I created azure b2c custom policy using SAML flow and cannot find documentation what logout url should I use on SP side. What I see in saml policy metadata xml:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"/>
it does not work with my SP (zendesk) and shows error after logout redirect: AADB2C99046: The logout request does not include a session index. I investigated saml logout request and it does not contain session index element. As I understand SAML standard documentation SessionIndex is optional.
Is there any way to fix log out functionality with SAML?
here is the answer from Microsoft support:
After analyzed your request with our technical advisors and additional
resources, we got a confirmation that for your particular setup which
is having your B2C actuate as SAML Token Provider, the SessionIndex
along with NameID is a must and needs to be provided by your Service
Provider.
I know it is hard to track what requirements usually needs the setups
in B2C by having the information spread everywhere but in Azure AD B2C
the following are the two scenarios supported:
Have Azure AD B2C acting as an IdP and achieving SSO with SAML-based Service Providers
Have Azure AD B2C acting as a service provider (SP) and interacting with SAML-based identity providers like SalesForce and ADFS.
The first scenario (1), that one you have, it requires your custom
policy to setup your SAML token issuer, along with the
SAMLSSOSessionProvider the TechnicalProfile named as SM-Saml-Issuer.
SAML session logout will not work then without your SessionIndex and
NameID attributes coming from your SP.
This is the only way to achieve a successful SAML logout call from
your Service Provider.
Let me know if you have any questions, I can then review this and
forward it to our experts if necessary.
Best regards,
_____________________________________________________ Victor J. Hernandez | Support Engineer | Azure Support
Most SPs using SAML will create their own session after you are authenticated. This session is only used by the SP that set it up. To do this, logout must do the following: delete all SP sessions.
The only truly reliable way to completely log out of SAML SSO is to delete all sessions, including identity provider sessions and all service provider sessions. Normally, this can be done simply by closing the browser.
Related
I am using Azure Active Directory Business to Consumer(adb2c).
We have designed custom policies, part of Identity Experience Framework(IEF) of Azure for 2 different applications.
One application is using login policy/flow which connects to a 3rd party Identity store.
Another application is using login policy/flow which connects to a different 3rd party Identity store.
Can we achieve SSO between them?
I am trying to use DefaultSSOSessionProvider session provider to skip technical profile which actually connect to 3rd party IDP and complete the login in case of SSO scenario. Getting exceptions while doing this.
Will this be possible or is there any other approach to achieve SSO?
In order to enable SSO for different applications in Azure AD B2C you need to configure SSO at the tenant level. To be able to skip external IdP selection you need to set a TP that leverages the ExternalLoginSSOSessionProvider in the UseTechnicalProfileForSessionManagement attribute of your external IdP TP. Take a look to the following custom policy permalink for a sample.
Finally, the external IdP SSO is controlled by the IdP itself and not by B2C so if some problem arises ensure the IdP SSO is working before validating B2C SSO.
I have two service providers set up with one IdP and users are required to be authenticated twice to access both services at the same time. From my point of view, this is not "SSO" and I am thinking that there might have been settings done incorrectly and I would like to see if the community here can provide me with directions and/or possible solutions.
Just a thought - the behaviour for the authentication on each service looks valid as I understand that IdP is required to send signed SAML assertions to the providers in order to access the services. However, because I only have one IdP, can I not be authenticated just once and be able to access all the services?
Any suggestion is appreciated. Thanks.
Typically in this scenario the user would authenticate once to the IdP when the first SP SSO's to it. There would be no authentication at the IdP when the second SP SSO's to it as there's already an authentication session at the IdP for the user.
However, there might be use cases where you want the user to be authenticated at the IdP even if they already have an authentication session. The SP can set the ForceAuthn flag in the SAML authn request sent to the IdP. This requests that the IdP authenticates the user regardless of whether or not they already have an authentication session.
ADFS also has a configuration option for relying parties (SPs) to always require authentication. Take a look at the AlwaysRequireAuthentication flag.
https://learn.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=windowsserver2022-ps
I am currently going through OneLogin's documentation.
There is one point that remains unclear to me.
I think I understand the main differences between SAML and OIDC.
However on the SAML description it seems that there is no authentication required from the end user.
Compared to the OIDC description, where a code is required from the end user.
This point only would make me lean toward SAML as it is "frictionless".
My questions are -knowing that I want to integrate with OneLogin-:
Is SAML "frictionless"? Can it be?
Is OIDC "frictionless"? Can it be?
If so, is it a specific OneLogin feature? (It seems that all the documentation that I found online mention authentication with the IdP)
Thank you for your help!
The article states:
"The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider."
So the user has to authenticate if no existing browser session.
The article is around SSO i.e. if you have already logged into an IDP with SAML and you access another application on that same IDP, you won't have to login again.
OIDC has the same approach.
OIDC can be "frictionless" if you use the Resource Owner Password flow where you pass the user name and password under the hood. The user does not have to authenticate.
But it's deprecated in OAuth 2.1 as it's not secure.
Let's say we have a service provider app called A hosted on tomcat, a user clicks a link to the SP A. SP A sees no token is provided so it redirects the user to the IdP for authentication (with a SAML Authn request provided by some means). The IdP then redirects the user to some common login page where credentials are provided, assuming that these credentials are correct the IdP creates a SAML response with a token and some assertions about the subject, and sends it back to SP A. SP A sees this and allows the user access into the application. Great!
I have a few questions though
How is the authorisation request/response sent, I understand there is a redirect binding and a POST binding where the SAMLResponse and request are encoded either as a query param, or sent as an XHTML form in case of a POST binding. But I'm not sure which is used where?
A service provider is the thing providing a service, so Office 365 or Sales force for example. Is each one a separate service provider? I ask as I watched a video where the guy said the service provider was the thing that hosted these services, so I'm not sure of the correct answer here?
How is the token stored on the client side? So for example I am now authenticated against SP A, the user then tries to use SP B from the same machine/browser window, how does SP B and the IdP know that the user has already authenticated and therefore doesn't need to re-authenticate. I.e. the SSO aspect of it.
Does SP B need to be hosted on the same tomcat instance for this to work?
I dedicated significant time to get SSO working for me. The most helpful document was this specification
The answers below are based on this experience:
Redirect or Post binding is used depending on a respective HTTP request header. The Post binding is recommended since it does not imply restrictions on data volume transferred.
A Service Provider in this context is anything that clients request. There may be many of them, participating in the same SSO scheme.
The service providers must be SSO-aware, which includes handling of the authentication response data. Usually you don't have to implement the protocol - there are ready-made frameworks that your SP can utilize.
Service Providers may reside on different servers.
From my own experience:
You choose your own SAMLBinding (redirect or post) depending on what your idp and sp supports. This binding type will be used both for the 1st step (SP -> Idp) and 2nd step (IdP -> SP). If you have some running environment, open your browser devtools and look at network tab to see what happens. It's just a way to send data from browser to SP/IdP.
Both Office 365 and Salesforce.com are cloud services, right? Let's take Office 365. it means that beyond "end-user" services (like Word, Excel) there is some technical SSO service which are common to the platform. It can be viewed as lower (or technical) service layers, I think that what you speaker meant.
The SAML token is stored by you SP application inside your browser, either hidden inside web page, cookie or web storage. It depends on how your SP is implemented.
SAML response can be validate by each SP based on shared private key, so it will decrypt the token using this key and be able to grant user without the help of IdP redirection.
Tomcat have some extension to support SAML. But SAML is designed to work without being on the same instance, as the opposite as basic JSESSIONID cookies.
So you have several instances, of course.
Our customer is using Okta and is asking us to SAML-enable our app so they can access it using idnetities in Okta.
We plan to use OpenSAML to do it. So far so good.
But usually, our app has access to identities (list of users, groups/members) coming from an on-prem LDAP or AD, for example. We normally use those identities to configure authorizations in our app (give permissions to certain users to access certain ressources). Using SAML only, I don't see how to access the whole list of users/groups. And from what I understand, it's not the goal of SAML to provide it.
How is this situation typically solved? Should we try to sync the identities between Okta and our app? Is it what is called provisioning? There is Okta API, SCIM, JIT, ... Or maybe we should take a totally different approach?
Thank you!
The typical way to handle authorization in SAML is to use a SAML assertion to determine the authorization that a user should have. Which assertion is used and how it is will depend on your authorization model.
Note that using assertions will push the responsibility for determining authorization onto the administrator of the SAML Identity Provider, it will be up to them to decide who has access to what.
The ideal situation for supporting "enterprise federation" is to support SSO and Provisioning. SAML or OIDC for SSO and SCIM for provisioning.
If your software doesn't depend on an up-to-date list of users, supporting just SAML with "JIT" might be sufficient. SAML with "JIT" or "Just In Time" provisioning just means that your SAML Service Provider implementation would add users that it hasn't seen before.