Selerix Developer Tools
SAML v.1.1 Elemental Breakdown

This topic describes the elements and attributes that make up the SAML v1.1 XML template. It identifies which elements are required and what type of data each carries, and distinguishes Selerix proprietary elements and attributes from those that are part of the common SAML standard.

Several standard SAML values are defined at the top of the SAML XML. Set the orange (highlighted) values as appropriate for your enrollment case and the type of information you are transmitting to BenSelect.

 

| Element | Attribute | Required | Type | Description |
|---|---|---|---|---|
| Response | ResponseID | Standard | String | GUID you define as part of the standard SAML response. Not used by BenSelect. |
| Response | IssueInstant | Yes | DateTime in UTC | Reflects when you created the SAML. All IssueInstant attribute values anywhere in the SAML should be the same. |
| Reference | URI | Yes | String | Must equal the Response element's ResponseID value prefixed with "#", so the enveloped signature refers back to the Response it signs. |
| DigestValue | | Yes | String | Base64-encoded value of the 160-bit SHA-1 digest. See: https://www.w3.org/TR/xmldsig-core/#sec-DigestValue |
| SignatureValue | | Yes | String | Base64-encoded value of the digital signature. See: https://www.w3.org/TR/xmldsig-core/#sec-SignatureValue |
| X509Certificate | | Yes | String | Base64-encoded public X.509 certificate used to verify the message signature. |

 

<samlp:Response ResponseID="_4ace8045-32aa-4805-a4f2-e51919c40af1"
   MajorVersion="1" MinorVersion="1" IssueInstant="2017-04-07T01:09:33Z"
   Recipient="SamlResponse.aspx" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_4ace8045-32aa-4805-a4f2-e51919c40af1">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>feZk610FUF5wHr+1Git4EfsvhhI=</DigestValue>
      </Reference>
    </SignedInfo>

    <SignatureValue>
cJ0FPDLTW+7vs/pE8zxFSDFRd03VIt2BJnDRpyDNybN7QkHvjPHkq1/6m7HnTiLcI0jEQVDkpqdzW+asd/Kqyq
962MqZcLxAkjLKpkzRuD4pLTTZ7GsByZccKdwVmU8G570ZHjkcc1ajj8mLj4Dm2M/VhBXK+oqd0EaOXchTI0U=
    </SignatureValue>

    <KeyInfo>
      <X509Data>
        <X509Certificate>
MIIB5TCCAVKgAwIBAgIQgQAWTFMQ7rZJDOMj3T9bHDAJBgUrDgMCHQUAMBExDzANBgNVBAMTBkNsaWVudDAeF
w0xMTAxMTEyMjQ1MzNaFw0zOTEyMzEyMzU5NTlaMBExDzANBgNVBAMTBkNsaWVudDCBnzANBgkqhkiG9w0BAQE
FAAOBjQAwgYkCgYEAwEHg0tEGceEqBdFr1EUch9vGVTuY8+q3E7W3cu1jL34m3GxTNv2cUJ8dbcsVDQ4nqypBR
7e9nyTR6SPxzsjpEIr7dMPDEaPWEcdBCfAY4eyFHAHJcUT/vw1ShRPtuxbhvVFdp1az/39ujGZRpgduh+S8MCS
x9LBN87EAWNNZskkCAwEAAaNGMEQwQgYDVR0BBDswOYAQLTNwQk+X6LQKOtzxLxvc9qETMBExDzANBgNVBAMTB
kNsaWVudIIQgQAWTFMQ7rZJDOMj3T9bHDAJBgUrDgMCHQUAA4GBAFg7kxL6KuAHpVX0tZXnFQUqja8k/D7xrpk
2bNoAsxEJ8VMcmb2fZEmLlvn4Zb0jqpVVx9bbLvUwCWNusoNbV9ZY/hGdYg+BN/SxjfQ1Z+Ni85R6Ett53ZxKv
/aM92WAIyQarV6FznFwhfDhYeBzoPVKfOcbXp0VOZm+XkCkRfNb
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

 

 

Status should always be set to Success for Identity Provider-Initiated SSO:

 

<samlp:Status>
  <samlp:StatusCode Value="samlp:Success" />
</samlp:Status>

 

The Assertion element contains the SAML assertion and is the main body of a SAML v1.1 message. The elements that follow are all children of the Assertion element.

The Conditions attributes below define the time interval during which the assertion is valid; a short window limits how long an intercepted assertion can be replayed, which is how the template guards against man-in-the-middle attacks:

 

| Element | Attribute | Required | Type | Description |
|---|---|---|---|---|
| Assertion | AssertionID | Standard | String | GUID you define as part of the standard SAML response. Not used by BenSelect. |
| Assertion | Issuer | Standard | String | A unique and distinct value that identifies you in SAML messages. |
| Assertion | IssueInstant | Yes | DateTime in UTC | Marks the beginning of the period during which the assertion is valid. It is typically the time you built the SAML XML. All IssueInstant attribute values in the SAML should be the same. |

 

<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_c2cef51a-e92b-4390-94dd-9f13d5d00df8"
  Issuer="Vendor" IssueInstant="2017-04-07T01:09:33Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <!-- The validity window must contain the IssueInstant (here one hour either side of it). -->
  <saml:Conditions NotBefore="2017-04-07T00:09:33Z" NotOnOrAfter="2017-04-07T02:09:33Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>Selerix</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>

 

The AuthenticationStatement element contains information about the SAML assertion; that is, the authentication information you send to BenSelect:

 

| Element | Attribute | Required | Type | Description |
|---|---|---|---|---|
| AuthenticationStatement | AuthenticationInstant | Yes | DateTime in UTC | Marks the beginning of the period during which the assertion is valid. It is typically the time you built the SAML XML and should match the IssueInstant values elsewhere in the SAML. |
| NameIdentifier | | Standard | String | A unique and distinct value that represents the authenticated user. This is the Employee ID on the case, the same as EmployeeIdent in the Selerix data model. The employee must already be defined on the case to be recognized by the system. |

 

    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
      AuthenticationInstant="2017-04-07T01:09:33Z">
      <saml:Subject>
        <saml:NameIdentifier NameQualifier="" Format="">131193</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          <saml:SubjectConfirmationData>
          </saml:SubjectConfirmationData>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>

 

 

Attribute elements are defined in the SAML standard as a way to attach additional information as name-value pairs. SAML attributes are the means by which the SAML authentication standard extends into a data transmission envelope, and Selerix uses them to embed applicant and enrollment information in the SAML. In addition to the Selerix-specific attributes defined below, you may use custom SAML attributes to embed any additional information you wish; if BenSelect does not recognize a particular attribute, it is simply ignored. Values in green identify Selerix proprietary attribute names. Set the orange values as appropriate for your enrollment case and the type of information you are transmitting to BenSelect.

 

| Element | Attribute | Required | Type | Description |
|---|---|---|---|---|
| Attribute | GroupNumber | Optional | String | A string that uniquely identifies the enrollment group. |
| Attribute | EnrollerID | Optional | String | A string that uniquely identifies the Enroller. |
| Attribute | SAMLReturnUrl | Optional | String | The URL to which BenSelect redirects the user once the enrollment is complete. BenSelect posts the enrollment data to this URL in the return SAML, using a Selerix transmittal attribute. |
| Attribute | KeepAliveUrl | Optional | String | If this optional attribute is defined in the SAML, BenSelect periodically posts a signal to this URL to indicate that the enrollment is still in progress and the session should remain active. |
| Attribute | KeepAliveTimeout | Optional | String | Used together with KeepAliveUrl; the interval, in milliseconds, at which BenSelect signals the keep-alive URL. |

 

 

    <saml:AttributeStatement>
      <saml:Attribute AttributeName="GroupNumber" AttributeNamespace="">
        <saml:AttributeValue>YourGroupIdentifier</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="EnrollerID" AttributeNamespace="">
        <saml:AttributeValue>NWB0NL82</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="SAMLReturnUrl" AttributeNamespace="">
        <saml:AttributeValue>https://www.YourReturnURL.com/SSOResponse.aspx?vendor=Selerix</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="KeepAliveURL" AttributeNamespace="">
        <saml:AttributeValue>http://YourKeepAliveURL.com/KeepAlive.aspx?SSOID=2112</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="KeepAliveTimeout" AttributeNamespace="">
        <saml:AttributeValue>3000</saml:AttributeValue>
      </saml:Attribute>

 

The SAML attributes below allow you to control specific user interface elements of the BenSelect enrollment. They have the same effect as arguments in a BenSelect SOAP enrollment URL. Most attributes listed below expect a value of either "yes" or "no", as shown in the examples.

 

| Element | Attribute | Required | Type | Description |
|---|---|---|---|---|
| Attribute | Welcome | Optional | String | Display the introductory "Welcome to the enrollment" page. |
| Attribute | PersonalInfo | Optional | String | Display the family's demographic information and allow the applicant to change it before enrollment begins. |
| Attribute | BenefitSnapshot | Optional | String | Display the benefits in which the family is currently enrolled before enrollment begins. |
| Attribute | Review | Optional | String | Display a confirmation page after each plan enrollment. |
| Attribute | FirstPlan | Optional | String | Defines the first plan BenSelect shows when enrollment begins. Set the AttributeValue to the plan tag name defined on the case. |
| Attribute | Enroller | Optional | String | Indicates that an enroller is involved in the enrollment. |
| Attribute | TopMenu | Optional | String | Display the BenSelect main menu. |
| Attribute | Sidebar | Optional | String | Display the enrollment status panel, typically shown on the right, for each plan in the enrollment. |
| Attribute | HeaderAndFooter | Optional | String | Display the information typically shown above and below the main enrollment body of the page. |

 

 

      <saml:Attribute AttributeName="Welcome" AttributeNamespace="">
        <saml:AttributeValue>yes</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="PersonalInfo" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="BenefitSnapshot" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="Review" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="FirstPlan" AttributeNamespace="">
        <saml:AttributeValue>TMK_UL</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="Enroller" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="TopMenu" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="Sidebar" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute AttributeName="HeaderAndFooter" AttributeNamespace="">
        <saml:AttributeValue>no</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

  </saml:Assertion>
</samlp:Response>
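As an added example (not Selerix or BenSelect code), the checks a relying party applies to the fields described in the tables above, written with the Python standard library against a constructed sample response: the Reference URI must point at the ResponseID, Status must be Success, the IssueInstant and AuthenticationInstant values must agree, the current time must fall inside the Conditions window, the Audience must be the expected one, and a NameIdentifier must be present; the Selerix attributes are then collected. Verifying DigestValue and SignatureValue needs exclusive C14N and an XML-security library, so it is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample following the template above; signature and certificate blobs omitted.
SAMPLE = """<samlp:Response ResponseID="_r1" MajorVersion="1" MinorVersion="1" IssueInstant="2017-04-07T01:09:33Z"
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#_r1"/></SignedInfo></Signature>
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion AssertionID="_a1" Issuer="Vendor" IssueInstant="2017-04-07T01:09:33Z">
  <saml:Conditions NotBefore="2017-04-07T00:09:33Z" NotOnOrAfter="2017-04-07T02:09:33Z">
   <saml:AudienceRestrictionCondition><saml:Audience>Selerix</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2017-04-07T01:09:33Z">
   <saml:Subject><saml:NameIdentifier>131193</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
   <saml:Attribute AttributeName="GroupNumber"><saml:AttributeValue>G1</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="Welcome"><saml:AttributeValue>yes</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def ts(value):
    """Parse the UTC DateTime form the template uses (e.g. 2017-04-07T01:09:33Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(xml_text, now, audience="Selerix"):
    """Structural checks from the tables above; XML-DSig verification is out of scope (needs exclusive C14N)."""
    root = ET.fromstring(xml_text)
    assertion = root.find(SAML + "Assertion")
    cond = assertion.find(SAML + "Conditions")
    auth = assertion.find(SAML + "AuthenticationStatement")
    ref = root.find(".//" + DS + "Reference")
    status = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    subject = auth.findtext(SAML + "Subject/" + SAML + "NameIdentifier")
    instants = {root.get("IssueInstant"), assertion.get("IssueInstant"), auth.get("AuthenticationInstant")}
    checks = [  # (passed?, problem description)
        (ref is not None and ref.get("URI") == "#" + root.get("ResponseID", ""), "Reference URI does not match ResponseID"),
        (status is not None and status.get("Value") == "samlp:Success", "Status is not Success"),
        (len(instants) == 1, "IssueInstant/AuthenticationInstant values differ"),
        (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")), "outside NotBefore/NotOnOrAfter window"),
        (cond.findtext(SAML + "AudienceRestrictionCondition/" + SAML + "Audience") == audience, "audience mismatch"),
        (bool(subject), "missing NameIdentifier (Employee ID)"),
    ]
    attrs = {a.get("AttributeName"): a.findtext(SAML + "AttributeValue") for a in assertion.iter(SAML + "Attribute")}
    return [msg for ok, msg in checks if not ok], subject, attrs
```

A sender can run the same checks on its own outgoing XML before posting it; note that NotOnOrAfter is exclusive, so an assertion presented exactly at that instant is already rejected.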

 
