Can anyone tell me what the exact function of the NameID is in the SAML response?
What does it represent?
Do you typically do something with it when received in the response?
We have done some implementations in the past, but we only use the claims that come along with the attribute assertion.
It's the primary key between two systems.
Two IDP; A and B. The identity repositories underneath these are completely different.
The users in A are completely different to the users in B.
An application is protected with A but B's user's want to use it. So A and B are federated.
A user in B navigates to the app., gets redirected to A, uses Home Realm Discovery to get to B and then authenticates.
NameID is used to pass some attribute (typically email address or UPN) from B to the application. This identifies the user to the application.
Related
I am using AWS cognito for user authentication in the application that I designed. And where ever there is a need for user audit in the application, I have used the id from cognito as if it is a foreign key from another table(I am using a relational DB).
Even though this works, this approach somehow feels improper. Is there any other proper way to design this?
In my application, the user logs in with his email address (common scenario). Hence, by construction the email address is a unique identifier both in cognito and in my database.
My database creates a user id for each new user, and that is the main identifier I use in my app (note that this identifier has nothing to do with cognito).
Cognito also assigns an id to each user (which it calls "username"), but I never reference that id (nor have I ever felt the need to reference it). I have been in production for several years, and I have never regretted this decision.
Upside of not linking user ids:
full flexibility (e.g. I can decide that I want to create a new user Object in my database for a particular cognito user. I can keep the previous user e.g. as a backup, even though it is not linked to the cognito user).
less work: i don't need to make sure the ids in my system are in line with those in cognito.
Downside of not linking user ids:
maybe it's faster to query cognito using the username field than the email field? maybe that could be an advantage for some use cases?
I have some clients that use SAML IDP providers like Okta and Centrify. I just implemented SAML, and I want to know what information should I send to them when they are asking for EntityID. My SP consume url is like app.mycompany.com/saml/consume, I think the EntityID could be the same as the consume URL. My question is if I should send diferent EntityID for each customer. For example for client A something like clientA.app.mycompany.com/saml/consume, for company B something like clientB.app.mycompany.com/saml/comsume.
Thanks for your help.
What you need to send them is the EntityID for your SAML Service Provider. Depending what you have used to implement this, it can be obtained in different ways. If yo have a of the shelf software you usually export a metadatafile where the ID is located inside. If you built it yourself, it depends. This is the ID that you give in the issuer field when you send messages to the IDP.
Here's the problem I am trying to solve (I'm 100% sure I'm asking the "right" question) in my node.js / angularJS web application:
Authenticated members of the app can "invite" anyone with an email address.
Invitees can register using google (OAth 2.0) or with their email address and password.
In either scenario, it's possible that the invitee chooses to register with an email address (either a google one or one they type in) that differs from the email to which the invitation was sent.
I want to associate the two emails, and am having trouble figuring out how to do so.
My current approach:
The URL in the invitation email includes a unique parameter which references the email of the recipient. When that link is followed, I store that parameter using an angular service - the same that I use for storing the user once they are authenticated.
The problem (or at least one of them):
When I call the google authentication and it, subsequently returns the user to my site via the callbackUrl, my angular service instance no longer has a reference to the initial invitee's email, which I assume is expected since I the user left the angular application and then returned. Thus, I can't compare it to the email returned by the google authentication and, if they are different, prompt the user, join them, whatever.
What is the best way to toss that reference I take from the link that first took the user to the site to the other side of the OAuth process?
Or, is there a different approach entirely I should consider?
You would be able to pass a state parameter in your oath request. Google then returns the same parameter back with the oath response:
https://developers.google.com/accounts/docs/OAuth2UserAgent -> paramater: state
Im using DotNetOpenAuth to integrate Google,Yahoo,Twitter and Facebook Logins into my application.
Now everything works as expected.
Twitter returns -> User-name and Claim-identifier(Just Id)
Google returns -> Email-Address, First and last Name and ID(URL+ID)
Yahoo returns -> Email-Address, Alias and ID (Url + ID)
Also im also allowing my users to register internally so my database User table is like this:
ID,UserName,Name,OpenID,LoginType,DisplayName
im wondering what i should be storing as User-Name, i was thinking of the ID, but i have this questions:
Shall i store the whole ID as User-Name ?!
Would it affect performance to store the whole ID(URL) as username?
If i extracted the ID from the Claim-Identifier would it still be unique between all 3 providers?
For OpenID, you must use the ClaimedIdentifier as the ID. Not anything else, and certainly not only a substring from the claimed identifier. Anything else seriously compromises the security of your application.
As far as where you store it, I would recommend you keep a dedicated column for storing your claimed identifier rather than just storing it in your UserName column. Consider this scenario:
A user creates an account with your web site using an OpenID http://SomeOpenIDUrl
An attacker logs in via the username/password form. He leaves the password blank but enters http://SomeOpenIDUrl as the username
The attacker successfully logs in as his victim.
A situation like the above can be mitigated in various ways of course, but the best way IMO is to keep the OpenID out of the username column so that it's completely impossible.
I have an application that uses email addresses for user authentication.
I know that some universities use Shibboleth for user authentication, and I was wondering what the process is for being able to read emails from the university database that is used for Shibboleth. Note that I do not care about authentication through Shibboleth, I only need to be able to read the email addresses.
Is it general for all universities that use Shibboleth, or is each a unique case?
Any links to documentation on how to do this process would be greatly appreciated. Thank you.
Shibboleth can be configured (IdP-side) to release user attributes along with authentication data, for example the user's email address. Client-side, assuming you're going though shibd, you'll need a setting in your attribute-map.xml that says "map attribute with OID x.y.z.a to environment variable USERMAIL" and then you get the result in that environment variable. The example config should already contain it.
This would be the same for everybody insofar as the OID for "email" is always the same, but you'd have to negotiate with the IdPs (universities) or their federations so that they will actually release that attribute to you.
Shibboleth is used by many institutions, but by no means all. Many use Athens, proxies or IP recognition, among other things.
As far as I am aware, a user's email address is not tied directly to the Shib system. When a user tries to access a Shibboleth-protected resource they are taken to their institution's login page to authenticate themselves. They might enter their email address to authenticate or they might enter a username, they might be auto logged-in based on their IP address, or something else.
The institution does send back an affiliation through Shib data transfer upon successful login, something like student#brown.ac.uk but this is not necessarily the email address the user used to login. I guess they could send that but it has not been used in system's I've worked on.
Shibboleth is commonly used to check that the user is from an institution that has purchased access to a protected resource rather than identifying a particular user from that institution so the user's email isn't needed.
Not sure if this helps at all: http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation