1. No category

DTV-IdP-Authentication ExternalIntegration

Confidential – Partner
July 17, 2009
DTV-IdP Authorization
Authentication Specification
Published by
Sep 15, 2009
Version 0.1
Document Identifier:
DTV-IdP-Authentication-ExternalIntegration-0.1
DIRECTV Confidential
This document contains proprietary information and
except with written permission of DIRECTV such
information shall not be published and this document
shall not be duplicated or distributed in whole or part.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Confidential – Partner
July 17, 2009
REVISION HISTORY
Date
Author
Kapil Chaudry, Jin
Chung, Uday Ravuri
Deena Gurajala
Description of Change
Initial release
Added support for HTTP Redirect/HTTP POST Binding as per
SAML 2.0 Specification
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Confidential – Partner
July 17, 2009
Table of contents
1 Introduction ...................................................................................................................... 1
Disclaimer ....................................................................................................................... 1
2 Overview .......................................................................................................................... 1
2.1 Authentication/Authorization for Service Providers ............................................ 1
3 Authentication .................................................................................................................. 2
3.1 The Authentication Process ...................................................................................... 2
3.2 SAML based Authentication..................................................................................... 5
3.3 Authentication Request ............................................................................................. 6
3.3.1 Sample Request Details ..................................................................................... 6
3.3.2 Authentication Response ................................................................................... 8
4 SP features required for Authentication ......................................................................... 16
5 Common Domain Cookie Support................................................................................. 16
7 Error Codes .................................................................................................................... 17
8 References ...................................................................................................................... 17
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Confidential – Partner
July 17, 2009
1 Introduction
This document describes the process to interface with DTV-IdP to access Directv’s
services. It is intended for Partners (Service Providers) who want their web-based
applications to access Directv’s services on behalf of users, using DTV-IdP’s
Authentication and Authorization services.
Disclaimer
DIRECTV makes no representations, express or implied, that use of the technologies
described in this specification will not infringe patents, copyrights, or other intellectual
property rights of third parties. Nothing in this specification should be construed as
granting permission to use any of the technologies described. Anyone planning to make
use of technology covered by the intellectual property rights of others should first obtain
permission from the holder(s) of the rights.
This specification is subject to change without notice. DIRECTV does not accept any
responsibility whatsoever for damages or liability, direct or consequential, which may
result from use of this specification or any related discussions.
2 Overview
DTV-IdP is a standalone SAML 2.0 compliant Identity Provider solution which
bundles all the security and identity related components necessary to enable partners to
communicate with service providers native to Directv security domain. We use an eventbased model to receive process and respond to HTTP and SOAP-based messages and
manage connections in Single Sign On fashion (SSO).
2.1 Authentication/Authorization for Service Providers
Every time a consumer tries to access web content through a service providers
that requires the user to have a Directv account , it has to first authenticate the user
against the DTV-IdP’s Authentication service. Upon successful authentication, the web
application receives a SAML assertion from the DTV-IDP Authentication service. If the
Service Provider (SP) needs explicit authorization for the user requested resource, then an
authorization request containing a SAML Authorization Decision Query is sent via
SOAP over HTTPS to the DTV-IdP Authorization service.
The following diagram illustrates this process.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 1
Confidential – Partner
July 17, 2009
Authentication
1. Authentication
HTTP Request
4. Redirect with
eToken
2. login page
USER
DTV-IdP
Authentication
3. login and
Approve/Deny access
Service Provider’s
Web Application
Token Validation
SAML Soap request
with Token
DTV-IdP
Authorization
SAML Assertion
based on ACL
Access
Conrol
Logic
(ACL)
Authorization
Figure 1.1 Authn/Authz for SPs
3 Authentication
Web applications that need to access services hosted by Directv or protected by the user’s
Directv account can do so using DTV-IdP’s Authentication service. Before using, verify
that the Directv’s service to be accessed supports the DTV-IdP’s Authentication service.
3.1 The Authentication Process
There are three entities involved in a typical Authentication Service Providers, DTV- IdP,
and the user. The following diagram illustrates the sequence:
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 2
Confidential – Partner
July 17, 2009
3
Request CDC
info
web browser
user
http://service.provider.com/videos
1
User attempts to access
URL on page hosted by
Service Provider
content protected
by directv account
2
Request
goes to
SP
4
Respond
with
DTV-IdP info
SP
(back end
application)
10
Grant Access to
content based
on Assertion
Assertion
Consumer
Service
5
SP sends a
SAML <AuthnRequest>
to DTV-IdP
(HTTP POST/HTTP Redirect)
9
Resolve
Authorization for
content:
SAMLAuthzDecnQuery/
SAMLAuthzAssertion
(SOAP over HTTP)
6
Resolve any CDC
info
https://directv.idp.net/login
DTV-IdP
Common Domain
Reading/Writing
Service
Not successful
8
<Response>
containing SAML
Assertion
with Token Set/Update
cookie
(HTTP POST/
HTTP Redirect)
successful
DTV-IdP
Enter directv
login credentials
username
7
Authenticate user
password
Fig 1.0 DTV-IdP Authentication Flow
The flow starts when the user attempts to access a resource on Service provider’s site that
is protected by Directv specific login credentials.
1. The Service Provider does not have a valid Directv Token for the user in the
corresponding security context.
2. Service provider identifies the ID provider for user Authentication (SP can use
DirecTV IDP Discovery service).
3. The SP sends a SAML <AuthnRequest> using HTTP POST or HTTP Redirect
binding to DTV-IdP’s Authentication server via HTTPS. Within the request is the
information from Step 3 referenced as additional attributes.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 3
Confidential – Partner
July 17, 2009
4. The DIRECTV IDP will validate the message format for required data and digital
signature. It also validate the age of the request. If it is older than 5 seconds (it is
configurable), we will reject the message. The age of the message is determined
from the value of attribute IssueInstant of the AuthnnRequest Element.
5. The DIRECTV IDP Authentication service tries to resolve any Common Domain
Cookie specific info from Request.
6. If the Common Domain Cookie information is resolved within the security
context of DTV-IdP, then a corresponding SAML Assertion with a SPID, Token
(Site Specific) and UUID is sent to the Service Provider. DTV-IDP
Authentication Service also calls Cookie Writer Service to set/update the common
domain cookie.
7. If the Common Domain Cookie information can not be resolved within the
security context of DTV-IDP or if it is invalid, then the user is redirected to the
login page.
8. This login page prompts the user to enter their Directv specific login credentials.
If the user enters valid login credentials and signs in, the user is granted access.
9. If the user is denied access, they are directed to a Directv login page rather than
back to the Service Provider (TBD).
10. When the user is granted access (i.e. successful login), the Authentication service
will call Common Domain Writing Service to create/update the Common Domain
Cookie (CDC) in the user’s browser and then redirects the user back to the SP’s
web site. Note: CDC support is explained in Section 4.
11. The authorization flow starts after this if the SP’s web application needs explicit
authorization for the user requested resource.
12. For the detailed flow please refer to the diagram below.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 4
Confidential – Partner
July 17, 2009
10 Initiate
Authorization Flow
(This can be initiated
If user already has
Authentication Context)
Service provider page
1 User Accessing
Restricted Content
on Service Provider domain
http://
content.protectd.idpacct.com
3 return IDP URL
or Default IDP URL
Common Domain Reader/
Writer Services Hosted On
DirecTV (Portable to ANY one
interested in Hosting)
Uses
Browser
9 Send SAML
Assertion Back
with site specific
token with
HTTP POST/
HTTP Redirect Binding
(After Successful
Authentication)
4 Send SAML
AuthenticationRequest
(HTTP Post/
HTTP Redirect Binding)
2 Identify ID Provider
(User Do not have any
Authentication Context)
IDP Discovery Service
8 return
Common Domain Writer
Service
DTV-IDP Authentication Service
6 Authenticate User
7 Set/Update
Common Domain Cookie
(After Successful
Authentication)
User Enters
Credentials
https://directv.idp.net/login
NO
username
5 Does Request
has Common Domain
Token
Attribute?
password
YES
YES
NO
5.1 Is Common
Domain
Token Valid?
3.2 SAML based Authentication
The Authentication API exposed by the DTV-IdP’s Authentication service is based on
the SAML 2.0 standard; specifically, on the "Web Browser SSO Profile."
The SAML profiles and bindings described below are derived from the SAML
specifications detailed in the following open standard documentations:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf
DTV-IdP uses the following SAML profile for its Authentication mechanism:

SP-initiated Single Sign On (SSO) using a POST/Redirect binding for the SP-toIdP <AuthnRequest> message and POST/Redirect binding for the IdP-toSP <Response> message.
Note:
 All Requests to DTV-IdP must be signed using certificates that are pre-registered
between DTV-IdP and the Service Provider.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 5
Confidential – Partner

July 17, 2009
All Responses originating from DTV-IdP to the Service Provider are also signed
in a similar fashion.
3.3 Authentication Request
The format of the <AuthnRequest> is part of the SAML protocol schema defined in samlschema-protocol-2.0.xsd. The Service Provider’s web application makes a request to
DTV-IdP’s Authentication service using HTTP POST or HTTP Redirect Binding as
defined in Step 1 of Authentication process above. The end-point (URL) is defined
below:
https://idp-sandbox-directv.com/authenticate/SAMLAuthRequest
(This URL is just an example)
Note:
1. The <AuthnRequest> MUST be signed by the Service Provider.
2. All communication with DTV-IdP takes place over SSL 3.0/TLS1.0
compatible Https.
The expected parameters are:
Parameter
Description
(required)(case sensitive)(value is base64encoded)Corresponds to SAML
SAMLRequest <AuthnRequest> message of Web Browser SSO profile which makes use
of the "Authentication Request Protocol".
The XSD is based on saml-schema-protocol-2.0.xsd
RelayState
token
(optional) URL containing current state information if any.
(Optional) Used by DTV to verify whether user has already authenticated
with other SP.
3.3.1 Sample Request Details
The URL for the service has not yet been deployed but will follow this convention:
HTTP Redirect Binding:
https://idp-sandboxdirectv.com/authenticate?token=JBGJg12IBn&SAMLAuthRequest?S
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 6
Confidential – Partner
July 17, 2009
AMLRequest=BASE64URLENCODEDELEMENT&RelayState=https://third
party.corp.company.com/viewcontent?video=URL&SigAlg=rsasha1&Signature=JLHW2929HNKw+njllswnjjSHK232+3939HHki=
The request parameter ‘token’ is common domain cookie token. It is part of IDP
Authentication Service URL. This URL set by common domain cookie writer. Token
attribute is an optional parameter. If it is present Authentication Service will validate the
token and issue an assertion containing site specific token. If token attribute is not present
or not valid, we redirect the user to log in page and ask them to provide credentials. After
successful authentication, Authentication Service will issue an assertion containing site
specific token.
Format of BASE64URLENCODEDELEMENT (source: saml-schema-protocol2.0.xsd):
<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
<complexType name="AuthnRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:Subject" minOccurs="0"/>
<element ref="samlp:NameIDPolicy" minOccurs="0"/>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
<element ref="samlp:Scoping" minOccurs="0"/>
</sequence>
<attribute name="ForceAuthn" type="boolean" use="optional"/>
<attribute name="IsPassive" type="boolean" use="optional"/>
<attribute name="ProtocolBinding" type="anyURI" use="optional"/>
<attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
<attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="ProviderName" type="string" use="optional"/>
</extension>
</complexContent>
</complexType>
Example:
https://<ipaddress>:8080/authenticate/SAMLAuthRequest?SAMLRequest=nVNta
9swEP4rQv1sS3ZamojYJawMwpJS6nSMfgmudInVWZInyUnz7ycnTknLGsqMwBx397zcSeOb
%0AV1WjDVgnjc5wElOMQHMjpF5n%2BHHxPRrim3zsSlU3bNL6Sj%2FAnxacR6FPO7ZPZLi1
mpnSScd0qcAx%0Az1kxmc9YGlPWWOMNNzVGE%2BfA%2BkD0zWjXKrAF2I3k8Pgwy3DlfcMI
SWicDuJkmIYfG9IhJcJvIima%0AiNcStCf80Dtx1muMprcZXiol0jQNgXMtTLXzpfYZTikd
Rd25XCTXbDBiyVV8Ta%2BeMPp5tBvk4YM5%0Atu%2B1J67OmyqPVjAq7u%2Bt2UgBohNDD1
%2BK868aGpMTAb2aon1%2BAe7%2FQ857gDDolbSq7FJoDr4y4p9A%0AHQZXrDK1ABuZVfQb
dmegbktf9tpenXzb3Xa7jbeD2Ng1CcNPyK%2F5rOAVqDKS%2B6VwwCjUM79rIMN7%0A8B%2
Bwm%2BqV%2BQi%2BCBWBX7hjQc8m3CdklNARCTXCyfXFW%2Bdd8Jf7cFuXh1kvm%2Fa5ljy
YG5OTimPQEeX9%0AOj5xfSb9IdWH719N%2Fhc%3D&RelayState=http%3A%2F%2Ftest.c
om%2Fvideo&SigAlg=rsasha1&Signature=NJsrNfkWl3JehGy6avRVfPul3ItU8Kt1uEyEBOjqjiyQ94gHaahFzald
A3S%2B1CqsypToPG7QqA0p%0AQKcgt5Uc2YaY8BiKyCLhQm8qAHbsDOqc074qDnZFAc2sEZ
SSyy3j34eUsBYEqBz7Rqz22GH9dAH7%0Ap4XanaPP1SjtP0au610%3D
Sample SAMLRequest element prior to base64 encoding:
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 7
Confidential – Partner
July 17, 2009
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://10.23.182.23:8080/dtv-idpclient/consumeAsrtn" ID="_mmd222" IssueInstant="2009-0904T17:39:15.705Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
SPProvidedID="00000002">http://10.23.182.23:8080/dtv-idpclient/</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:SubjectConfirmation Method="urn:oasis:names:tc:2.0:cm:holderof-key">
<saml:SubjectConfirmationData
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml:KeyInfoConfirmationDataType">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>test_server_publickey</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
</samlp:AuthnRequest>
The service provider has to send site id as value of SPProviderId attribute of <SAML
Issuer> Element. If Service provider does not have site ID yet, Service provider has to
register with DirecTV and receive a site ID. It is a mandatory attribute for us.
3.3.2 Authentication Response
The response from DTV-IdP is a Signed SAML Assertion contains two (2) attributes.
The SAML assertion attributes:
1. Token the DTV-IdP specific unique key for the user as an attribute with
name as eToken
2. SP-ID the Site Id (DTV-IdP’s internal representation of the Service
Provider) as an attribute with name the as SPID
3. UUID the Directv Account Id (DTV-IdP’s internal representation of the
User). It will be sent as the nameId element under Subject.
The validity of the Token and its features are mentioned in the Token Validity Section
below.
Sample Response URL
https://<ACS_URL>/SamlArtifactConsumer?SAMResponse=<RESPONSE>&RelayState=h
ttp%3A%2F%2Fpgws.directv.com%2Fa%2Fgetlistings&SigAlg=rsasha1&Signature=22bkwjdhsbw1278t2wbbgwqdg138e63bvdq+27621qwjg==
Sample <RESPONSE>
SAMLResponse=zVXbcqJAEP0Va%2FbRUm5qhBJSKjFLDMYL3vKS4jIoK8wgM4jm63dQScUk
ZvO4FC893af7nEPX0Lrd%0AR2FpBxMSYKQCocqDEkQu9gK0UsHU6lWa4FZrETsKY2UMSYwR
gSWGQUQ5HqogTZCCbRIQBdkRJAp1%0AlUnbfFTEKq%2FECabYxSEoGboKDHs7SsjirnPPYk
JSaCBCbURVIPK8XMnfmiXcKHVeEfiqxNeeQWlW%0AUGPtQEFkQm2aksuoiz1YmtlhCr%2Bn
RI7VyiR1XUgI4LQW97mp0iYEJpQNfqf1%2B752gThpXb1a8W%2BP%0APmDrZ1qbX2tVjthE
W1MaE4XjPLirBF5c9ejOhVUXRyf2RdkJM0mdP9Cl52jAqBp6qYeTyGbj9amh%0AA820lpI5
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 8
Confidential – Partner
July 17, 2009
UtUz%2FFRzCe9i5Ac5JnfBhHSNvS8dyMW7kbLGoQeTCvYrG3go2PfhwUA%2Bft9Kt6ltHWK
o%0AtTxS5M8me0QFuVCmM8uyaiZVcbLimF88x8scq%2FFIsPoFCmROWqOQ0BfmPFvhlzh1w
sB9YfNb3LuS%0AIsgnnb%2F298S4azZ8SBW7QmkSOCmF%2BQbBCKJPiVLOQwWTYW79h9xxZ
c8G7K8ZIHAL83HirmFkg7fa%0A4N%2FFleC4dS5kKBIolMlTwZ6tMxuOVkDjT4941nVJSvt
4ekUWtPAGov9LmHM%2FqolPB2TIgekGZkeQ%0At97I2jq4E9bd%2B0waiw%2BovLEltNbXg
6y96nI934mhN27Om4IvTf3O8s4ncGGabZmYtdRZreRd%2FalT%0AFn2jLzReF7Uk260Ffrx
syNmj1BnupUUXh3oZybpvGv25bxidmVmz%2BoP5dDYW8U1tWnaWwSJa9J7R%0AqLNmlw%2B
cmuFgwyfCovFg4cPW8WqiLByWwkbmys%2FO8tC1rVkzHCZ7PR0LyR8kJCPnpgGDSXIYzafW
%0AOHoViWc%2BNeqyG2F3uBwZdsAtpZss3fz0g3JXN5i7vAffrsniJ6D9BQ%3D%3D&Relay
State=http%3A%2F%2Ftest.com%2Fvideo&SigAlg=rsasha1&Signature=Y1H5Hzy23ImzN59xvfm2K%2BoQ%2Bj76dVfqlm0qsj1DIxuVB3irxGnd
nYsr4jSBwlbmQum%2FHCH8Kre0%0AiCwfvEa0XzoV%2BJcjA%2BK1FuUxFQXXVkGCTfC%2F
F4g6ZU9qnKsMo%2BRE19T1OSno%2BdOF%2B5oiI7F50mIu%0Ax2J6c1gNGXTcnLP8DuA%3D
Sample <RESPONSE> element NOT BASE64ENCODED:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="IaqQrsXEBG" IssueInstant="2009-09-04T17:50:10.304Z" Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="gzTpHdtJoT" IssueInstant="2009-09-04T17:50:10.308Z" Version="2.0">
<saml:Issuer>https://dev-idp.dtvce.com
</saml:Issuer>
<saml:Subject>
<saml:NameID Format="DUID">MTY3MQ==</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:2.0:cm:holder-ofkey">
<saml:SubjectConfirmationData
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml:KeyInfoConfirmationDataType">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>test_server_publickey</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="SPID">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">
00000002
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="eToken">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">
bGQ42OynI9iMciMB19qdQTqboBl5cGw3R2Jn+ka3nhDhNwAgC/FfbpedR8W81f3UfBYEfse
XMMA9sM4ubg9v5OB+2fIK16zX4rwvh10RY69wL3BPx3XColD+n9DfMIKWfIIBVM4TKNWUVR
2o74U+bYiXmXFZnQBhceseUMlNk0r1X6JToyqbd4291yY1k9/+ZbYyCaTV8lPrxDuR1rjn1
rQb76eiSryQWUTRmz2sdMO659cmocPYQIai/Y37wuk
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 9
Confidential – Partner
July 17, 2009
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
At this point the Service Provider (SP) gets the Token from the Assertion’s eToken
attribute parameter's value, and sends it to the Identity Provider using SOAP over a
mutually authenticated HTTPS connection, the details of which are described in the
DTV-IdP’s Authorization document: DTV-IdP-Authorization-ExternalIntegration-x.x.doc
HTTP POST Binding: The Assertion element of the SAML Response for HTTP Post binding is
XML Encrypted. The encryption is done using symmetric key encryption. The key used for the
encryption is RSA encrypted using client public certificate. Once the client receives the response,
client can use their private key to decrypt the encrypted symmetric key. After this use the
decrypted symmetric key to decipher the assertion element.
Sample Request POST Data
<input type="hidden" name="SAMLRequest"
value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0
aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJ
vdG9jb2wiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cDovLzEwLjIzLjE4Mi
4yMzo4MDgwL2R0di1pZHAtY2xpZW50L2NvbnN1bWVBc3J0biIgSUQ9Il9tbWQyMjIiIElzc
3VlSW5zdGFudD0iMjAwOS0wOS0wNFQxNzo1Mzo1OC4xNDVaIiBWZXJzaW9uPSIyLjAiPjxz
YW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXN
zZXJ0aW9uIiBTUFByb3ZpZGVkSUQ9IjAwMDAwMDAyIj5odHRwOi8vMTAuMjMuMTgyLjIzOj
gwODAvZHR2LWlkcC1jbGllbnQvPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zO
mRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZElu
Zm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaWcjIj4KPGRzOlNpZ25lZEl
uZm8+aXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+Cj
xkczpTaWdubT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+Y
XR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRz
aWcjcnNhLXNoYTEiLz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNfbW1kMjIyIj4KPGRzOlRyYW5
zZm9ybXM+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMD
AwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPgo8ZHM6VHJhbnNmb3JtIEFsZ
29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6
SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8
xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJkcyBzYW1sIHNhbWxwIi8+PC9kczpUcm
Fuc2Zvcm0+CjwvZHM6VHJhbnNmb3Jtcz4KaXN0PSJkcyBzYW1sIHNhbWxwIi8+PC9kczpUc
mFuc2Zvcm0+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3Jn
LzIwMDAvMDkveG1sZHNpZyNzaGExIi8+CjxkczpEaWdlc3RWYWx1ZT5WNzR5OHpQMGJaczE
4djFRc2pDcExxRUlEMjA9ZyNzaGExIi8+PC9kczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlcm
VuY2U+CjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlc
mVuY2U+Z25hdHVyZVZhbHVlPgpTS2dDekd1N3F0TzN2aVhJQmN4RVlGV3hsWmNodEc4bXJy
TStBTkFYUHhRTDlWSFhlNkNaTERiNWJCcExSekZwU3A3Tyt4UGwzc3IwCmFQVVpaWFIzdGF
0SnNiV1hhOXd3aU9Cc1Q3d3BYMThRMlBUbXJMcFFuTU4wYWhKUEh4WUpVZU9MTlRHWithQl
NvL2hMT3VNSm8rN1oKb0JZa0lBVDJocFZ4dzBzUURlQT0KPC9kczpTaWduYXR1cmVWYWx1Z
T4KPC9kczpTaWduYXR1cmU+PHNhVDJocFZ4dzBzUURlQT0KPC9kczpTaWduYXR1cmVWYWx1
ZT4KPC9kczpTaWduYXR1cmU+bWw6U3ViamVjdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmF
tZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE
1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOjIuMDpjbTpob2xkZXItb2Yta2V5Ij48c2Ftb
DpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3Jn
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 10
Confidential – Partner
July 17, 2009
LzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ic2FtbDpLZXlJbmZvQ29uZml
ybWF0aW9uRGF0YVR5cGUiPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm
9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6S2V5TmFtZT50ZXN0X2NsaWVudF9wdWJsaWNrZ
Xk8L2RzOktleU5hbWU+PC9kczpLZXlJbmZvPjwvc2FtbDpTdWJqZWN0Q29udF9wdWJsaWNr
ZXk8L2RzOktleU5hbWU+ZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGl
vbj48L3NhbWw6U3ViamVjdD48L3NhbWxwOkF1dGhuUmVxdWVzdD4=">
<input type="hidden" name="RelayState" value="http://test.com/video">
Before Base64 Encoding the SAML Request
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL=http://test/dtv-idp-client/consumeAsrtn”
ID="_mmd222" IssueInstant="2009-09-04T17:52:11.530Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
SPProvidedID="00000002">http://test/dtv-idp-client/
</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xmlexc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1" />
<ds:Reference URI="#_mmd222">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-excc14n#"
PrefixList="ds saml samlp" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>dRj9WltSsAgONHNsZ52osLzKYnQ=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
U22Mo9SDC/PEgCHLGLul/jnED9MhSnJhfL8ue1M6WswTdbfiMAmaWAGKnc8LpsuZJ
+LZ0O8yaJB8Ht48+TLzNSeibDwy03e22ymjqvcJRtYR3dAO//BBKWgv/Wiu/koOBWmP9Le/
XQ4FeiAqFe2XZotLaBDvIcqH0GbclBypkjY=
</ds:SignatureValue>
</ds:Signature>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:SubjectConfirmation Method="urn:oasis:names:tc:2.0:cm:holder-ofkey">
<saml:SubjectConfirmationData
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml:KeyInfoConfirmationDataType">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>test_client_publickey</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 11
Confidential – Partner
July 17, 2009
</saml:SubjectConfirmation>
</saml:Subject>
</samlp:AuthnRequest>
Sample Response POST Data
<input type="hidden" name="SAMLResponse"
value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbH
A6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwc
m90b2NvbCIgSUQ9Im5DeEJtZ3lJelMiIElzc3VlSW5zdGFudD0iMjAwOS0wOS0wNFQxNzo1
NTo0Ny44NTVaIiBWZXJzaW9uPSIyLjAiPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0N
vZGUgVmFsdWU9InVybjpvYXNpczpuLjAiPjxzYW1scDpTdGF0dXM+YW1lczp0YzpTQU1MOj
IuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4b
WxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0i
YmtCaWFwQ21TQSIgSXNzdWVJbnN0YW50PSIyMDA5LTA5LTA0VDE3OjU1OjQ3Ljg1NVoiIFZ
lcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vZGV2LWlkcC5kdHZjZS5jb208L3
NhcnNpb249IjIuMCI+bWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6L
y93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbyB4bWxuczpk
cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CjxkczpDYW5vbmljYWx
pemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iMC8wOS94bWxkc2lnIyI+aHR0cDovL3d3dy53My
5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vc
mcvMjAwMC8wOS94bWxkc2lnIyIvPgo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0i
aHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIiB4bWxuczpkcz0
iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyIvPgo8ZHM6UmVmZXJlbmNlIF
VSST0iI2JrQmlhcENtU0EiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L
3htbGRzaWcjIj4KPGRzOlRyYW5zZm9ybXMgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3Jn
LzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d
3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIHhtbG5zOm
RzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIi8+CjxkczpUcmFuc2Zvc
m0gQWxnb3JpdGhtPSJodHRwOi8vZy8yMDAwLzA5L3htbGRzaWcjIi8+d3d3LnczLm9yZy8y
MDAxLzEwL3htbC1leGMtYzE0biMiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDA
wLzA5L3htbGRzaWcjIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cD
ovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJkcyBzY
W1sIHhzIi8+PC9kczpUcmFuc2Zvcm0+CjwvZHM6VHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1l
dGhvIHhzIi8+PC9kczpUcmFuc2Zvcm0+ZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3J
nLzIwMDAvMDkveG1sZHNpZyNzaGExIiB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMj
AwMC8wOS94bWxkc2lnIyIvPgo8ZHM6RGlnZXN0VmFsdWUgeG1sbnM6ZHM9Imh0dHA6Ly93d
3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPlUzTWtrelhlODNtT2JUVzgzRi9CdkxvL3kv
ST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo
8ZHM6U2lnbmF0dXJlVmFsdWUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMD
kveG1sZHNpZyMiPgpMMitXVUkvVnJvdW1NZ05uSFRJZFlCTUp6QlJIUEdIOGNOd0ZpZ3V6c
jFEclZSUFoyUDFybU5MM2p5S0wxbC9XdktoMkRpNEU5T2FXCllBNGxDZVJPVUk5YnEwclIx
dTMxVURuZGMyQndXeEtGdWUvdkx3WkQwTTl5Yzk5azZJa05GbWY0eTMrcTZjekZzVk5GdFB
yUDZENkIKb2JEVTAyZmRnUWcrOXZ3eGYzRT0KPC9kczpTaWduYXR1cmVWYWx1ZT4KPC9kcz
pTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJEVUlEIj5NV
FkzTVE9PTwvcmU+c2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRo
b2Q9InVybjpvYXNpczpubDpOYW1lSUQ+YW1lczp0YzoyLjA6Y206aG9sZGVyLW9mLWtleSI
+PHNhbWw6S2V5SW5mb0NvbmZpcm1hdGlvbkRhczp0YzoyLjA6Y206aG9sZGVyLW9mLWtleS
I+dGFUeXBlPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL
zA5L3htbGRzaWcjIj48ZHM6S2V5TmFtZT50ZXN0X3NlcnZlcl9wdWJsaWNfa2V5PC9kczpL
ZXlOYW1lPjwvZHM6S2V5SW5mbz48L3NhbWw6S2V5SW5mb0NvbmZpcm1hdGlvbkRhdGFUeXB
lPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkF0dH
JpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iU1BJRCI+PHNhbWw6QXR0c
mlidXRlVmFsdWUgeG1sbnM6eHM9bDpBdHRyaWJ1dGUgTmFtZT0iU1BJRCI+Imh0dHA6Ly93
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 12
Confidential – Partner
July 17, 2009
d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3J
nLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4wMDAwMD
AwMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpY
nV0ZSBOYW1lPSJlVG9rZW4iPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRw
Oi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3Lnc
zLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Yk
dRNDJPeW5JOWlNY2lNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Q
jE5cWRRVHFib0JsNWNHdzNSMkpuK2thM25oRGhOd0FnQy9GZmJwZWRSOFc4MWYzVWZCWUVm
c2VYTU1BOXNNNHViZ2c5djVPQisyZklLMTZ6WDRyd3ZoMTBSWTY5d0wzQlB4M1hDb2xEK24
5RGZNSUtXZklJQlZNNFRLTldVVlIybzc0VStiWWlYbVhGWm5RQmhjZXNlVU1sTmswcjFYNk
pUb3lxYmQ0MjkxeVkxazkvK1piWXlDYVRWOGxQcnhEdVIxcmpuMXJRYjc2ZWlTcnlRV1VUU
m16MnNkTU82NTljbW9jUFlRSWFpL1kzN3d1azwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3Nh
bWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGl
vbj48L3NhbWxwOlJlc3BvbnNlPg==dHRyaWJ1dGVTdGF0ZW1lbnQ+">
<input type="hidden" name="RelayState"
value="http://test.com/video">
Before Base 64 Encoding:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="nCxBmgyIzS" IssueInstant="2009-09-04T17:55:47.855Z" Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:EncryptedAssertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="_732385b2df8c5246e3487b4e15d25239"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod
Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
URI="#_5a75f4ac2a0684834e1af83afb788504"/>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YVh8NKUiVERxc+gxToqbFdSV
QEDBUNTbywIzZCpZFl+5c7bwLnCYJxEniv9H6R3QBjse+7iz5HXWd6HPRt8+aN2pwByJBOu
W0yNjngDk+kyxEKde4Ak/iWFdzw+27WOkccf+0N8JOjYMZt/KpCJAd6HPRt8+aN2pwByJBO
uW0yNjngDk+AZJe1/i1tw58nYTT1PwD6EB1X5aesSSCsUFos8rOoxoFNMBUfFqJgXPVGtc4
8jnhvVOH0U452iquXkNGDnOGbjP5Oa3caiJWUufRfSfxYQsr4MV4kvcN9mdD0wn1TcL330z
nAc2ROskJKx+F+hKym1eYDnOGbjP5Oa3caiJWUufRfSfxYQsr4MV4kvcN9mdD0wn1TcL330
znAc2ROskJKx+F+2V//2ozlU6+a7GK46SG4/MmKiyMZrFvvSr2IrE+IiVSFWgcN53KvGWtw
Jsol81nl5gRUFd+dnK322ozlU6+EgwG+m1STMwrbuDrypmlnWfIU/WP10a1KrWl1XlU4afM
WmmwCFLkkTIwPhJzZqRS+BIzR8TVdURU+1E6PAYFp7qXnST+LRz9ZWwHNOfuvDEodci3ddm
NKTMXtx6c/srZWQul4mNgvLjN+VXkK0QuuORMoAYFp7qXnST+4gR91uixGHzS/+JXimQfIC
jHK1nbqgI8MnhjR49UIRsK5lHZwTGRu0dtgWVsHGZ0BJvx3VS2AAjS7jrC8C5zd6+NI7vdQ
PtRKZ2IVJPUw+l0SobNr4251J+kbVid0ZiMrQ+jVtOPh8eQr5SQgot78Pwj8C5zd6+NI7vd
QPtRKZ2IVJPUw+l0SobNr4251J+kbVid0ZiMrQ+E6Fb/NCupp2go0bN/dTbjgkc/ZML1Yif
JXYzrnSWETjxPpGrsxjISQnohoHN+blRki1QMpA6Lf6u1o8SrbcsO1eXlgSfbb6MFCZHdcg
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 13
Confidential – Partner
July 17, 2009
usfb3dbpDiFqvI4Y3S0f/X0uSsZj/eTQVYwDZlRX9JIXGm/QwLJUfRQF/9d9xRG4X2Z+7fp
ji+jEH+88RVjjJ4ZADRxOpei57eUuld3wBKrS0fVn2ryEO3gmOOubSXT9a/MLrWosb+/VE3
i87Rpyu8AqenQpzbfEoJJ6EQeod203N7+G48mr4IWQwBaPCgNZibFLkpcGIjwv4DTStvcFS
gfZ+hv9unnBM+G1eIk90VWnJPLmL8mG9cn+6JRQMTS1s7F6jFxYUE0ez72Ypi6P28ot+
n+KIiUqunceV8SYI8jIkgi0RKed2//A/nmZ0Rk7RCIJgBgDeVXrfRvVFsZ91XIzqkrTOESg
ln+w8Dh2n2wDDOvNyO8ZPxAay/k5YEYWfmmj8I7MrcdBt2UrBtH2VzBXHccTUXot8xpWao4
tlojndom0xwXwrQldxuXakK0NHC8ZL2M41qFG44AwiaojT3c7QNrDR1vqdKQ4vW56tokQzv
tbuLAAzp4egbbIKjm6kY1ur65Pb882yPdVBCpy33TVaD3okvey1lD8zutCSV0qQdFnRRJFW
lUPP5FAW4KunVLrTFpWAOA/PJrwQ2Ku0R5ZcPe+Va7dAetAdtXzQTA+7llStiA3of0sC6gf
yMma4bHgqfAetAYXlecIIVOcLYBOLoMqHMUoCZqqdkYWvta09+MYlKftVxztnv/F1Mlgafr
sQE5ButjHf6fMBbopJS2MNDI4lCdOLoMqHMUoCZqqdkYWvta09+QoMjpVjCLlmC07gVDddq
ZKo2f1SpC1uZIQfrFmoyaSFy7JeHNVlLh9zQlLj7AyKqaVqN9zYYcgBezsgziPzS16fQCUr
4sU6v+tNL2vfLqTgAQc+sVngjaw8gHxHz4jLHXFCwk71OdFr0J/O1/jOoIvGiiPzS16fQCU
r4sU6v+tNL2vfLqTgAQc+ULU0WW3Tv+hiicvDAShbMIN/lW3/l923psIdlRh7ChdgUT6rFE
41bFH509cY2OFoePKaNKUJmZNkWW3Tv+ZrenxqIBWgPvLiEIw6g52ueihD5ngH+nNXPcNT4
MC7zRrkDJNowG1fqkMFhrCRk48QSCFDdqpTBVxqIBWgPvLiEIw6g52ueihD5ngH+3HHRILr
y+/q+ygrhj2I96zwRi1MJgo/YIVjvWlXvTzt33jGVJfpxY/oRGdTvR/n6nH2wt8NYkZpIIL
ry+sjC35leci/vmoH488q03uF+NuBkMCbZU4gduR6Cvm7RVmCGw+5wpid5DtEn3jll3YQ5c
nidnzpnNmf+GgVm2wc/dv1d4ZHc7VMXWTguQXs7PQazqqf8G3IQOBu2tEIRPDraSDv0ihSz
i/TenMZh3WoPUHqs/aLqA+hZPmXd5/nkUahqT/CU+8tUEflqjpHp1ruXOFwgeTgLY5ZURSt
ueQEEZoKGrufNPQae/aLqA+FE6PftkizBy1j/jlyjQGSrlXkmzB5k0EdzONKbqqXe0yDfQ9
UJZpVOacXtrHfZxzJdSjjA/HfiokFWFrLmeMx5tK6DtfmoGAdBCkn31DUV5zk0D7qUx9QZS
zZTjTZB6fh9nTvfvJ/S4/vT2FLnf1iUZvq3nqqAgavo9X6SNbLdLDB3qXzSkV1pjKqGez5b
Vna9RKRbKVv+M6cJorpgj0Gqcx2D3DuW3X5DgBqAgavo9X6SNbLdLDB3qXzSkV1pjKqGez5
bVna9RKRbKVv+XDFqCGm4FNbxYKC7k7RNXQQPsR0bXEbcvuBmJ2/ZvUvEiXV9sbYRvx1JUh
jS4M9Gb1Zb3x+7x5TSeS5o/IPMzktgnPOtNIzR9iz5P/B35vs9WafJy+q9F4KitThvLFKu7
eIw9JvupHUw+CIgMa0UqQ9IT6u6Co0nRDLgScLb6bj54xtX4XKGf/Fv2bWOxySeWDBL5zrj
3g4XfoehPmnuwyVt9ikYK4PNIypvM0TnaKsvnExRIHFMDW5dU/IzajzHaMR9+HqvjnUquuu
3NgUFAsIcmtzcCttqK7sT78fP/afsEpRdjE/0NzPySsWhgOwusuH4/P6eFWFQ4pk0fhobgT
CO7Ix7EaeuLJyRSO3Jdl/wm2A0Kv8/CkpsYwta3LC6xVGqEAR+O40WW2hPnKpN1XRfN+nCD
DlDHbM/u1XoW6KI5UjRI8W+tVHd5H3uAS64PWuMpOUtxVGqEAR+O40WW2hPnKpN1XRfN+7a
SDu6kmZ+Rg7ToAErTFA+2spNw8rK0gFgTUvFlJ5yp+iPau+vMAhGcUwR6wBPhcJsih4gLsD
I75u6kmZ+Rg7ToAErTFA+2spNw8rK0gFgTUvFlJ5yp+iPau+M7TdG50ytG8tN8VTRkf4BR3
BGx7QZEO8n73bDiPcLXBMiodWGhrHMz/rXaSZYrwRN72ixONi9W34Ew1lfgUVPwW243EyLw
5UQ4jmDO1bRynLaG1BCLNkumTFp18zVIWcQ8LhFGEQpa+2nJHWYXefngLnfgUVPwW243EyL
w5UQ4jmDO1bRynLaG1BCLNkumTFp18zVIWcQ8LhFGEQpa+fna3YMW9bS8skdUDNZZrQ9LJJ
PJb66n7igiqnWvFl3K3uvoXdp4z/GaTqEJ0dx2dsjdUpVV7zHFkveIX3lqfo4Sh9T3DfsB/
Qtp7jTbmU+H4fPXEN621PZwss2O3kUeI7YRLVqDjDka40yifUHw3drmgwFro
fTcbWwg88FK+S4hrGn/U2IogkNtgfA==
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey xmlns:xenc=http://www.w3.org/2001/04/xmlenc#
Id="_5a75f4ac2a0684834e1af83afb788504">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<xenc:CipherData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">ZDkqq44Z64ag5uC25WsaBTe7
ThwOkgwYF7qOPe21OzQQQlvTi9n1hENbrHmDKPqTQr7uc4w/gsW8
ZJzo7w1BOnQ5cTYTLUwfZcKrv/fQyeaoEyRYB8UhfvskiuttZ9qMJPggpB6lTwh5QHeUrtL
PBhlWoMjwvzqJ0zOmO3rH7V4=
</xenc:CipherValue>
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 14
Confidential – Partner
July 17, 2009
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference
URI="#_732385b2df8c5246e3487b4e15d25239"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</saml:EncryptedAssertion>
</samlp:Response>
Unencrypted Assertion:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="bkBiapCmSA" IssueInstant="2009-09-04T17:55:47.855Z"
Version="2.0">
<saml:Issuer>https://dev-idp.dtvce.com
</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xmlexc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Reference URI="#bkBiapCmSA"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xmlexc-c14n#"
PrefixList="ds saml xs" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
U3MkkzXe83mObTW83F/BvLo/y/I=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
L2+WUI/VroumMgNnHTIdYBMJzBRHPGH8cNwFiguzr1DrVRPZ2P1rmNL3jyKL1l/WvKh2Di4
E9OaWYA4lCeROUI9bq0rR1u31UDndc2BwWxKFue/vLwZD0M9yc99k6IkNFmf4y3+q6czFsV
NFtPrP6D6BobDU02fdgQg+9vwxf3E=
</ds:SignatureValue>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="DUID">MTY3MQ==</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:2.0:cm:holder-ofkey">
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 15
Confidential – Partner
July 17, 2009
<saml:SubjectConfirmationData
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml:KeyInfoConfirmationDataType">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>test_server_publickey</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation
</saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="SPID">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">
00000002
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="eToken">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">
bGQ42OynI9iMciMB19qdQTqboBl5cGw3R2Jn+ka3nhDhNwAgC/FfbpedR8W81f3Uf
BYEfseXMMA9sM4ubgg9v5OB+2fIK16zX4rwvh10RY69wL3BPx3XColD+n9DfMIKWfIIBVM4
TKNWUVR2o74U+bYiXmXFZnQBhceseUMlNk0r1X6JToyqbd4291yY1k9/+ZbYyCaTV8lPrxD
uR1rjn1rQb76eiSryQWUTRmz2sdMO659cmocPYQIai/Y37wuk
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
4 SP features required for Authentication
This document does not address the following features they need to be addressed by the
SP:
 Session management for the user in context of the Web Application (Service
Provider).
 The details of maintaining the cookies and their expiration times.
5 Common Domain Cookie Support
DTV-IdP will include support for writing to Common Domain Cookie as specified in
Section 4.3 of “saml-profiles-2.0-os.pdf”. Service Providers would need to read the
common domain cookie to determine if the browser is already has a profile with DTVIdP. The naming convention and the contents within a Common Domain Cookie strictly
adhere to Sections 4.3.1, 4.3.2 and 4.3.3 of “saml-profiles-2.0-os.pdf”. The detailed
specification/documentation about DTV_IDP Discovery Service and Writer Service will
be released later.
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 16
Confidential – Partner
July 17, 2009
DTVIdPRevokeToken: A call to this method revokes the Token. Once a Token is
revoked it is no longer valid. (TBD)
DTVIdPTokenInfo: A call to this method verifies whether a specified Token is valid
and returns data associated with the Token. (TBD)
7 Error Codes
If DTV-IdP’s request fails, you may receive any of a variety of HTTP error status codes
in response. In particular, if the problem is with the account itself (rather than the
authentication token as such), you'll receive one of the following 403 errors:


403 Account disabled
403 Account deleted
If the problem is with the authentication Assertion, following errors will be in response:






401
401
401
401
401
401
Assertion invalid
Signature Verification Failed
Authentication Request does not confirm to the schema.
Assertion disabled
Assertion expired
Assertion revoked
Error responses may also include a DTVIdP-Authentication header, such as the
following:
DTVIdP-Authentication: DTVAuthn realm="https://idp-sandboxdirectv.com/authenticate/SAMLAuthRequest"
That header provides information about how and where to authenticate correctly.
8 References
1. Security Assertion Markup Language (SAML) V2.0 Overview:
http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
2. Schemas for SAML queries and responses: saml-schema-protocol-2.0.xsd
DirecTV IdP Authentication Specification
DIRECTV Confidential
Do not copy without prior DIRECTV authorization
Page 17

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz