I have many clients that use SSO; for that we use SAML 2. Many of my clients use providers like Okta and PingIdentity, and a bunch of them use ADFS. Doing the integration with ADFS always raises an error at the beginning, and then they fix this with the following setup on their side:
Transform Incoming Claim
Incoming claim = UPN
Outgoing Claim = Name ID
Outgoing name ID format = Email
The error that we see in the SAML response is that they do not send a NameID; instead we see this:
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>
This only happens with ADFS integrations, and I want to know what I should know about claim rules on ADFS in order to understand this error and explain it to my future clients that use ADFS.
This is a Transform claim rule.
In the client metadata, you should see something like:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
These are the allowed NameID formats.
The outgoing NameID format needs to be one of these.
So e.g. email would be:
Incoming claim = Email
Outgoing Claim = NameID
Outgoing name ID format = Email
You would first have the normal email LDAP rule and then the Transform rule as above.
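To make the NameIDPolicy negotiation behind this status concrete, here is a small Python model, added for this thread; it is not code from the original post or from ADFS. The SP metadata, AuthnRequest and Response are constructed samples (the Response wraps the Status element from the question so the prefix resolves), and `idp_decision` is a simplified assumption of the IdP's rule: a concrete requested format that no claim rule can produce ends in Requester/InvalidNameIDPolicy, which is exactly the state before the Transform rule is added.

```python
"""Model of the NameIDPolicy negotiation behind the InvalidNameIDPolicy status.
Added example for this thread, not code from the original post or from ADFS.
All XML below is constructed; idp_decision is a simplified assumption."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed SP metadata advertising the three formats the answer lists
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sp.example.test/saml"><md:SPSSODescriptor>
 <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
 <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
 <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
</md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed AuthnRequest asking the IdP for an email-format NameID
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_req1" Version="2.0"><samlp:NameIDPolicy AllowCreate="true"
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>"""

# The Status element from the question, wrapped in a constructed Response
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""


def allowed_nameid_formats(metadata_xml):
    """Formats the SP advertises in md:NameIDFormat, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall(".//md:NameIDFormat", NS)]


def requested_format(authn_request_xml):
    """Format from samlp:NameIDPolicy, or None when the request leaves it open."""
    pol = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if pol is None else pol.get("Format")


def status_codes(response_xml):
    """Nested StatusCode values, outermost first (iter() walks document order)."""
    root = ET.fromstring(response_xml)
    return [e.get("Value") for e in root.iter(f"{{{NS['samlp']}}}StatusCode")]


def idp_decision(requested, issuable):
    """Simplified IdP rule (assumption): a concrete requested format the IdP has
    no rule for yields Requester/InvalidNameIDPolicy. In ADFS terms, `issuable`
    is the set of 'Outgoing name ID format' values produced by Transform rules;
    with no such rule it is empty and no NameID can be sent."""
    if requested in (None, UNSPECIFIED) or requested in issuable:
        return [SUCCESS]
    return [REQUESTER, INVALID_NAMEID_POLICY]


def sp_accepts(fmt, metadata_xml):
    """Whether a format the IdP would issue is one the SP advertises."""
    return fmt in allowed_nameid_formats(metadata_xml)


if __name__ == "__main__":
    print("SP accepts:", allowed_nameid_formats(SP_METADATA))
    print("requested:", requested_format(AUTHN_REQUEST))
    print("no transform rule ->", idp_decision(requested_format(AUTHN_REQUEST), set()))
    print("with email rule   ->", idp_decision(requested_format(AUTHN_REQUEST), {EMAIL}))
    print("observed status   ->", status_codes(FAILED_RESPONSE))
```

Reading the nested status codes outermost-first is the useful habit here: the outer `Requester` says the IdP blames the request, and the inner `InvalidNameIDPolicy` says which part, which is why the fix lands on the IdP's claim rules rather than on the SP's code.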
Related
We use mTLS authentication between clients and a Kafka cluster, with some ACLs configured on topics.
A client has the email address in its subject name, like:
Owner: EMAILADDRESS=user@my-domain.com, CN=my-service, OU=my-ou, O=my-org, L=my-loc, ST=my-state, C=my-country
But when the client calls the Kafka cluster we see the email address converted to its [OID code].
[2022-07-13 10:37:32,549] INFO Principal = User:1.2.840.113549.1.9.1=#3uR2XK21ru2nwVymHN9u4B7wQCs4wrhcPavdGktA,CN=my-service,OU=my-ou,O=my-org,L=my-loc,ST=my-state,C=my-country is Denied Operation = Write from host = 10.10.10.2 on resource = Topic:LITERAL:my-topic for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
Could someone explain to me why this happens and how to get the email address literal instead?
[OID code] https://oidref.com/1.2.840.113549.1.9.1
You cannot get the email address as a literal because Kafka parses the principal DN (Distinguished Name) as described in RFC 2253, which doesn't support the EMAILADDRESS attribute. Unsupported attributes are encoded as in your example.
The next step depends on what you're trying to achieve.
If you are trying to use the email address in the ACL rule, then you can do one of:
if you can, issue certificates where the email address is in one of the supported attributes, such as within the CN.
use a script to encode it and get the correct value, which you can use as-is in the ACL rule.
If you don't mean to use the email address, and instead you mean to use other attributes which appear as literals (like the CN), you can either:
If you have access, the best option is to issue certificates without an email in the subject name and create ACL rules accordingly.
Another option might be to use Kafka SSL principal mapping rules to strip the email address and leave the rest for use in ACL rules. This rule should do the work:
RULE:^1.2.840.113549.1.9.1=.*,(CN=.*)/$1/
Furthermore, the EMAILADDRESS OID is deprecated, as mentioned here: https://oidref.com/1.2.840.113549.1.9.1; altNames should be used instead. You can see an example here: On certificates, what type should E-mail addresses be when in subjectAltName.
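As an added example (not from the original answer and not Kafka's code), this Python snippet reproduces both halves of the answer: the RFC 2253 hex form that a non-keyword attribute type such as EMAILADDRESS takes, and the mapping rule applied to the resulting DN. The subject and address are constructed samples; the BER encoding assumes the PKCS#9 emailAddress value is an IA5String, and `apply_mapping_rule` re-implements the `RULE:pattern/replacement/` syntax with Python's regex engine rather than Kafka's Java one.

```python
"""Why EMAILADDRESS shows up as 1.2.840.113549.1.9.1=#<hex>, and what the
ssl.principal.mapping.rules entry from the answer leaves behind.
Added example, not from the original post or Kafka's code base."""
import re

EMAIL_OID = "1.2.840.113549.1.9.1"          # PKCS#9 emailAddress
# Attribute types RFC 2253 section 2.3 allows as keywords; anything else is
# written as <dotted OID>=#<hex of the BER-encoded value>.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
NON_KEYWORD_OIDS = {"EMAILADDRESS": EMAIL_OID, "E": EMAIL_OID}

# Constructed subject, in the order the question's "Owner:" line prints it
CLIENT_SUBJECT = [("EMAILADDRESS", "user@my-domain.com"), ("CN", "my-service"),
                  ("OU", "my-ou"), ("O", "my-org"), ("L", "my-loc"),
                  ("ST", "my-state"), ("C", "my-country")]
# The rule from the answer (trailing slash per the RULE:pattern/replacement/ form)
STRIP_EMAIL_RULE = r"RULE:^1.2.840.113549.1.9.1=.*,(CN=.*)/$1/"


def ber_ia5string(value):
    """BER-encode an IA5String: tag 0x16, one-byte length, ASCII body.
    Assumption: emailAddress values are IA5String, as PKCS#9 defines them."""
    body = value.encode("ascii")
    if len(body) > 127:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([0x16, len(body)]) + body


def _escape(value):
    """RFC 2253 string escaping for the characters that need a backslash."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    return out


def to_rfc2253(rdns):
    """Render (type, value) pairs the way an RFC 2253 printer does: keyword
    types as strings, everything else as OID=#hex."""
    parts = []
    for attr, value in rdns:
        key = attr.upper()
        if key in RFC2253_KEYWORDS:
            parts.append(f"{key}={_escape(value)}")
        else:
            oid = NON_KEYWORD_OIDS.get(key, key)
            parts.append(f"{oid}=#{ber_ia5string(value).hex()}")
    return ",".join(parts)


def email_acl_literal(email):
    """The exact RDN text to put in an ACL for the email attribute (the
    'use a script to encode it' option in the answer)."""
    return f"{EMAIL_OID}=#{ber_ia5string(email).hex()}"


def apply_mapping_rule(rule, dn):
    """Apply one 'RULE:<regex>/<replacement>/' entry to dn. Returns the mapped
    principal, or None when the regex does not match (Kafka would then move on
    to the next rule). $1-style back-references are expanded from the match."""
    if not rule.startswith("RULE:"):
        raise ValueError("only RULE: entries are handled here")
    pattern, replacement = rule[len("RULE:"):].rstrip("/").split("/", 1)
    m = re.match(pattern, dn)
    if not m:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)


if __name__ == "__main__":
    dn = to_rfc2253(CLIENT_SUBJECT)
    print("as Kafka logs it :", dn)
    print("ACL literal      :", email_acl_literal("user@my-domain.com"))
    print("after mapping    :", apply_mapping_rule(STRIP_EMAIL_RULE, dn))
```

Because the ACL binding is on the exact principal string, the hex literal has to be regenerated whenever the email in the certificate changes, which is one more reason the answer prefers moving the address out of the subject (or into a subjectAltName) over encoding it.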
RFC 7519 (https://datatracker.ietf.org/doc/html/rfc7519) mentions a principal but doesn't define it.
What is a JWT Principal?
From Wikipedia:
A principal in computer security is an entity that can be authenticated by a computer system or network.
Let's consider an example where we're using JWT for user authentication. Then, taking the Subject Claim's definition from RFC 7519:
The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.
the principal is the specific user for whom a specific token was issued, and the "sub" claim is some ID of this user.
According to the SAML 2.0 specification, the NameQualifier attribute in the NameID element is "the security or administrative domain that qualifies the name. This attribute provides a means to federate names from disparate user stores without collision."
My question is: can the "disparate user stores" be within the same IDP? If so, given that the Format of the NameID will be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, does the IDP have the right to send anything in the name qualifier as long as it is unique to each of its datastore?
Does this mean that in order for the SP (provided it receives requests from different IDPs) to achieve uniqueness, it has to consider the remote entity ID, NameQualifier and NameID value?
I need to authenticate a SAML Response. The Identity Provider has provided a metadata file. What are the steps to verify the SAML Response against the contents of the metadata?
One common answer, based around most federated SAML systems, is that you need to use the public key from the metadata to verify the signed response. If verifying a signature with a public key is an unfamiliar concept, spend a little time reading around PKI or "public key infrastructure." Then you should move to the XML Signature Specification.
I note that CAS uses SAML2 but does not build its trust infrastructure on signatures but on whitelists of service providers who are allowed to present tokens.
If you are using the PKI trust model, the signature should be in the <ds:Signature> element. The metadata should contain the public key in the <KeyDescriptor> element, ideally with the attribute use="signing". See Section "5 SAML and XML Signature Syntax and Processing" of the SAML Core specification for more details.
Other security checks include:
Is there an "InResponseTo" attribute? From Core: "...it MUST be present and its value MUST match the value of the corresponding request's ID attribute."
Is there a "Destination" attribute? From Core: "If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded. "
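The checks in this answer, as an added Python example that is not from the original post or any SAML library: it selects the signing certificate(s) from the metadata `KeyDescriptor` elements, then runs the Issuer, InResponseTo, Destination, Status and certificate-pinning pre-checks on a Response. The metadata, Response, URLs and certificate strings are constructed placeholders (not real certificates). The cryptographic XML-DSig verification of `ds:SignatureValue` is left to an XML-signature library, which must be handed the metadata certificate this code returns rather than whatever certificate the Response itself carries.

```python
"""SP-side pre-checks of a SAML Response against IdP metadata.
Added example for this answer; not from the original post or any SAML library.
Metadata, Response, URLs and certificate text are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://sp.example.test/acs"          # constructed SP endpoint

# Constructed IdP metadata: one signing key, one encryption key
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
     MIIC-CONSTRUCTED-SIGNING-CERT
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-CONSTRUCTED-ENC-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""


def make_response(in_response_to, destination, cert_text,
                  issuer="https://idp.example.test/saml"):
    """Build a constructed Response (placeholder signature) for the checks."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" InResponseTo="{in_response_to}" Destination="{destination}" Version="2.0">
 <saml:Issuer>{issuer}</saml:Issuer>
 <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_text}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
</samlp:Response>"""


def _norm(cert_text):
    """Base64 in metadata is usually wrapped; compare without whitespace."""
    return "".join((cert_text or "").split())


def signing_certs(metadata_xml):
    """Certificates usable for verification: KeyDescriptor with use="signing"
    or with no use attribute (an omitted use covers both purposes)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [_norm(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    return certs


def check_response(response_xml, metadata_xml, expected_request_id, acs_url):
    """Return a list of failures; an empty list means every pre-check passed.
    The XML-DSig verification itself still has to run, using signing_certs()."""
    root = ET.fromstring(response_xml)
    meta = ET.fromstring(metadata_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != meta.get("entityID"):
        problems.append("issuer does not match metadata entityID")
    # InResponseTo MUST match the ID of the AuthnRequest this SP sent
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo mismatch")
    # Destination, if present, MUST be the URL the message arrived at
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append("Destination mismatch")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature on Response")
    else:
        embedded = [_norm(c.text) for c in sig.findall(".//ds:X509Certificate", NS)]
        # Never trust a certificate just because the Response carries it
        if embedded and not any(c in signing_certs(metadata_xml) for c in embedded):
            problems.append("embedded certificate is not a metadata signing cert")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    return problems


if __name__ == "__main__":
    ok = make_response("_req42", ACS_URL, "MIIC-CONSTRUCTED-SIGNING-CERT")
    print("good:", check_response(ok, IDP_METADATA, "_req42", ACS_URL))
    bad = make_response("_req99", ACS_URL, "MIIC-SOME-OTHER-CERT")
    print("bad :", check_response(bad, IDP_METADATA, "_req42", ACS_URL))
```

The ordering matters in practice: run the signature verification with the metadata key first, then these attribute checks on the verified document, and only then read the Assertion; checking attributes on an unverified document invites confusion about which copy of the XML was actually signed.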
In SAML metadata file there are several NameID format defined, for example:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
Can anybody explain what these are used for? What are the differences?
Refer to Section 8.3 of this SAML core pdf of oasis SAML specification.
SP and IdP usually communicate with each other about a subject.
That subject should be identified through a Name Identifier, which should be in some format so that it is easy for the other party to identify it based on the format.
All these
1.urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
2.urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
3.urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
4.urn:oasis:names:tc:SAML:2.0:nameid-format:transient
are formats for the Name Identifiers.
The name format for a transient ID in SAML 1 is urn:mace:shibboleth:1.0:nameIdentifier and in SAML 2 is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Transient is for [section 8.3.8 of SAML Core]
Indicates that the content of the element is an identifier with
transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party.
Unspecified can be used, and its interpretation depends purely on the entities' own implementation.
About this, I think you can refer to http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
Here is my understanding of this, using the Identity Federation Use Case to give details for those concepts:
Persistent identifiers-
The IdP provides the persistent identifiers; they are used for linking to the local accounts in SPs, but each identifies the user profile for one specific service alone. For example, the persistent identifiers are something like johnForAir, johnForCar, johnForHotel; each is just for one specified service, since it needs to link to its local identity in that service.
Transient identifiers-
Transient identifiers are how the IdP tells the SP that the users in the session have been granted access to the resource on the SP, but the identities of the users are not actually given to the SP. For example, the assertion is like “Anonymity (the IdP doesn't tell the SP who he is) has the permission to access /resource on the SP”. The SP gets it and lets the browser access it, but still doesn't know Anonymity's real name.
unspecified identifiers-
The explanation for it in the spec is "The interpretation of the content of the element is left to individual implementations". This means the IdP defines the real format for it, and it assumes that the SP knows how to parse the format data returned from the IdP. For example, the IdP gives format data "UserName=XXXXX Country=US"; the SP gets the assertion, can parse it, and extracts the UserName "XXXXX".
It is just a hint for the Service Provider on what to expect from the NameID returned by the Identity Provider. It can be:
unspecified
emailAddress – e.g. john@company.com
X509SubjectName – e.g. CN=john,O=Company Ltd.,C=US
WindowsDomainQualifiedName – e.g. CompanyDomain\John
kerberos – e.g. john@realm
entity – this one is used to identify entities that provide SAML-based services and looks like a URI
persistent – this is an opaque service-specific identifier which must include a pseudo-random value and must not be traceable to the actual user, so this is a privacy feature.
transient – opaque identifier which should be treated as temporary.
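As an added Python example (not from any of the answers above), here is one way an SP can act on the Format hint; it also covers the NameQualifier question earlier on this page. Transient identifiers are never used as an account key, emailAddress values are shape-checked, and persistent and unspecified values are treated as opaque and scoped by issuer entityID, NameQualifier and SPNameQualifier so that equal values from different IdPs or different user stores behind one IdP do not collide. The assertion builder, the entity IDs, the case-folding of addresses and the defaulting of a missing NameQualifier to the issuer are constructed assumptions, and a real SP would run this only after signature, audience and validity checks have passed.

```python
"""SP-side handling of a NameID by Format, with qualifier scoping.
Added example, not from the original answers; all inputs are constructed."""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
EMAIL_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def make_assertion(issuer, fmt, value, name_qualifier=None, sp_name_qualifier=None):
    """Constructed, unsigned Assertion carrying just Issuer and Subject/NameID."""
    q = f' NameQualifier="{name_qualifier}"' if name_qualifier else ""
    s = f' SPNameQualifier="{sp_name_qualifier}"' if sp_name_qualifier else ""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">
 <saml:Issuer>{issuer}</saml:Issuer>
 <saml:Subject><saml:NameID Format="{fmt}"{q}{s}>{value}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_name_id(assertion_xml):
    """Extract issuer plus the NameID's Format, qualifiers and value.
    A missing Format means unspecified, as the spec defaults it."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None:
        raise ValueError("assertion has no NameID")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer", default="").strip(),
        "format": nid.get("Format", FMT["unspecified"]),
        "name_qualifier": nid.get("NameQualifier"),
        "sp_name_qualifier": nid.get("SPNameQualifier"),
        "value": (nid.text or "").strip(),
    }


def account_key(nid):
    """Key for linking to a local account, or None when the NameID must not be
    used for linking. Scoping assumed here: (issuer entityID, NameQualifier or
    issuer, SPNameQualifier or '', value), so equal values from different IdPs
    or user stores never collide."""
    fmt = nid["format"]
    if fmt == FMT["transient"]:
        return None                      # opaque and temporary: session only
    if fmt == FMT["email"]:
        if not EMAIL_SHAPE.fullmatch(nid["value"]):
            raise ValueError("emailAddress NameID is not shaped like an address")
        value = nid["value"].lower()     # assumption: case-fold for matching
    else:
        value = nid["value"]             # persistent/unspecified: compare exactly
    return (nid["issuer"],
            nid["name_qualifier"] or nid["issuer"],
            nid["sp_name_qualifier"] or "",
            value)


if __name__ == "__main__":
    idp = "https://idp-a.example.test"
    for a in (make_assertion(idp, FMT["unspecified"], "jdoe", name_qualifier="store1"),
              make_assertion(idp, FMT["unspecified"], "jdoe", name_qualifier="store2"),
              make_assertion(idp, FMT["transient"], "_tmp123"),
              make_assertion(idp, FMT["email"], "John@Company.com"),
              make_assertion(idp, FMT["persistent"], "a1b2c3", sp_name_qualifier="https://sp.example.test")):
        print(account_key(parse_name_id(a)))
```

The two `jdoe` assertions produce different keys purely because of NameQualifier, which is the collision the NameQualifier question is about; the transient one produces no key at all, which is the privacy property the answers describe.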
1 and 2 are SAML 1.1 because those URIs were part of the OASIS SAML 1.1 standard. Section 8.3 of the linked PDF for the OASIS SAML 2.0 standard explains this:
Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:
urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0: