I'm building a custom AAD B2C policy for a tenant which provides authentication for several apps, some of which use OIDC and some of which use SAML. The SAML apps all use the same sing-up/sign-in relying party policy, and all the OIDC apps use a different relying party policy. One thing in common for the sign-in user journey in all the apps is they need to call an API passing the app id as a parameter. This is straightforward for OIDC with the {OIDC:ClientId} claims resolver, however I'm not sure how to do this for SAML, as there isn't a similar claims resolver.
The solution I've found for now is to create individual relying party policies for each SAML app and hard-code the app id in the policy.
Is there a better solution to this problem?
Looking at the decoded payload of the request sent to the SAML policy, it looks like the following:
<?xml version="1.0"?>
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/mySamlPolicy/samlp/sso/login"
ID="_xxxxxxxxxxxxx"
IssueInstant="2022-02-23T11:55:27Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com/path</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>
ClientID is part of the OIDC spec.
It is not part of SAML.
SAML returns a SAML token in XML and API's generally require a JWT in JSON.
The SAML spec. doesn't really cater for REST API.
Related
I created azure b2c custom policy using SAML flow and cannot find documentation what logout url should I use on SP side. What I see in saml policy metadata xml:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"/>
it does not work with my SP (zendesk) and shows error after logout redirect: AADB2C99046: The logout request does not include a session index. I investigated saml logout request and it does not contain session index element. As I understand SAML standard documentation SessionIndex is optional.
Is there any way to fix log out functionality with SAML?
here is the answer from Microsoft support:
After analyzed your request with our technical advisors and additional
resources, we got a confirmation that for your particular setup which
is having your B2C actuate as SAML Token Provider, the SessionIndex
along with NameID is a must and needs to be provided by your Service
Provider.
I know it is hard to track what requirements usually needs the setups
in B2C by having the information spread everywhere but in Azure AD B2C
the following are the two scenarios supported:
Have Azure AD B2C acting as an IdP and achieving SSO with SAML-based Service Providers
Have Azure AD B2C acting as a service provider (SP) and interacting with SAML-based identity providers like SalesForce and ADFS.
The first scenario (1), that one you have, it requires your custom
policy to setup your SAML token issuer, along with the
SAMLSSOSessionProvider the TechnicalProfile named as SM-Saml-Issuer.
SAML session logout will not work then without your SessionIndex and
NameID attributes coming from your SP.
This is the only way to achieve a successful SAML logout call from
your Service Provider.
Let me know if you have any questions, I can then review this and
forward it to our experts if necessary.
Best regards,
_____________________________________________________ Victor J. Hernandez | Support Engineer | Azure Support
Most SPs using SAML will create their own session after you are authenticated. This session is only used by the SP that set it up. To do this, logout must do the following: delete all SP sessions.
The only truly reliable way to completely log out of SAML SSO is to delete all sessions, including identity provider sessions and all service provider sessions. Normally, this can be done simply by closing the browser.
We're using SAML 2.0 for SSO, and want to improve the UX by allowing a user to enter their email only once (to identify they need SSO). Is it possible to pre-fill the SAML SSO email field when authenticating with Google's SAML IDP?
I know that the AuthnRequest has an optional Subject field that can pass the principal information to the IdP, but so far I haven't managed to have Google's SSO form pre-populate. Either it's not supported from the IdP, or I'm sending the wrong configuration.
The existing configuration I've been trying to use looks like this:
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_cd...." Version="2.0" IssueInstant="2019-01-01T00:00:00Z" Destination="https://accounts.google.com/o/saml2/idp?idpid=...">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">(issuer_name)</saml:Issuer>
<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">me#example.com</NameID>
</Subject>
</AuthnRequest>
I would expect the Google SSO form to autopopulate me#example.com, but nothing happens.
The Subject element is optional in an authentication request and even when included, it's ignored by most IdPs. Since authentication request can be sent to the identity provider by an anonymous party, performing a UX action like you're thinking about would certainly lead to an easy phishing vector.
We have a Web App using REST API. The REST API is based on Loopback and uses it's built-in token-based authentication. For the Web App we use forms based authentication over HTTPS, so the user has to enter his username and password which we then use to get access token from the REST API via POST /users/login endpoint.
One of our customers asked us to support single sign-on (SSO) authentication through SAML 2.0 and AD FS.
We configured our Web App as a service provider (Relying Party in AD FS) and managed to support SSO for it. The changeling part is the authentication between Web App and the REST API. The idea right now is to configure both Web App and the REST API as the same Relying Party and add new POST /users/saml-login endpoint to the REST API, so the Web App can send a SAML response to that end point and get an access token based on the claims specified in the SAML response. Everything else should work as it used to work before. Here is the flow I imagine:
Web App generates SAML request and redirects a user to the IdP login page
After a successful login the user is redirected back to the Web App with the SAML Response
Web App acts as a proxy and redirects the SAML Response to the REST API endpoint (POST /users/saml-login) where it is validated
If the SAML response is valid the API returns an access token based on the claims
Web App uses access token for further communication with the REST API same as before
Here is the question: Is it OK to implement SAML-based SSO this way? Do you see any issues or security considerations with this approach? Are there any alternatives?
I have read a lot of articles on the web and questions here on StackOverflow about how to use SAML & REST API together:
Propagate SAML Assertion Response/Security Context to downstream Services/Apps
REST API authentication with SAML
SAML and back-end REST service authentication
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
None of them really helped me to confirm or reject the idea described above.
That sounds like a reasonable approach. I can't think of any security issues.
You're simply re-posting the SAML response internally within your application for processing. As long as you then perform the various security checks on the SAML response and assertion within your REST API, there shouldn't be any issues.
Our customer is using Okta and is asking us to SAML-enable our app so they can access it using idnetities in Okta.
We plan to use OpenSAML to do it. So far so good.
But usually, our app has access to identities (list of users, groups/members) coming from an on-prem LDAP or AD, for example. We normally use those identities to configure authorizations in our app (give permissions to certain users to access certain ressources). Using SAML only, I don't see how to access the whole list of users/groups. And from what I understand, it's not the goal of SAML to provide it.
How is this situation typically solved? Should we try to sync the identities between Okta and our app? Is it what is called provisioning? There is Okta API, SCIM, JIT, ... Or maybe we should take a totally different approach?
Thank you!
The typical way to handle authorization in SAML is to use a SAML assertion to determine the authorization that a user should have. Which assertion is used and how it is will depend on your authorization model.
Note that using assertions will push the responsibility for determining authorization onto the administrator of the SAML Identity Provider, it will be up to them to decide who has access to what.
The ideal situation for supporting "enterprise federation" is to support SSO and Provisioning. SAML or OIDC for SSO and SCIM for provisioning.
If your software doesn't depend on an up-to-date list of users, supporting just SAML with "JIT" might be sufficient. SAML with "JIT" or "Just In Time" provisioning just means that your SAML Service Provider implementation would add users that it hasn't seen before.
What are the main difference between JWT (Json Web Token) and SAML?
Can you suggest me any examples of these with spring security?
Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required).
JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.
Both are are used for authentication and authorization, commonly used for Single Sign-On (SSO) solutions.
Security Assertion Markup Language (SAML,pronounced SAM-el) is an XML-based standard for exchanging authentication and authorization data between parties, i.e. IdP (Identity Provider) and a SP (Service Provider).
An IdP (Identity Provider) : authenticates users and provides to Service Providers an Authentication Assertion if successful. Identity providers offer User Authentication As A Service.
A SP (Service Provider): relies on the Identity Provider to authenticate users.
Term in SAML
Term in OAuth
Description
Client
Client
Example: A web browser
Identity Provider(IdP)
Authorization Server
Server that owns the user identities and credentials
Service Provider(SP)
Resource Server
The protected application
JSON Web Token (JWT, pronounced jot) is a ID Token based on JSON to pass user information as Header, Payload and Signature structure. https://jwt.io/
OpenID Connect(OIDC) is built on the OAuth 2.0 protocol and uses an additional JSON Web Token (JWT), called an ID token. This token is a compact and self-contained (i.e. piece of data that is able to function independently) authentication mechanism that uses a JSON object to encode claims that are signed and encrypted. JWT can be used to authenticate clients, pass information between parties, or to authenticate APIs.
Use case:
OIDC is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. for example Stackoverflow login with Google account.
SAML commonly used to help enterprise users sign in to multiple applications using a single login.
OIDC is a more modern, lightweight, and easier-to-use protocol compared to SAML, while SAML provides a more complete and complex solution for SSO and identity management in enterprise scenarios.
In addition, SAML is a protocol and a token format while JWT is only a token format.