How can I add Auth0 as IdP into ADFS? - saml

I've asked this question on Auth0 community but wanted to ask in here also... https://community.auth0.com/t/how-can-i-add-auth0-as-idp-into-adfs/16868
I want to use Auth0 as an IdP for my application. So here is the flow:
Web Application --> ADFS --> Auth0 --> Social
I’ve read this link and did whatever it says; in order to add Auth0 as a Claims Provider into ADFS I’ve used the SAML Metadata URL. As a result I can now select Auth0 as IdP (or CP in ADFS terms) on the ADFS login page and it redirects the user to log in on Auth0. And the client can authenticate on Auth0 without a doubt. But, when ADFS receives the HTTP POST SAML response from Auth0 it throws an error: “MSIS0050: SAML Response does not match SAML request.” And thus the client cannot log in to the web app.
Here are the details of the exception:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS0050: SAML Response does not match SAML request. Request ID: id-2252c816-02de-423c-b518-703cbfd26055, response InResponseTo:
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
So, what can the problem be here? Can you please help me with this?

My fault. For ADFS integration, on Auth0, selecting SAML2 as the integration medium was a bad idea. I just selected ADFS and it's working now. Thank you.

Related

SAML 2.0 integration with a service provider

We currently run our IdP on Firebase Auth. One of our partners (a service provider) only supports SAML 2.0. They want us to send a request with a payload to a URL containing the user's email address.
I do not have much experience with SAML 2.0; what do you guys think the best approach for this would be?
Sorry for a vague question.
Thanks,
Sam
Firstly, you will have to configure your SP and IdP by exchanging the metadata (via a URL or XML file, or manually). From the question, it seems that you are looking for IdP-initiated SSO. After a user successfully authenticates with the IdP, the IdP sends a response (XML payload) which contains the user identifier, typically a username or email. The SP will read the payload and, after verifying the data, it will create the user session in your SP.
The SAML response looks something like this.

Pass SAML response from a Web App to the REST API for authentication?

We have a Web App using a REST API. The REST API is based on Loopback and uses its built-in token-based authentication. For the Web App we use forms-based authentication over HTTPS, so the user has to enter his username and password, which we then use to get an access token from the REST API via the POST /users/login endpoint.
One of our customers asked us to support single sign-on (SSO) authentication through SAML 2.0 and AD FS.
We configured our Web App as a service provider (Relying Party in AD FS) and managed to support SSO for it. The challenging part is the authentication between the Web App and the REST API. The idea right now is to configure both the Web App and the REST API as the same Relying Party and add a new POST /users/saml-login endpoint to the REST API, so the Web App can send a SAML response to that endpoint and get an access token based on the claims specified in the SAML response. Everything else should work as it used to. Here is the flow I imagine:
1. The Web App generates a SAML request and redirects the user to the IdP login page.
2. After a successful login the user is redirected back to the Web App with the SAML Response.
3. The Web App acts as a proxy and re-posts the SAML Response to the REST API endpoint (POST /users/saml-login), where it is validated.
4. If the SAML response is valid, the API returns an access token based on the claims.
5. The Web App uses the access token for further communication with the REST API, the same as before.
Here is the question: Is it OK to implement SAML-based SSO this way? Do you see any issues or security considerations with this approach? Are there any alternatives?
I have read a lot of articles on the web and questions here on StackOverflow about how to use SAML & REST API together:
Propagate SAML Assertion Response/Security Context to downstream Services/Apps
REST API authentication with SAML
SAML and back-end REST service authentication
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
None of them really helped me to confirm or reject the idea described above.
That sounds like a reasonable approach. I can't think of any security issues.
You're simply re-posting the SAML response internally within your application for processing. As long as you then perform the various security checks on the SAML response and assertion within your REST API, there shouldn't be any issues.
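The answer above leaves "the various security checks" unnamed, and the first question on this page fails on one of them: ADFS's MSIS0050 message shows an empty `response InResponseTo:`, meaning the Response did not carry the ID of the AuthnRequest ADFS had issued. The following is an added example (not code from any answer here, and not from ADFS, Auth0 or Loopback) of the structural checks a service provider such as the `POST /users/saml-login` endpoint should run before minting a token from the claims: request correlation via `InResponseTo`, status, single assertion, expected issuer, audience restriction and the validity window. The entity IDs, clock and sample Response are constructed placeholders. XML signature verification is deliberately not implemented here; in production it is done by an xmlsec-backed SAML library, and untrusted XML should be parsed with `defusedxml` rather than the stdlib parser used below for self-containment.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # constructed placeholder
IDP_ENTITY_ID = "https://idp.example.com/"               # constructed placeholder
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock


def _parse_time(value):
    # SAML uses xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, outstanding_request_ids, expected_issuer,
                           expected_audience, now):
    """Return rejection reasons (empty list = passed). outstanding_request_ids
    holds the AuthnRequest IDs this SP issued and has not yet consumed; pass an
    empty set only if the SP deliberately accepts IdP-initiated responses."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # 1. Correlate with our request. This is the check ADFS reports as MSIS0050:
    #    it sent an AuthnRequest, so a response without a matching InResponseTo
    #    (for example an IdP-initiated one) does not match that request.
    in_response_to = root.get("InResponseTo")
    if outstanding_request_ids:
        if not in_response_to:
            errors.append("response has no InResponseTo but an AuthnRequest is outstanding")
        elif in_response_to not in outstanding_request_ids:
            errors.append("InResponseTo %r does not match any outstanding request" % in_response_to)
    # 2. Status must be Success.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    # 3. Exactly one assertion, issued by the IdP we configured.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append("expected exactly one Assertion, found %d" % len(assertions))
        return errors
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        errors.append("assertion issuer %r is not the configured IdP" % issuer)
    # 4. Conditions: audience restriction and validity window.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        errors.append("assertion has no Conditions")
        return errors
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        errors.append("audience %r not in %r" % (expected_audience, audiences))
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        errors.append("assertion not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        errors.append("assertion expired")
    return errors


def sample_response(in_response_to):
    """Constructed, unsigned sample Response; in_response_to=None gives the
    shape of an IdP-initiated response (no request to correlate with)."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" '
            'Version="2.0" IssueInstant="2024-01-01T12:00:00Z"' + attr + '>'
            '<samlp:Status><samlp:StatusCode Value="' + SUCCESS + '"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
            '<saml:Issuer>' + IDP_ENTITY_ID + '</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
            '<saml:AudienceRestriction><saml:Audience>' + SP_ENTITY_ID + '</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')


def run_scenarios():
    """Map scenario name -> rejection reasons for the constructed responses."""
    args = (IDP_ENTITY_ID, SP_ENTITY_ID)
    return {
        "sp_initiated_match": validate_saml_response(sample_response("_req1"), {"_req1"}, *args, NOW),
        "idp_initiated_while_request_outstanding": validate_saml_response(sample_response(None), {"_req1"}, *args, NOW),
        "idp_initiated_allowed": validate_saml_response(sample_response(None), set(), *args, NOW),
        "wrong_request_id": validate_saml_response(sample_response("_other"), {"_req1"}, *args, NOW),
        "expired": validate_saml_response(sample_response("_req1"), {"_req1"}, *args, NOW + timedelta(minutes=10)),
        "wrong_audience": validate_saml_response(sample_response("_req1"), {"_req1"}, IDP_ENTITY_ID, "https://other.example.com/", NOW),
    }


if __name__ == "__main__":
    for name, errs in run_scenarios().items():
        print(name, "->", errs or "accepted")
```

The `idp_initiated_while_request_outstanding` scenario is the shape of the MSIS0050 failure: the SP is waiting on a request ID and receives a Response with no `InResponseTo`. Whether to accept unsolicited responses at all (`idp_initiated_allowed`) is a deliberate SP configuration choice, since an SP that accepts both loses the ability to tell a replayed or injected Response from one it asked for.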

For SaaS provider, is SP-to-Okta leg conforming to SAML standard?

We are a SaaS Service Provider with a SAML implementation. However, during the implementation with Okta, I got the impression that:
The Okta-to-SP leg is a totally SAML-standard Assertion Response. Period. No questions.
However, the SP-to-Okta leg is not a SAML-standard AuthnRequest. It’s a proprietary HTTP GET request to the Okta embed link like:
https://dev-xxxxx.oktapreview.com/home/xxxdevxxx_xxx/xxxx/xxx
Is this observation accurate? Is there any way that I can make the SP-to-Okta leg a SAML AuthnRequest? I assume not.
Okta supports SP-initiated SSO.
You send a SAML authn request to its .../sso/saml endpoint.
The SSO service URL is available in the SAML metadata, which you can download from the Okta console.
As of now the UI to get that piece of information for Okta administrators is a little bit tricky:
Admin > Applications > XXX > Sign On > Settings > View Setup Instructions.
There you can find the IdP URL, issuer, and cert. The metadata file is available for downloading as well.
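To make the SP-to-IdP leg the standard SAML leg the answer describes, the SP builds an AuthnRequest and sends the browser to the IdP's SSO service URL using the HTTP-Redirect binding. Below is an added example of that construction (not code from the answer, and not Okta's own tooling); the SP and IdP URLs are constructed placeholders, and the real SSO URL is the one read from the IdP metadata. The request ID it returns is what the SP must store in order to check the Response's `InResponseTo` later. Signing of the redirect query string (the `SigAlg` and `Signature` parameters) is omitted.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # constructed placeholder
SP_ACS_URL = "https://sp.example.com/saml/acs"           # constructed placeholder
IDP_SSO_URL = "https://idp.example.com/sso/saml"         # constructed; take it from IdP metadata


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Return (request_id, xml). The SP keeps request_id (with a short TTL)
    so it can match the Response's InResponseTo attribute against it."""
    request_id = request_id or "_" + uuid.uuid4().hex   # xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="{id}" Version="2.0" IssueInstant="{instant}" Destination="{dest}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="{acs}">'
        '<saml:Issuer>{issuer}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    ).format(id=request_id, instant=issue_instant, dest=idp_sso_url,
             acs=acs_url, issuer=sp_entity_id)
    return request_id, xml


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode the result as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, i.e. what the IdP side does on receipt."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    req_id, xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    location = redirect_binding_url(IDP_SSO_URL, xml, relay_state="/dashboard")
    print("store for the InResponseTo check:", req_id)
    print("302 Location:", location)
    print("round trip ok:", decode_redirect_binding(location) == xml)
```

The `RelayState` value is returned by the IdP unchanged with the Response; treat it as untrusted input on the way back (for example, allow only relative paths) rather than redirecting to it blindly.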

SAML 2.0 & Okta C#

I'm working with a web app which calls an IdP (Okta) and should receive a response on another page as a SAML assertion.
How do I "catch" the posted SAML Assertion and process it in a landing page/web app?
Thanks
Shnetz
You should take a look at libraries like:
https://www.componentsource.com/product/componentspace-saml2-component
or
https://github.com/KentorIT/authservices
which will help you SAML-enable your app. They will take care of handling the SAML logic as a service provider for your app.

SAML Configuration for BambooHR

I'm trying to set up SAML to SSO into BambooHR; I'm using Auth0 as my IdP. BambooHR requests an SSO Login URL and X.509 Cert from my IdP (which I can easily provide), but I can't find where BambooHR provides the Audience URI and/or callback URI to enter into Auth0.
Does anyone know where I can find this information?
Thanks!
For future reference you can use the following for BambooHR's Callback URL and Audience:
https://{YOUR DOMAIN}.bamboohr.com/saml/consume.php