RealMe

RealMe login service Messaging Test Site

About SAML v2.0 AuthnRequest

A RealMe login service SAML v2.0 AuthnRequest is sent from a SAML Service Provider (SP) and initiates a SAML v2.0 response at the MTS IdP.

As the majority of integrations use products or code libraries that comply with the OASIS SAML v2.0 standard, developers should focus on the RealMe requirements that differ in some way from the OASIS Standard or have additional NZ specific constraints.

The following list of the key RealMe SAML message request parameters highlights the ones that are most likely to need close attention. Refer to RealMe request parameters for more detail.

  1. Issuer – identifies which Service Provider has sent the AuthnRequest. It should conform to the recommended RealMe three-part format used for the entityID in the SP metadata, and the MTS matches it against that metadata.
  2. AllowCreate (within NameIDPolicy) – when set to false, informs the IdP that the user is in the returning-user process and must have previously completed the agency's registration process.
  3. Format (within NameIDPolicy) – the RealMe login service format is "persistent", but "unspecified" is also permitted in the AuthnRequest.
  4. RequestedAuthnContextClassRef – tells the IdP what strength of authentication the SP requires. The RealMe login service uses custom values, for example:
    urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength
  5. Comparison (within RequestedAuthnContext) – the recommended value is "exact".
  6. AssertionConsumerServiceIndex – rather than carrying a URL, this index points at the corresponding AssertionConsumerService entry in the SP's SAML metadata, which is how the IdP learns the SP endpoint to return the Response to.
  7. RelayState – this optional parameter may be provided for private use by the Service Provider to maintain session state across the round trip. It must not exceed 80 bytes in length and should be integrity protected by the Service Provider (for example an opaque session reference with an HMAC tag), since it comes back unchanged in the Response and must not be trusted blindly.

The request is sent with the OASIS HTTP-Redirect binding: the AuthnRequest XML is DEFLATE-compressed, base64 encoded and URL encoded into the SAMLRequest query parameter. The signature is then computed over the query string formed from SAMLRequest, RelayState (only if present in the request) and SigAlg, in that order, each value URL encoded and the SigAlg value being the URL representation of the signature algorithm. The resulting Signature is base64 and URL encoded and appended as a further query parameter. Note that the IdP verifies the signature over the exact octets it receives, so any re-encoding of the query string in transit will fail validation. A sample SAML v2.0 AuthnRequest is shown below:
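The following Python is an added example, not the MTS's or RealMe's own code or the page's sample. It builds an AuthnRequest carrying the parameters listed above (persistent NameID format, AllowCreate=false for a returning user, Comparison="exact", the LowStrength class reference quoted on the page, an ACS index rather than a URL), applies the HTTP-Redirect encoding, produces an integrity-protected RelayState under the 80-byte limit, and assembles the exact SAMLRequest/RelayState/SigAlg string the SP signs. The issuer, destination, endpoint and RelayState secret are placeholders (assumptions), and the optional RSA signing step assumes the third-party `cryptography` package; everything else is standard library.

```python
"""Build and encode a RealMe-style SAML v2.0 AuthnRequest for the HTTP-Redirect binding.

Added example, not RealMe's or the MTS's own code. The issuer, destination,
endpoint and RelayState secret are placeholders (assumptions); the LowStrength
class reference is the URN quoted on the page.
"""
import base64
import hashlib
import hmac
import time
import uuid
import zlib
from urllib.parse import quote
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
LOW_STRENGTH = "urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RELAY_STATE_MAX_BYTES = 80


def build_authn_request(issuer, destination, acs_index=0, allow_create=False,
                        authn_class=LOW_STRENGTH, request_id=None, issue_instant=None):
    """Serialise an AuthnRequest carrying the parameters the page calls out.

    allow_create=False marks a returning user (must already be registered with
    the agency); the ACS index refers to an entry in the SP metadata, not a URL.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "Destination": destination,
        "AssertionConsumerServiceIndex": str(acs_index),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer  # schema order: Issuer first
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": NAMEID_PERSISTENT,
        "AllowCreate": "true" if allow_create else "false",
    })
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_class
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def redirect_decode(saml_request_b64):
    """Inverse of redirect_encode; what the IdP does before schema validation."""
    return zlib.decompress(base64.b64decode(saml_request_b64), -15).decode("utf-8")


def make_relay_state(session_ref, secret):
    """RelayState = opaque session reference + truncated (128-bit) HMAC-SHA256 tag."""
    tag = hmac.new(secret, session_ref.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    relay_state = f"{session_ref}.{tag}"
    if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        raise ValueError("RelayState exceeds 80 bytes")
    return relay_state


def verify_relay_state(relay_state, secret):
    """Return the session reference if the tag checks out, else None."""
    session_ref, _, tag = relay_state.rpartition(".")
    expected = hmac.new(secret, session_ref.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    return session_ref if tag and hmac.compare_digest(tag, expected) else None


def redirect_signing_input(saml_request_b64, relay_state=None, sig_alg=SIG_ALG):
    """The exact octets the SP signs: SAMLRequest, then RelayState (if any), then
    SigAlg, each value URL encoded and joined with '&'. Any re-encoding in
    transit changes these octets and the IdP's signature check fails."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{name}={quote(value, safe='')}" for name, value in parts)


def sign_redirect_query(signing_input, private_key_pem):
    """Append &Signature= (RSA PKCS#1 v1.5 with SHA-256, matching SIG_ALG). Assumes the
    third-party 'cryptography' package; imported lazily so the rest runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "&Signature=" + quote(base64.b64encode(sig).decode("ascii"), safe="")


if __name__ == "__main__":
    # Placeholder identifiers (assumptions), not real RealMe or MTS values.
    xml = build_authn_request("https://sp.example.govt.nz/realme/login/mts",
                              "https://mts.example.realme.govt.nz/login")
    relay_state = make_relay_state("sess-" + uuid.uuid4().hex[:12], b"sp-relaystate-key")
    query = redirect_signing_input(redirect_encode(xml), relay_state)
    print("https://mts.example.realme.govt.nz/login?" + query + "&Signature=<base64>")
```

When the Response comes back, pass the returned RelayState through verify_relay_state before using it to look up session state; a value that fails the tag check should be treated as tampered rather than as a lost session.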

You can submit the content of the SAMLRequest here.

Or send a request directly from your browser by appending your SAMLRequest (with RelayState, SigAlg and Signature) as the query string of the MTS single sign-on endpoint URL, as provided in the RealMe login service IdP metadata file.

Once your SAML v2.0 AuthnRequest passes SAML v2.0 messaging validation, schema validation and signature validation, you are redirected to an outcome page, where you can initiate a SAML v2.0 Response.

If your SAML v2.0 AuthnRequest does not pass validation, the relevant error messages are provided to assist you in resolving the error, so you can try again.