Adding minimal SAML support for ISV - saml

We are an ISV building an enterprise SaaS product.
We would like to enable our customers to define their IDP SAML configuration.
We are a startup and would like to support SAML as lean as possible.
1. What is the minimal configuration needed to support the major IDPs?
After reading Okta's article I understand that:
Certificate
IDP Sign-in URL
are a must.
Say that we use a single ACS endpoint (we will implement our own logic by looking at the SAML assertion).
Is there anything else mandatory?
What about bindings? Do all major IDPs support HTTP redirect?
2. What needs to be defined on the IDP side?
We tend to use the HTTP redirect binding; should it work with most IDPs? Is a metadata endpoint important?

As for "what is required": in many cases, you will have to generate a so-called "metadata.xml" file to provide the information to the vendor, so they might install a testing environment for you.
I've implemented about 5 SAML integrations with different vendors so far. The truth is that not all of them require full-fledged SAML 2.0 standard, but some of them do. I think my article should be also helpful to you https://dev.to/optiklab/working-example-of-saml-single-sign-on-integration-using-c-39mb and my open sourced SAML integration project (https://github.com/optiklab/SAML-integration-utilities) contains both Metadata File generator and C# examples for forming both SAML response and assertions. They proved to be working with many vendors, like Ping Identity, etc.
Let me know if you have more specific questions.
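As an added illustration of the minimum the question lists (IdP sign-in URL, IdP certificate, one ACS endpoint) and of what the HTTP-Redirect binding actually puts on the wire, here is an SP-side AuthnRequest builder and encoder. This is example code written for this page, not the author's project; the tenant values are constructed placeholders and the certificate PEM is a labelled dummy.

```python
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, hypothetical per-tenant configuration: the values the question
# names as mandatory (IdP sign-in URL, IdP certificate) plus our own identifiers.
TENANT = {
    "sp_entity_id": "https://app.example.com/saml/metadata",
    "acs_url": "https://app.example.com/saml/acs",            # single ACS endpoint
    "idp_sso_url": "https://idp.example.org/sso/saml",        # IdP sign-in URL
    "idp_cert_pem": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
}

def build_authn_request(cfg, request_id=None, issue_instant=None):
    """Return (id, xml) for a minimal SP-initiated AuthnRequest; keep the id to match InResponseTo."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": cfg["idp_sso_url"],
        "ProtocolBinding": POST_BINDING,            # ask the IdP to POST its Response to our ACS
        "AssertionConsumerServiceURL": cfg["acs_url"],
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = cfg["sp_entity_id"]
    return request_id, ET.tostring(root, encoding="unicode")

def redirect_url(cfg, xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_str.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in cfg["idp_sso_url"] else "?"
    return cfg["idp_sso_url"] + sep + urllib.parse.urlencode(params)

def decode_redirect_request(url):
    """The IdP side of the binding: recover the AuthnRequest XML from the redirect URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()
```

The IdP certificate is not used here because signing happens in the opposite direction: the SP keeps it to verify the signature on the Response or Assertion that comes back to the ACS.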

Related

How is Microsoft.IdentityModel.Tokens.Saml used?

I am looking to implement single sign on functionality into an existing Asp.Net MVC 5 web application using SAML 2.0. My team and I have looked into a few different NuGet packages to help us get started with this implementation. We already have the IdP and metadata file, but now just need to implement the SSO functionality into our project.
We came across the Microsoft.IdentityModel.Tokens.Saml package and were interested in using this to set up our SAML configuration but have not been able to find any documentation on how this is actually implemented. I was wondering what is this package typically used for and can it be used to handle SAML requests and responses for the implementation of SSO functionality into a web application or should we look into using a different package? Thanks!
This package is for handling SAML assertion security tokens. It's not for handling the SAML SSO protocol. The WS-Trust protocol supports a number of different security token types including SAML assertions. The Microsoft.IdentityModel.Tokens.Saml package provides this support. SAML SSO also uses SAML assertions but is a completely different protocol from WS-Trust.
You'll find there are a number of open source implementations of the SAML v2.0 specification as well as our commercial offering.

Identity Provider Implementation with SAML V2 and Java

After successfully implementing a SAML-V2 Service Provider (SP), for supporting a specific use-case I have to implement my own SAML-2 IdP. After going through the OASIS documentation and many others about the SAML protocol, I have started implementing it.
My Use-case is just a single profile (Web Browser SSO Profile) with SP-Initiated SSO: Redirect Bindings only.
I am looking for some lean third-party library or java based implementation which I can refer/use to speed up the implementation and customize on top of that.
Would love for any recommendation or suggestion in this direction.
To be specific, I'm looking for any/all of the below:
Easy to use open-source library for implementing SAML-V2 Identity Provider in Java.
Detailed documentation/specification for above profile.
Any advice from experts who have past experience in implementation such kind of IdP.
There is lots of material available for SP. However, very few and complex for IdP.
Some of the Java-based implementations I am already looking at are: KeyCloak and Lite-IdP.
"Very few and complex" is true because building a real-world identity provider is a serious project. OpenSAML as the library is your best option in Java - many enterprise-grade implementations that we know about are built with it. A good, stripped-down example of how to use OpenSAML in IdP context is https://github.com/OpenConext/Mujina .
Lite IdP is written in Go. If you're open to non-Java options, SimpleSAMLphp is excellent, it's certainly better documented than many others.
I'd post it as comment, but I don't have enough reputation.
But here you have almost the same question, regarding Spring SAML:
using-spring-saml-as-an-idp-rather-than-an-sp
Take a look at Vladimir's answer, I think it's what you're looking for. Here is the link suggested by him.
Cheers

SAML: How to implement SSO (Single sign-on) for a web application

I have searched a lot for good documentation on how to implement SSO, as I am a beginner in this field, but got confused with the documentation available online. Is there any documentation that can help me with:
How to create/configure IDP, SP, and how to implement SSO?
My web application uses Java 8, AngularJS, JSP, Spring (with annotations), Hibernate, Maven, JBoss.
Appreciate your time in advance.
Your question is kind of broad, which makes it hard to give a definitive answer. Perhaps knowing better what to research may help. Please let me try:
Your web application will be an SP. Thus, you don't need to research for how to implement an IdP.
You will need at least 1 IdP to test SSO for your application. Therefore, find out what IdP you want to use and research for how to set it up as well as how to configure a service provider trust against it.
What is the protocol you want to use for SSO? Is it SAML 2.0, WSFed, OAuth2, OpenId Connect or something else? Pick one.
Research a good library that you can use to implement the SP role for your application.
You've mentioned Java and Spring so typically you are looking at Spring Security and SAML.
If that's the case, then you need to implement a client-side SAML stack.
Refer: SAML : SAML connectivity / toolkit.

Any libraries or frameworks for building a SSO proxy?

I've been tasked with determining the feasibility of building an application that would act as a proxy between platforms that offer single sign-on capabilities.
Our "platform" offers SAML Service Provider capabilities, and we have some customers that provide their own SAML IDP and Identity Store. We have other customers that use different single sign-on technologies, such as OAuth, OpenID, or third-party Web Services. Some customers use a combination of these technologies.
The goal of the proxy would be to standardize and reduce the complexity of each customer's SSO integration on the platform. Currently, we're required to customize each implementation between the platform and the customer's Website(s).
I'm having difficulty finding frameworks, libraries, or functions for proxying between SSO protocols such as SAML and OAuth, or SAML and a third-party Web Service.
I'm wondering if anyone has experience building something similar and can recommend solutions that worked for them.
I've put together a diagram that illustrates what we're trying to accomplish below.
Check this Bitly project on GitHub:
https://github.com/bitly/oauth2_proxy
It supports multiple identity providers
hth

What is the correct way to create Service Provider SSO metadata

I would like to test my newly written Service Provider (SP) SAML 2.0 consuming endpoints.
To do so I would like to create a test Identity Provider (IdP), either with TestShib or SSOCircle. Both these services require me to provide the appropriate SP metadata that describes my new SP endpoints.
I know that Shibboleth, once installed, will do this for me using the path:
[my-domain]/Shibboleth.sso/Metadata
However, my confidence in the generated results is shaken by the warning at the top of the file, which states:
This is example metadata only. Do NOT supply it as is without
review, and do NOT provide it in real time to your partners.
Also, of course, you need to have Shibboleth installed which may not be possible.
So what is the best way to create / generate the SP metadata?
With Shibboleth SP plugins, the best way to provide metadata is to use the generated version from [my-domain]/Shibboleth.sso/Metadata and make manual changes if required.
Make sure to verify that the URLs it includes are correct, that it includes bindings you would like to support, that certificates are correct, eventually make modifications required by your IDP (like adding contact information). For testing even these parts can typically be skipped.
More details on metadata structure and things which can be changed are in Shibboleth's wiki.
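If Shibboleth is not an option, the SP metadata is small enough to produce by hand. The following is an added example for this page, not Shibboleth's or any project's generator: it emits an EntityDescriptor with the elements in schema order and then runs the review step the answer recommends (HTTPS locations, a certificate present) before the file is handed to TestShib, SSOCircle or an IdP. All values are constructed; the certificate is the base64 of the string "PLACEHOLDER", not a real X.509 DER.

```python
import base64
from xml.etree import ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed values for a hypothetical SP. cert_b64 must be the PEM body
# (base64 DER, no armor lines) of the SP's real certificate; here it is a dummy.
SP = {
    "entity_id": "https://sp.example.com/saml/metadata",
    "acs_urls": ["https://sp.example.com/saml/acs"],
    "cert_b64": base64.b64encode(b"PLACEHOLDER").decode(),
}

def build_sp_metadata(sp):
    """Serialise SPSSODescriptor children in schema order: KeyDescriptor, NameIDFormat, ACS."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": sp["entity_id"]})
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    for use in ("signing", "encryption"):        # same cert advertised for both uses
        kd = ET.SubElement(sso, f"{{{MD}}}KeyDescriptor", {"use": use})
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = sp["cert_b64"]
    ET.SubElement(sso, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    for i, url in enumerate(sp["acs_urls"]):     # index 0 is the default ACS
        ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService", {
            "Binding": POST, "Location": url, "index": str(i),
            "isDefault": "true" if i == 0 else "false"})
    return ET.tostring(ed, encoding="unicode")

def review_metadata(xml_str):
    """Return the problems a reviewer should catch before sending metadata to an IdP."""
    root = ET.fromstring(xml_str)
    ns = {"md": MD, "ds": DS}
    problems = []
    for acs in root.findall(".//md:AssertionConsumerService", ns):
        if not acs.get("Location", "").startswith("https://"):
            problems.append(f"AssertionConsumerService is not https: {acs.get('Location')}")
    certs = [c.text or "" for c in root.findall(".//ds:X509Certificate", ns)]
    if not certs or not all(certs):
        problems.append("KeyDescriptor without a certificate")
    return problems
```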