Benefits of SAML vs straight HTTP Post - single-sign-on

I am researching different Single Sign On options. It seems to me that SAML while is a great solution if we look at 3rd party vendors it is somewhat out of our price range. We are also looking at implementing our own solution... but, some of the services we want to use - just to enable SAML logins they want to charge. If I know all of my user's credentials what is the security risk/downside of just doing an HTTP POST with the credentials to these different services? Some of the SSO providers do this when SAML is not enabled as well.

Using SAML would remove the need for users and Service Providers to deal with password issues like reset, expiry, recovery, rotation etc. completely, aside from managing the synchronization process that now needs to happen between IDP and SPs.
In addition to that there's the the amount of brittle, costly and awkward reverse engineering of SP login webpages that needs to be done and maintained(!) by any IDP that operates a password vaulting system (which is what you describe).
Also, introducing an SSO system allows you to concentrate user authentication efforts and improvements in one place only, making it simpler to introduce strong or second factor authentication for all services at once, without requiring support for that by each SP.
Last but not least: password vaulting systems still involve passwords that are distributed over different systems/SPs and that cannot be (completely) hidden from the user. That makes it hard or impossible to ensure that access to all systems is turned off at once e.g. when a user leaves the organization.

Related

What is the point of SSO with 2FA?

I do not get the idea of using 2FA with SSO.
Is not the whole idea of SSO, that you do not have to log a second time for each application and with 2FA that is exactly the case.
Or is it like no SSO for the sake of security?
Nope
2fa says 'when you have to authentication you have to have more than just a password'
SSO means - once you have authenticated on to a central ID system, maybe using 2fa, maybe not , you do not have to authenticate to the individual apps
2 quite different things
It is possible for an SSO system to be configured to demand reauthentication or just the second factor in some circumstances. For example if the SSO system sees you are coming from an IP address its never seen before, of if you are trying to access a particularly sensitive app.
An SSO system is always a balance between end-user convenience and IT department paranoia

Why and when should I use an Identity Provider like Auth0 or Azure AD B2C instead of just storing the user credentials within my database?

I'm developing an ASP.NET Core API, and I'm trying to do the authentication and authorization part as best as I can. I'm studying OAuth 2 and OpenIDConnect (very preliminary studies at this point). But from an API developer standpoint, what can I gain from inserting an Identity Provider like Auth0 or Azure AD B2C in the process instead of just storing the user credentials using some form of cryptography?
Also, Oauth 2 seems to allow many flows, is the job of the API to be concerned with the flow of the application consuming that API? Seems a bit unreasonable. What I want is just to have a safe way to store the user credentials, and allowing the users of my API to perform authentication and authorization before consuming and manipulating resources within the other services within the API.
I understand that authentication and authorization is a sensitive topic within an application, as they deal with security concerns, and I'm planning on building an application that will deal with sensitive financial operations. That's the reason I wend after Auth0 and Azure AD B2C. But to be honest I'm having a little trouble trying to understand what Identity Providers like these will bring to the table, I know they'll bring something of importance, I just need some help to see what and why should I use them.
what can I gain from inserting an Identity Provider like Auth0 or Azure AD B2C in the process instead of just storing the user credentials using some form of cryptography?
Well, you get the freedom of not storing credentials in your database.
Most likely these service providers are taking better care of their security than you would.
Another thing that you gain is Single Sign On.
Many apps can use the same identity provider for the users, so the users only need to sign in once to use all of the apps.
Of course it is not zero cost, there is complexity involved in OAuth/OIDC.
But neither is building your own user store.
Also, Oauth 2 seems to allow many flows, is the job of the API to be concerned with the flow of the application consuming that API? Seems a bit unreasonable.
No, the API usually does not care what flow the caller uses.
What it cares about is that it receives a valid access token that contains the necessary permissions to access a particular resource.
It is a concern of the client app to choose the flow to use.
But to be honest I'm having a little trouble trying to understand what Identity Providers like these will bring to the table, I know they'll bring something of importance, I just need some help to see what and why should I use them.
Well, here are the things that come to my mind:
Better security (most likely, it isn't only about the password hashing algorithm etc.)
Better SLA (building a 99.95% SLA service like Auth0 is not cheap)
Proven track record
Single Sign-On
Single identity for users to all your apps, can easily disable their account as well to prevent access to all apps at once
Can easily add support for federated authentication with other identity providers
No need to store password hashes etc. in your app
Ready-made administration tools (which you need to build otherwise)
To add to #juunas:
AI to proactively monitor user access and disable dodgy logins e.g. logging in from USA and Russia a minute apart
Reporting and stats.
Password protection e.g. not allowing password that has appeared in a breach
Portal and API for user CRUD
MFA
Self-service password reset
Passwordless support
Fido 2 support

MIcroservice: Best practise for Authentication

I am looking into using microservice for my application. However the application involves authentication. E.g. there is a service for user to upload their images if they are authenticated. There is also a service for them to write reviews if they are authenticated.
How should i design the microservice to ensure that the user just need to authenticate once to access different services. Should i have a API gateway layer that does the authentication and make this API gateway talk to the different services?
You can do authentication at the gateway layer, if authentication is all you need. If you are interested in authorization, you may have to pass the tokens forward for application to consider it. Also you can do that, if you have trust on other services behind the gateways. That is service 1 is free to call service 2 without authentication.
Also you loose bit of information about the principal, you can however write it back on the request in the gateway while forwarding.
Also another point to consider is JWT, they are lightweight and more importantly could be validated without calling auth server explicitly and it saves you some time specially in microservices. So even if you have to do auth at every service layer you are doing it at minimal cost, some nanoseconds. You can explore that as well.
However final call is based on how strong your security needs are compared to rest. based on that you can take a call. Auth stripping at api gateway saves you code duplication but is less secure as other services can do as they wish.
Same goes for token, you can authenticate without explicit call to auth server but then tokens are valid for some min time and bearer is free to do as they wish once they got the tokens, you cannon invalidate it.
While Anunay's answer is one the most famous solutions, there is another solution I would like to point out. You could use some distributed session management systems to persist sessions on RAM or DISK. As an example, we have authentication module that creates a token and persists it in Redis. While Redis itself can be distributed and it can persist less used data on disk, then it will be a good choice for all microservices to check client tokens with redis.
With this method, there is nothing to do with API gateway. The gateway just passes tokens to microservices. So even in case you are thinking about different authenitcation methods on different services, it will be a good solution. (Although I cant think of a reason for that need right now but I have heard of it)
Inside a session, you can store user Roles and Permissions. That's how you can strict users access to some API's. And for your private API's, you could generate a token with role ADMIN. Then each microservice can call other one with that token so your API's will be safe.
Also you could rapidly invalidate any sessions and store anything you want in those sessions. In our system, spring framework generates a X-AUTH-TOKEN that can be set in headers. The token is pointing to a session key in redis. This works with Cookies too. (and if I'm not wrong, you could even use this method with oAuth and JWT)
In a clean architecture you can create a security module that uses this validation method over API's and add it to every microservice that you want to protect.
There are other options when it comes to session persisting too. Database, LDAP, Redis, Hazelcast ... the choice depends on your need.

Getting a SAML assertion after creating a session via API

Related to Accessing Third Party Apps After Creating A Session Via API Token and to AWS API credentials with OneLogin SAML and MFA
Since AWS assumeRoleWithSAML temporary security credentials are only valid for one hour and we have a few different roles to assume it would be very annoying for the user to enter the username/password everytime he needs to switch the role or get new credentials because of the short validity. It's totally odd to the web base OneLogin usage, where he is logged in once for the whole day or even week (depending on the policy).
I know how to get a session via API. At least this would reduce the times the user needs to enters username/password to two times. One time in the web, one time on the CLI.
But is there any way to use this session token to generate a SAML assertion via API with this session token instead of submitting username/password to the API endpoint?
I don't want so store the users credentials locally for this. And with MFA enabled this wouldn't work in a seamless way.
While being able to generate a SAML assertion for any user (without the need for MFA and a user/pass) seems like a good workaround, this is unfortunately fraught with security perils.
An API that bypasses the usual authentication effectively gives that endpoint the ability to assume any user in AWS. The "assume user" privilege is locked down pretty tightly in OneLogin, and is not the sort of thing that's given out lightly.
Basically, an API to do this seems dangerous from a security perspective. This might be something we'd consider as part of an oAuth flow (or OpenID Connect resource endpoint) but that'll take some more thinking on our part before we'd implement it.
The only compromise solution I can think of that could be implemented today would be to temporarily cache the users' credentials for a longer period of time in your code. This way they could be reused to generate new SAML assertions for a longer period of time, but would effectively be thrown away after (say) eight hours.
This wouldn't allow for MFA on an app policy, but we are building out the ability to request and verify MFA via API (coming soon) so you could implement MFA in your app (independent of any app policy) once this becomes available.
Obviously the ideal solution would be for AWS to let users' configure the session length, but so far they've been unwilling to allow this.

Does OpenAM or JOSSO2 Allow multiple, concurrent Identity stores?

I am evaluating SSO solutions and am currently looking at OpenAM and JOSSO2
I am -extremely- new to SSO, OpenAM, JOSSO2 and am just now trying to learn what I need to learn.
My application will need to be able to authenticate users against at least two different identity stores.
A local Database Store (Oracle, and to begin just a simple user/pass)
Active Directory (with x.509 two-factor authentication requirement)
There are two classes of users, which would authentication against one or the other (and NEVER both).
It is possible to setup OpenAM or JOSSO2 to be able to handle such a scenario? In a previous job (life) I worked on a system that used JOSSO_1_ to accomplish this, but I am hoping for a more refined approach (e.g. less custom code) to this current product.
Identity stores are different from 'source of authentication' in OpenAM.
OpenAM offers a wide range of different authentication modules and also allows to use JDBC or LDAP as an implementation of a user data store.
Furthermore authentication as well as data store API is extendable, allowing to plug in your specific implementation if needed.