How does the SCIM 'externalId' work if multiple apps/domains cause there to be more than two IDs for the same person?

SCIM makes an optional 'externalId' attribute available for clients which have a different value for a user's ID than what the SCIM server authoritatively associates with the same user. What if we have a scenario where there are 3+ domains, one containing an IdP which can act as a SCIM server (a.k.a. service provider), the others containing SCIM clients which make use of the IdP? A given user could have accounts in all the domains, and each domain may have assigned a different ID to that user. It seems like the 'externalId' attribute could help with one of the client domains, but not any others. Would we have to define SCIM extension attributes to handle the other client domains?

Related

Is the SCIM user ID the same as an IdP's setting for a user ID if SCIM is not enabled?

Say you have an IdP that can act as a SCIM server (WSO2 is one -- I would be interested to know if there are others), but SCIM is not currently enabled and it is up and running for a while with user Fred. Fred has a user ID of 31415. Now we decide to enable SCIM on the IdP and a client makes a SCIM query for the users. Will Fred's ID (prominent in the JSON response) be 31415, or would enabling SCIM have caused the IdP to generate additional/new SCIM IDs for all the users? I know for normal, non-SCIM operations, Fred would still be associated with 31415, but maybe for SCIM operations there would be a new ID.
Either approach would be acceptable. I don't know the specifics of any SCIM servers, libraries, etc. on how they'd treat it. For simplicity's sake, if possible I'd recommend representing the existing internal ID value of 31415 and using that for the SCIM ID value as well.
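The two SCIM threads above (the single-valued 'externalId' with several client domains, and reusing an existing internal ID as the SCIM 'id') can be sketched together. The following is an added example, not code from either poster or from any SCIM product; the extension schema URN, the client names and Fred's client-side IDs are assumptions made for the sketch.

```python
"""SCIM 2.0 user store sketch: server-authoritative `id`, single-valued
`externalId`, and a custom extension schema for further per-client IDs."""
import re
from typing import Dict, List, Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumption: SCIM defines no extension for "other clients' identifiers", so this
# example declares its own URN; a real deployment would publish it via /Schemas.
CLIENT_IDS_EXT = "urn:example:params:scim:schemas:extension:clientIds:2.0:User"

# Only the `attr eq "value"` subset of the SCIM filter grammar (RFC 7644) is handled.
_EQ_FILTER = re.compile(r'^\s*([\w:.]+)\s+eq\s+"([^"]*)"\s*$')


class ScimUserStore:
    """User resources keyed by the SCIM `id`, which the server alone assigns."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_existing_user(self, internal_id: str, user_name: str) -> dict:
        # Pre-SCIM account: reuse the IdP's internal ID (e.g. 31415) as the SCIM
        # `id`, the simpler option from the answer above, instead of minting a new one.
        user = {"schemas": [CORE_USER], "id": internal_id, "userName": user_name,
                "meta": {"resourceType": "User"}}
        self._users[internal_id] = user
        return user

    def get(self, scim_id: str) -> Optional[dict]:
        return self._users.get(scim_id)

    def set_external_id(self, scim_id: str, external_id: str) -> dict:
        # `externalId` is single-valued: a second client that records its own
        # identifier here silently replaces the first client's value.
        user = self._users[scim_id]
        user["externalId"] = external_id
        return user

    def set_client_id(self, scim_id: str, client: str, client_id: str) -> dict:
        # One {client, value} entry per client under the extension schema, so
        # every client domain keeps its own identifier without collisions.
        user = self._users[scim_id]
        if CLIENT_IDS_EXT not in user["schemas"]:
            user["schemas"].append(CLIENT_IDS_EXT)
        ext = user.setdefault(CLIENT_IDS_EXT, {"clientIds": []})
        ext["clientIds"] = [c for c in ext["clientIds"] if c["client"] != client]
        ext["clientIds"].append({"client": client, "value": client_id})
        return user

    def find_by_client_id(self, client: str, client_id: str) -> Optional[dict]:
        for user in self._users.values():
            for entry in user.get(CLIENT_IDS_EXT, {}).get("clientIds", []):
                if entry["client"] == client and entry["value"] == client_id:
                    return user
        return None

    def filter(self, expr: str) -> List[dict]:
        """Evaluate `attr eq "value"`, where attr is a core attribute such as
        externalId or the extension path `<CLIENT_IDS_EXT>:clientIds.value`."""
        match = _EQ_FILTER.match(expr)
        if not match:
            raise ValueError(f"unsupported filter: {expr!r}")
        attr, value = match.groups()
        return [u for u in self._users.values() if value in self._values(u, attr)]

    @staticmethod
    def _values(user: dict, attr: str) -> List[str]:
        if attr == f"{CLIENT_IDS_EXT}:clientIds.value":
            return [c["value"] for c in user.get(CLIENT_IDS_EXT, {}).get("clientIds", [])]
        value = user.get(attr)
        return [value] if isinstance(value, str) else []


def demo() -> dict:
    """Fred (internal ID 31415) provisioned from two client domains, 'hr' and 'crm'."""
    store = ScimUserStore()
    store.add_existing_user("31415", "fred")
    store.set_external_id("31415", "hr-0042")   # client 1 records its ID
    store.set_external_id("31415", "crm-9")     # client 2 overwrites it
    store.set_client_id("31415", "hr", "hr-0042")
    store.set_client_id("31415", "crm", "crm-9")
    return store.get("31415")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the point of the first question: after both clients have written 'externalId', only the last value survives, while the extension attribute keeps one entry per client and can still be searched with a SCIM filter on its path.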

How to share data between two applications with SSO?

This is more of a philosophical/architecture question than "code" question.
Let's imagine that we have 2 applications (Service providers) with Single Sign-On. There is obviously data they have to share, mainly the information of the users (username, email, etc). This data is managed by the Identity Provider and "provided" to the service providers when the authentication is successful (the basics, I guess).
Let's also imagine that these 2 applications each have their own database, in which they match each user retrieved from the IdP, but each database has its own info (columns) that only belongs to its associated application (not to the other!). But (another but), there are some other fields that both have to access (besides username, email, etc.). For example, the first application has a list of available companies and the second application needs that information when creating a new user to associate that user with an available company. How should that data be shared? Is the best/correct way to create an API to provide this type of info between applications? I'm mostly talking about lists of things that are too big to be sent through assertions.
Thanks in advance!
The SAML way is to use NameID as the "primary key" to map a user in the IDP to a user in the application.
e.g. Email could be sent as the NameID for application 1 and UPN could be sent as the NameID for application 2. These would be in the assertions.
Getting info between applications is not part of an IdP (other than using assertions), so this would have to be done via API.

How should mapping of service provider users to identity provider users work?

I'm working on setting up a service provider that supports SAML. I've added two identity providers - one custom one that I built from SimpleSAMLphp and then ssocircle. So I log in to the selected identity provider, and then it returns to my service provider and I inspect the attributes of the SAML Auth object. The identity provider I built returns whatever I want it to (obviously). The ssocircle one only returns e-mail, first, and last names.
So now to map this to the user of the service provider, I have to use some value the identity provider provides. So this led me to wonder how it should be done. Since ssocircle only gives me e-mail as a useful value, do I just use the e-mail to map to the SP user?
Let's pretend for a second that ssocircle doesn't validate e-mail addresses. So now if I create a second account at ssocircle with the same e-mail, I can log in as my coworker who I know has admin privileges.
So my question is, do I handle this? Or is the onus on the admin who set up the identity provider and say "well you shouldn't have used an identity provider that doesn't validate e-mail addresses!" or something of that nature? Or should I only allow identity providers that pass a certain value, like userid or 0.9.2342.19200300.100.1.1? Is there something that identity providers commonly use?
Well, you said it, two different identity providers. They both should be passing not only the email but different entity ids and certificates.
In multi-tenant applications that would mean two different applications, but if you plan to allow multiple IdPs to point to a single app you will need to ensure that the same email with a different entityID creates two different users, and/or throw an error after the first was created so that the second can be neither provisioned nor given access.
Interesting question. These days people think always of auto federation of users by some attribute. In early SAML federation days federating two unrelated users was a manual step in which a user logs in at the IDP and logs in to the SP providing both sets of credentials and then manually federated these two user accounts. The process guarantees that only the user who has access to the accounts at the IDP and SP controls the linkage between the two. It also allows anonymous naming identifiers (SAML persistent NameIDFormat) which protects privacy because even the IDP does not know the user name at the SP and vice versa.
Unfortunately the process was too complicated for users, and with the success of OpenID this aspect was getting less and less important.
To answer your question: what you describe happens in the real world; see the Office 365 authentication bypass.
You need to check that the IDP is authoritative to send a specific attribute and attribute scope in case of two IDPs.
In case of one IDP the attribute must be verified (SSOCircle verifies email address) and it should better be unique (For example SSOCircle userId) to avoid that two users with the same attribute are mapped to a single user at the SP.
If the user IDs are not the same (e.g. you use a simple user ID at the IdP and email address format at the SP) you can still add a correlation attribute at the SP (e.g. an attribute named ssocircle-userid) and use that to link the user accounts.
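The account-linking rule from the two answers above (key the local user on the IdP's entityID plus NameID, and only accept an attribute from an IdP that is authoritative for its scope) can be shown in a few lines; the NameID-as-primary-key point from the SSO data-sharing thread applies the same way. This is an added example, not code from either answerer or from SimpleSAMLphp or SSOCircle. The assertion XML is constructed and unsigned, the entityIDs and email domains are invented, and signature, audience and validity-window checks are assumed to have been done before this step.

```python
"""Link SAML logins to local SP accounts keyed on (issuer entityID, NameID), and
reject an email attribute from an IdP that is not authoritative for its domain."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from typing import Dict, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed, unsigned assertion skeleton (assumption: signature, Audience and
# Conditions have already been verified by the SAML library before we get here).
_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def make_assertion(issuer: str, name_id: str, email: str, fmt: str = PERSISTENT) -> str:
    """Build a sample assertion for the demo (no real IdP involved)."""
    return _TEMPLATE.format(issuer=issuer, name_id=name_id, email=email, fmt=fmt)


def parse_assertion(xml_text: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (issuer entityID, NameID, {attribute name: first value})."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=SAML_NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return issuer, name_id, attrs


class AccountRegistry:
    """Local accounts are keyed on (issuer, NameID), never on the email alone."""

    def __init__(self, scopes: Dict[str, Set[str]]) -> None:
        # entityID -> email domains that IdP is authoritative for (attribute scope)
        self._scopes = scopes
        self._accounts: Dict[Tuple[str, str], dict] = {}
        self._next_id = 1

    def login(self, assertion_xml: str) -> dict:
        issuer, name_id, attrs = parse_assertion(assertion_xml)
        if issuer not in self._scopes:
            raise PermissionError(f"unknown IdP: {issuer}")
        email = attrs.get("email") or ""
        domain = email.rpartition("@")[2].lower()
        if domain not in self._scopes[issuer]:
            # Office 365-style bypass guard: an IdP may not assert someone else's domain.
            raise PermissionError(f"{issuer} is not authoritative for {email!r}")
        key = (issuer, name_id)
        account = self._accounts.get(key)
        if account is None:
            # A second IdP account with the same email gets its own local account
            # rather than landing on a colleague's admin account.
            account = {"local_id": self._next_id, "issuer": issuer,
                       "name_id": name_id, "email": email}
            self._next_id += 1
            self._accounts[key] = account
        return account
```

With this keying, the scenario from the question (a second SSOCircle account registered with a coworker's email) yields a fresh, unprivileged local account, and an assertion from an IdP that is not authoritative for the email's domain is refused outright.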

How to include the user groups attributes in a SAML login response assertion

I'm using SAML for login into my app, I would like to include the user groups in attributes in the login response assertion. I'm wondering if the login request should specify that the attribute is required, or if this is a configuration that needs to be done on the IDP in general, or in the IDP specifically for my service provider.
I've created an Identity Provider in OpenAM and have my own app Service Provider configured in OpenAM as a remote SP as well. I've also created a user in OpenAM and assigned it to a group; however, I'm not seeing the group in the response assertion. Even when I tried to map the value in OpenAM manually, the memberOf attribute always returned empty.
Any information will be highly appreciated.
Shay
The best answer I have for you, is that there is no good way to share group membership information in SAML2 assertions OOTB.
I would suggest to implement a custom attribute mapper and implement the retrieval of group membership data there, but you will find that the DataStoreProvider interface does not expose group membership related operations, so you would need to directly use the AMIdentity/AMIdentityRepository API in your plugin.
When it comes to group memberships you have a couple of choices:
return the names of the groups
return the DN of the groups
return the Universal ID of the groups (universal IDs are OpenAM's internal unique IDs, which are stored in DN format but are not the same as the groups' DN in the directory server)
The first option would be my personal recommendation as that fits into OpenAM's abstract user data store concept.

SAML: group memberships

I was told that it is possible to give information about group membership during a SAML authentication request. We have to connect to an application that does use SAML (we are at the end that is creating the SAML answer XML). Authenticating a user works fine but I can't find a way to specify a "member of" or similar attribute.
Can you explain to me how to pass group memberships in SAML during authentication or have an example ?
I know there is a possibility to take care of authorization in SAML at a so-called Policy Decision Point. But this would mean that a SAML flow would happen for each or some (if batched) entities we want to check authorization for.
Let me give you an example what we are trying to do. This example is made up but shows the problem we want to solve.
Let's assume you have a hard drive with lots of directories and files on it. We use SAML to authenticate the person that tries to access that drive. Members of the group "admin" are allowed to read and write and members of group "user" are only given read permission.
Because of this we want to send the group memberships of a user when he or she authenticates. Because otherwise it would mean that the application has to check for every file if the user is in the necessary group. If it was clear from the beginning (after authentication took place) that someone is a member of a specific group the application can cache that in memory.
As with most things in SAML, this depends on the identity provider as well as the application.
Many identity providers have access control to allow or deny specific users or groups to access an application. Sign-on is then denied by the IdP after authentication based on the ID of the application (from the SAML request) and access control configured in the IdP. If you just want to control who has access to the application, then this is all you need, and most, if not all, identity providers should have you covered.
Sometimes you also want different users or groups to have different permissions inside the application, or you want memberships in certain groups on the IdP to be mapped to membership in groups inside the app's own user and group database (or other application-specific group-like concepts). There is no standard for this, but some identity providers allow the definition of attribute mapping rules based on group membership. For example, in ADFS, you can create a claim rule that sets a specific SAML attribute to a specific value if and only if the user is a member of a specific group in AD. You would then set up such a rule and set a SAML attribute that your application understands to a value it understands.
Alternatively, if an application supports configuration of multiple IdPs, then you can configure one app / IdP mapping per group, and for each group add an attribute mapping rule with a hard-coded group name in an attribute that your application understands.
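To make the "claim rule" pattern from the answer above concrete: the IdP releases a group attribute only for memberships that an explicit rule maps to an application-known value, and the SP turns those values into permissions once per session, which is the caching the questioner asked about. This is an added example, not code from the answerer, from ADFS or from OpenAM; the group DNs, the attribute name, the 'app-admins'/'app-users' values and the permission table are constructed for the sketch.

```python
"""IdP-side group-to-attribute rules and SP-side permission caching for SAML."""
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted XML
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # assumed SP-side attribute name


@dataclass(frozen=True)
class ClaimRule:
    """Issue `value` in GROUP_ATTR if and only if the user is in `idp_group`."""
    idp_group: str
    value: str


def issue_group_claims(member_of: Iterable[str], rules: List[ClaimRule]) -> List[str]:
    """IdP side: groups without a rule are never released to this application."""
    groups = set(member_of)
    return [rule.value for rule in rules if rule.idp_group in groups]


def build_attribute_statement(values: List[str]) -> str:
    """Serialise the released values as one multi-valued SAML Attribute."""
    ET.register_namespace("saml", SAML_NS)
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    if values:
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=GROUP_ATTR)
        for value in values:
            ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(statement, encoding="unicode")


def parse_group_values(statement_xml: str) -> List[str]:
    """SP side: pull the values of the group attribute out of an AttributeStatement."""
    root = ET.fromstring(statement_xml)
    ns = {"saml": SAML_NS}
    return [v.text or "" for a in root.findall("saml:Attribute", ns)
            if a.get("Name") == GROUP_ATTR
            for v in a.findall("saml:AttributeValue", ns)]


# SP-side table mapping released values to coarse permissions (constructed for
# the hard-drive example: admins read and write, users only read).
PERMISSIONS: Dict[str, Set[str]] = {"app-admins": {"read", "write"}, "app-users": {"read"}}


def permissions_for(values: Iterable[str]) -> Set[str]:
    perms: Set[str] = set()
    for value in values:
        perms |= PERMISSIONS.get(value, set())
    return perms


class SessionCache:
    """Computes permissions once at login so each file access is a set lookup."""

    def __init__(self) -> None:
        self._perms: Dict[str, Set[str]] = {}

    def start(self, session_id: str, statement_xml: str) -> Set[str]:
        self._perms[session_id] = permissions_for(parse_group_values(statement_xml))
        return self._perms[session_id]

    def can(self, session_id: str, action: str) -> bool:
        return action in self._perms.get(session_id, set())


if __name__ == "__main__":
    rules = [ClaimRule("CN=Admins,OU=Groups,DC=example,DC=com", "app-admins"),
             ClaimRule("CN=Staff,OU=Groups,DC=example,DC=com", "app-users")]
    released = issue_group_claims(["CN=Admins,OU=Groups,DC=example,DC=com"], rules)
    cache = SessionCache()
    print(cache.start("session-1", build_attribute_statement(released)))
```

Note that a membership with no rule (a payroll group, say) never reaches the application, which keeps the IdP's directory structure private and means the SP only has to understand the handful of values it was configured for.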