I'm working on a research about some new usage of SSO. Basically I'm trying to find way how to intercept SAML Request which is sent from Service Provider to Identity Provider with some kind of IdP proxy or 3rd party service, which will hold the SAML Request and will provide some additional functionality to users. The desired process could look like this:
User invokes SAML request from SP - click Login button for example
User is redirected to the 3rd party service, where is, for example, small survey(this is theoretical example)
After submitting the survey, user is redirected to the IdP and should continue with login
I have quite good experience with SimpleSAMLphp and configuring federation. But I my attempts to find some useful information about this kind of interception have failed. I add a super basic picture of the solution.(please don't laugh:) )
Does SAML support any kind of this processing? I'm open for discussion. I was also thinking to intercept the SAML after user signs in on IdP(to have redirection from IdP to 3rd part service proxy and then to SP)
Thank you for advices and your thoughts; hopefully, it's not totally stupid question
EDIT: During my research I came across technology/approach which is called IDP Proxy. Do you think that is feasible for my purpose? Basically, a SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs. More about it for example here
I don't think this is possible, it's simply beyond the protocol. The SP provides a service, the IdP is responsible for user authentication. There seems to be no place for a 3rd party service between the two.
I guess you control (at least) either the SP or the IdP. Try to implement your survey (or whatever) at the provider you control.
As an alternative, you could try to implement your own IdP including a survey (or whatever) that uses the original IdP for authentication.
Related
Let's say we have a service provider app called A hosted on tomcat, a user clicks a link to the SP A. SP A sees no token is provided so it redirects the user to the IdP for authentication (with a SAML Authn request provided by some means). The IdP then redirects the user to some common login page where credentials are provided, assuming that these credentials are correct the IdP creates a SAML response with a token and some assertions about the subject, and sends it back to SP A. SP A sees this and allows the user access into the application. Great!
I have a few questions though
How is the authorisation request/response sent, I understand there is a redirect binding and a POST binding where the SAMLResponse and request are encoded either as a query param, or sent as an XHTML form in case of a POST binding. But I'm not sure which is used where?
A service provider is the thing providing a service, so Office 365 or Sales force for example. Is each one a separate service provider? I ask as I watched a video where the guy said the service provider was the thing that hosted these services, so I'm not sure of the correct answer here?
How is the token stored on the client side? So for example I am now authenticated against SP A, the user then tries to use SP B from the same machine/browser window, how does SP B and the IdP know that the user has already authenticated and therefore doesn't need to re-authenticate. I.e. the SSO aspect of it.
Does SP B need to be hosted on the same tomcat instance for this to work?
I dedicated significant time to get SSO working for me. The most helpful document was this specification
The answers below are based on this experience:
Redirect or Post binding is used depending on a respective HTTP request header. The Post binding is recommended since it does not imply restrictions on data volume transferred.
A Service Provider in this context is anything that clients request. There may be many of them, participating in the same SSO scheme.
The service providers must be SSO-aware, which includes handling of the authentication response data. Usually you don't have to implement the protocol - there are ready-made frameworks that your SP can utilize.
Service Providers may reside on different servers.
From my own experience:
You choose your own SAMLBinding (redirect or post) depending on what your idp and sp supports. This binding type will be used both for the 1st step (SP -> Idp) and 2nd step (IdP -> SP). If you have some running environment, open your browser devtools and look at network tab to see what happens. It's just a way to send data from browser to SP/IdP.
Both Office 365 and Salesforce.com are cloud services, right? Let's take Office 365. it means that beyond "end-user" services (like Word, Excel) there is some technical SSO service which are common to the platform. It can be viewed as lower (or technical) service layers, I think that what you speaker meant.
The SAML token is stored by you SP application inside your browser, either hidden inside web page, cookie or web storage. It depends on how your SP is implemented.
SAML response can be validate by each SP based on shared private key, so it will decrypt the token using this key and be able to grant user without the help of IdP redirection.
Tomcat have some extension to support SAML. But SAML is designed to work without being on the same instance, as the opposite as basic JSESSIONID cookies.
So you have several instances, of course.
I am looking to do IdP Discovery and i need to do this with Pingfederate Software. End Goal here is customers will request access to a resource. Then get redirected to an IdP where they see a logon form ... input their email address and then depending on their email domain they get redirected to another IdP where authentication will take place. SAML Assertion will get posted back and the customer can then access the application.
I know pingfederate has persistent cookie etc but i dont think this will work well. Has anyone tried IdP Discovery in Pingfederate?
The PingFederate Standard IdP Discovery is a cookie based mechanism that identifies the IdP, or matching of entityID to IdP. We have used the OOTB PingFederate capability and found it does work well for certain use cases and business requirements for user experience. This blog describes alternative approaches that are popular within industry to accomplish IdP Discovery. We have found that most service providers tend to use one of the forms of IdP Discovery described in the blog. The real driver for the implementation approach is business requirements for user experience. For PingFederate, if you choose not to use the out of the box cookie mechanism, then you will need to implement one of the other design patterns. I do know that there are Ping System Integration partners that have expertise and implementations of each of the design patterns described.
We want to deeply integrate OneDrive with our web app in order to handle document and storage data. However, we want the users not to log in twice. I'm not sure whether this is possible, but I've been reading about SSO and SAML and it seems like it's the way to go.
Is it possible, and if so, is Single Sign On the way to go?
Single Sign-On (SSO) is a great solution for user experience when web applications are hosted on different domains. SAML as a standard was developed for cross domain authentication to solve this use case. You will need an Identity Provider (IdP) server that handles authentication of users to your web application and then the IdP Server issues SAML assertions to your web application and OneDrive. Your application in this architecture will be a Service Provider (SP) that will consume SAML assertions, as well as OneDrive is a SP that consumes SAML assertions. There are a number of SSO/Federation vendors that provide the IdP Server.
As far as implementation, once you have chosen and installed the IdP Server, you will need to implement your web application to consume the SAML assertion and configure the IdP Server as a connection. OneDrive will simply be a configuration as it already supports SAML and WS-Federation.
In addition to SAML as a protocol, there are other standards with respect to SSO/Federation such as OpenID Connect (OIDC) and OAuth2. When choosing a IdP Server solution you may want to look at these other protocols that can solve additional use cases. SAML works well for web applications and the use case you have described. OIDC and OAuth2 are better suited for secure APIs and native mobile applications.
Another consideration when looking at an IdP Server is how authentication is to be performed. Options for authentication could be using Kerberos/IWA if all clients are on a common domain, or authentication using a Login Form. You may also want to look at MFA support when looking at an IdP Server as part of the SSO solution.
My understanding of the SAML (v2) protocol is that Service Providers should be interacting directly with Identity Providers to exchange authorisation request and assertion messages.
I can think of a number of reasons why this would be a bad idea (undermines message signing, gives intermediate IdP access to info from other IdP), but are there any scenarios supported by SAML that would allows the following arrangement?
SP <------> MainIdP <------> ThirdPartyIdP
So (hypothetically) assuming that MainIdP has some clever way of determining that the SP user needs to authenticate against ThirdPartyIdP, it would delegate to the ThirdPartyIdP and then receive the response, process it and reply to the SP. Does SAML allow this? (I am asking because a software supplier has suggested this approach and I believe it isn't supported, as well as being fundamentally insecure.)
The "correct" approach as I understand it is for the SP to be configured to know about both IdPs independently, and either present the user with a list to pick from, or delegate to a Discovery Service which can ask the user, or infer by some other means, which IdP to use. Is this right?
Thanks.
Most federation identity providers for SAML have the concept of a "Home Realm Discovery" screen.
The SP is "bound" to the MainIdP but the MainIdP presents a screen which shows all the other IDP's that it is federated with. From that list, you pick the ThirdPartyIdP.
I'm implementing a SSO solution with SAML using OpenAM. I'm a very beginner on theses technologies and I need some clarifications.
My progress
For the moment, I have installed a Tomcat hosting OpenAM as an IdP.
Another Tomcat fits as my SP. The WebAgent is installed on it. When trying to reach a protected part of the SP, I am redirected to the IdP logging page. Once my credentials entered, I am finally redirected to the resource. That seems to work well.
My questions
My architecture is just based on a simple SSO, doesn't it ?
How do I activate the SAMLv2 ?
Does OpenAM have to be install on all servers in the circle of trust to allow SAML ? I mean, it seems natural on the IdP, but do I need to put and configure the opensso.war on the SPs ?
The choosen scenario is IdP-Initiated SSO. If the client reaches the IdP Authenticate WS, will it have the SAML assertion ?
Thanks in advance
When using agents, you are actually relying on a more proprietary SSO and not SAML. To be precise: Liberty ID-FF messages wrapped in SAML 1.1
The web agents will never talk using SAMLv2, so you will need to have some sort of SAML SP implementation (Java fedlet/.NET fedlet/SimpleSAMLPHP/Shibboleth SP/etc). To enable SAMLv2 federation you may as well follow the documentation ( http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index.html#chap-federation )
If Authenticate WS means /openam/identity/authenticate REST/JAX-WS endpoint, then the answer is no, but if you correctly initiate a SAMLv2 login on the IdP (by using the idpssoinit endpoint), then the assertion will be presented to the SP, where the SP implementation can perform the necessary validations and extract the actual data out of the assertion.