SAML WebSSO profile implementation - single-sign-on

I am going to implement ServiceProvider part using SAML 2.0 WebSSO profile. According to the SAML specification, the two supported flows are SP initiated and IDP initiated. I want to implement only IDP initiated flow because of time constraints. Will it work? or is it required to implement both the flows?
I dont want to generate any metadata for my SP. Can I still register my SP at IDP without providing any metadata by giving only default Assertion Consumer Service URL?

Short answer is yes it will work but... and yes if it is supported.
About implementing the IDP init SSO. It will work with only IDP init SSO if the IDP supports it. But your implementation will not be conformant with the SAML standard.
SAML does not require one to use metadata, this is just a good way to transport configuration data. If this will work depends if your IDP can be configured without using metadata. I have seen many that can do this.

Agree with #Stefan - no, you don't have to implement both flows.
SAML has many options - generally there is not enough information in the Assertion Consumer Service to fully configure e.g. certificates, public keys, supported endpoints etc.
But if the IDP allows this, you can do it manually - you just have to provide all the bits and pieces. And you'll have to do this again when the certificate expires etc. Metadata makes this all easier.
Java or .NET? If .NET, there are classes available to generate the metadata. Not sure for Java but would be surprised if there aren't.

Related

Does the client need SP metadata when implementing SSO using OneLogin?

I'm doing a technical assessment for a job interview. It's called on me to walk through implementing a client using OneLogin (IDP) into our software (SP) with SSO.
The activity is asking me to include 3 things:
Service Provider
Identity Provider
Generate and distribute the sp metadata to the client
I'm using https://www.samltool.com/sp_metadata.php to generate the metadata but I'm wondering what the purpose of this doing this when this SP is already a verified app on OneLogin?
OneLogin's knowledge base here doesn't indicate the need for the SP metadata to implement. It doesn't even call for any SP entity's or endpoints. It seems like I would need the idp metadata as the endpoints use a unique value but not the opposite. So am I right in assuming that generating and sending the client the SP metadata is useless? Or is there a reason for it?
If you're using a Onelogin catalog app, you often don't need any instance specific metadata from the SP. The catalog apps are supposed to shortcut and simplify configuring a standards based SAML supporting SP. Some of the Onelogin catalog apps sometimes need some metadata, such as a RelayState parameter as per the SP requirements. If a catalog app doesn't exist and you're building a custom SAML app in Onelogin, you'll need the SP metadata in full.

Is SP initiated requests without AuthnRequest an industry standard?

I am working on SAML2.0. One of our clients(IDP) requested us (SP) to have SP initiated requests without sending AuthnRequest.
Instead of sending AuthenRequest they have asked us(SP) to send a parameter on the URL that can tell them that the request has come from the designated SP. Is it an industry standard to implement SP initiated requests without having AuthnRequest parameter?
I would actually call this IDP initiated, as from the viewpoint of SAML, the IDP sends the first message. IDP initiated is part of the standard, so it does not break SAML.
But if you are going to have the SP tell the IDP to start authentication I would consider it bad practise not to have the SP start this by using a SAML AuthnRequest.
This would be a more interoperable approach making it easier to use standard SAML product without the need for customizations.
No it's not. However, from our experience, some IdPs do not support SP-initiated SSO. Instead, they require a redirect to the IdP including a parameter that identifies the SP. This then will trigger IdP-initiated SSO to the SP. This is not covered by the SAML v2.0 specification and therefore the format of the URL including the parameter name etc is not standardized.
I suggest double checking with the IdP to see whether they do support SP-initiated SSO as per the SAML specification. Perhaps they simply haven't enabled this support. If they don't then you're only option is to use this non-standardized approach.

SAML: Is it valid to route third party IdP messages through a single IdP

My understanding of the SAML (v2) protocol is that Service Providers should be interacting directly with Identity Providers to exchange authorisation request and assertion messages.
I can think of a number of reasons why this would be a bad idea (undermines message signing, gives intermediate IdP access to info from other IdP), but are there any scenarios supported by SAML that would allows the following arrangement?
SP <------> MainIdP <------> ThirdPartyIdP
So (hypothetically) assuming that MainIdP has some clever way of determining that the SP user needs to authenticate against ThirdPartyIdP, it would delegate to the ThirdPartyIdP and then receive the response, process it and reply to the SP. Does SAML allow this? (I am asking because a software supplier has suggested this approach and I believe it isn't supported, as well as being fundamentally insecure.)
The "correct" approach as I understand it is for the SP to be configured to know about both IdPs independently, and either present the user with a list to pick from, or delegate to a Discovery Service which can ask the user, or infer by some other means, which IdP to use. Is this right?
Thanks.
Most federation identity providers for SAML have the concept of a "Home Realm Discovery" screen.
The SP is "bound" to the MainIdP but the MainIdP presents a screen which shows all the other IDP's that it is federated with. From that list, you pick the ThirdPartyIdP.

Should I require IdP's to sign SAML2 SSO responses?

Our app has SAML2 SSO integration with 3 different (Shibboleth) IdP's. We are trying to add a 4th (also Shibboleth), but running into some issues, because our app expects all SSO responses to be verifiably signed. These other 3 are signing their responses, but the 4th is not, and is hesitant to add a custom config to enforce signing for our app.
Technically I could modify our app to accept unsigned SSO responses, but I am wondering whether or not I should. What are the pitfalls of allowing unsigned SSO responses? Is there any security vulnerability?
Is there any Shibboleth (or other SAML2 SSO) documentation that recommends signing responses as a best practice?
The only requirement for the IdP following the SAML 2.0 spec is to digitally sign the Assertion (see http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf - section 4.1.3.5). That is enough to tell if the SSO operation from an IdP should be trusted by SP that has federated with it.
Signing the outer Response is optional. There are some security benefits to it, such as preventing Message Insertion or Modification (see sections 6.1.3/6.1.5 in http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf) - but in practice it's often omitted in lieu of relying on SSL/TLS.
The whole point of signing the response is to prove that they actually do come from the issuer. Otherwise a "man in the middle" could change the attributes e.g. to give themselves access to an application.
ADFS v2.0 using SAML by default signs all response tokens. There's no way to turn this off.

How should I be implementing the HTTP POST Protocol Binding for SAML WebSSO Profile?

I've implemented my Service Provider and Identify Provider following the SAML Profile for Web SSO using HTTP POST Protocol Binding. However, I am a bit confused as to how the Identity Provider will provide an <AuthnStatement> if the HTTP POST coming from the Service Provider is not tied to a session on the Identity Provider.
Could someone enlighten me how one would be able to do this?
The other approach I could use is the HTTP Redirect Binding, but that requires User-Agent intervention (i.e., the browser), often using the User-Agent simply as a pass-thru intermediary to faciliate the Request-Response message exchange. I'd rather use HTTP POST for this reason, because the message exchange occurs server-side, so the user sees nothing happening on their screen.
However, using HTTP Redirect makes more sense to me with respect to how I'd be able to tie a session to a request. Since the HTTP Redirect is facilitated via a User-Agent, the request to the IdP will have a session (if previously authenticated). What I don't get though is how to send an <AuthnRequest> on a HTTP Redirect. Answered by JST
So I'm a bit confused and would love to hear what other people are doing. Here are my questions again:
Using the HTTP POST Protocol Binding with the IsPassive option the <AuthnRequest>, how do I tie a request made by the Service Provider to a session on the Identity Provider? In other words, how does the Identity Provider know who is making the request if the POST is coming from the Service Provider which is technically an anonymous session?
Using the HTTP Redirect Protocol Binding, how do I send an <AuthnRequest> to the Identity Provider if I am using a HTTP Redirect? Answered by JST
UPDATE
Sorry for the confusion if I was unclear in my explanation above. I am implementing both the IdP and SP (via a plugin). The IdP is an existing application for which I want the SP (a third-party system) to use for authentication (i.e., Web SSO). I am developing a simple PoC at the moment. The SP is actually a third-party Spring application for which I am developing a plugin to perform the SAML operations.
I should have mentioned that I am trying to do this using the IsPassive option, that meaning the User-Agent doesn't come into play during the message exchange. It is simply the catalyst that gets the SAML-party started. Right? With that in mind, given that the user is anonymous at Step 1, what does the SP send to the IdP to allow the IdP figure out whether the user is already authenticated? Because of IsPassive, the HTTP POST isn't sent via the User-Agent
UPDATE
Question 1 Revised: How does the IdP resolve the Principal when the AuthnRequset is sent with the IsPassive option on?
Straight from the SAML 2.0 Profiles document, page 15, lines 417 to 419:
In step 4, the principal is identified
by the identity provide by some means
outside the scope of this profile.
What I'm really after is an explanation how to implement some means.
The thing to keep in mind is that there's no connection between a session on the IdP and a session on the SP. They don't know about each other, and communicate only through the SAML messages. The general steps for SP-initiated SAML SSO are:
Anonymous user visits resource (page) at SP.
SP identifies that user needs to be authenticated at IdP.
SP constructs AuthnRequest and sends to IdP.
IdP does some sort of authentication, constructs SAML Response and sends to SP.
SP validates Response and, if valid, does whatever is necessary to identify user at SP and get them to originally requested resource.
Yes, there does need to be some way to connect the SP's AuthnRequest to the IdP's Response. That's covered by the SAML spec: the SP's AuthnRequest includes an ID value, and the corresponding response from the IdP MUST include an InResponseTo attribute (on its SubjectConfirmationData element) with that ID value. The Authentication Request Protocol also allows the SP to pass a RelayState parameter to the IdP, which the IdP is then REQUIRED to pass along unchanged with the SAML Response. You (in the SP role) can use that RelayState value to capture state information allowing the user to be relayed to the originally requested resource.
That implies that when you implement an SP, you'll need some mechanism for recording ID and RelayState values, and your Response processing needs to validate InResponseTo and RelayState values it receives. How you choose to create and interpret RelayState values is up to you, but keep in mind that there is a length limit. (We use random GUID values corresponding to locally saved state data, which has the extra advantage of not giving any hint of meaning to the RelayState values.)
How does the IdP know who is making the request? The AuthnRequest must include an Issuer element that identifies the SP. It might also contain an AssertionConsumerServiceURL (the URL to which the Response is to be sent), or the IdP may have a local mapping of the Issuer to the proper URL.
How do you send an AuthnRequest using HTTP Redirect? The only difference between AuthnRequest sent using POST vs. Redirect, besides using GET rather than POST, is that the AuthnRequest XML has to get compressed (using the DEFLATE encoding).
Hope that answers most of your questions.
John,
I might suggest taking a step back and doing some more research before you decide to write your own SAML IDP/SP Implementation. You appear to be mixing Bindings with Profiles, Unsolicited vs Solicited Web SSO as well as the fact that SAML requires that the User Agent (aka Browser) is the bearer of almost all the messages between the IDP and SP. There is also a ton of info in the spec that will will have to implement to ensure your solution is actually secure.
I would suggest starting with our SAML Knowledge Base and then moving on to the OASIS SAML 2.0 Technical Overview for information on these flows.
Alternatively, if you decide to go best-of-breed you can check out our PingFederate product which can enable ALL the SAML IDP/SP use cases for you in < a day.
Hope this helps -
Ian
Unlike Ian, I am not associated with a company producing SAML-related products. However, I'd give somewhat similar advice: step back and identify why you are implementing SP or IdP. Are you really acting as both SP and IdP, or are you really just one or the other? If you're implementing/acting as IdP only, then it's fairly likely that a product like PingFederate or something similar offers all you need through configuration rather than requiring you to write custom code. If you're implementing SP, then such a product MAY be able to help you out, but it depends to a large extent on the characteristics of the system you're integrating it into. I am speaking as a developer who has done both IdP and SP implementations, and evaluated several tools before determining that because of our specific system, clients, and requirements, a custom implementation was our best option. It's been in place for over a year, with several clients using it (including some using varying commercial IdP tools).
If you can identify your use cases in terms of SAML profiles/bindings, then you'll be better equipped to make a buy-vs-build decision.