrG03Iq6rOq8qvL6%2FrlcQrOEqvkpsh8Y6CYfvYvNOgWEGy9sJkNx5g3m5At5QquuhfS%2BWhdz6PpvyV9jG4f9d2e0umZbY9zvXUzC2AoOI4rsswuD5I%2F7SxPd58cbFDhISxotR2%2FF%2FyKT8Ntisb%2BtOfbNeOFs5wYvg6YUDy9S8RRwjtqZuOUnPG6SKftqIJUOWjEQ9wQyQaFHb9x1iD7gy0M3OxAFKvFjhkfXdxzQnvj81s27KlOKdx3%2F%2B51f6%2BYP&RelayState=SzQzTjK0NDCxMDVITTY2N0gxNTAwMTFPMzROS0o0MDAAAA%253D%253D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=SG%2FxzKbR4J%2FdydnCa6QjBUtABJk%2BuoB1x9ho827hgnBFz9sx80OnyX0XI0fk3Xjyz1lI8uNs9e8BR8w%2BSXxAPf%2FNNaOOuk47ES7aa37dQKks16iPhIpXUm76T6hAMCa8RkoQJp0316iNgqN5OyN8HMC8zvebMtimEnET2yeuMe1lw%2BE%2BHdbO%2BWFdBDmyZWDY2KddoxYzwltwnSJWct5fr0se1McxYJ7i6Y%2BrEIfjKzLP%2BUtV%2B3XiJkYrLN8E78AlTYY9yAjqSi0YtZuPaanGUIhN3AulyaYBXSv%2Bm%2FAVjAdpcrQbnGY0lndj9jR91r%2B3JlBlRUYY5gKrk8GX05QrcQ%3D%3D

You can submit the content of the SAMLRequest here.

Or send a request directly from your browser by appending your SAML Request to the MTS endpoint (as provided in the RealMe assertion service IdP metadata file).

Once your SAML v2.0 assertion request passes successful SAML v2.0 messaging validation, schema validation and signature validation, you are redirected to an outcome page, so that you can initiate a SAML v2.0 response.

If your SAML v2.0 assertion request does not pass validation, the relevant error messages are provided to assist you in resolving the error, so you can try again.