SAML Response authentication - salesforce

Scenario:
Browser(User) requests resource from Service Provider (SP).
SP Redirects (with SAML Request) to Identity Provider (IdP).
Since it is first login, User gives the (IdP) his/her valid credentials.
IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
Application has a link to different application. The Second application needs to validate the user credentials with the same IdP.
User clicks on that link and browser opens the second application. Browser contains the same SAML response from SP.
In Step 5 how can I authenticate the user with SAML response and allow the user to be logged in automatically.
Do I need another SP?
I will not be able to use the SP from step 1 as it is external application.
Appreciate your help

If the second application is in a different administrative domain, it should be done through its own SAML SP starting another SAML request/response exchange with the IDP. If it is in the same domain you may be able to pass an intra-domain credential such as a cookie between the first application and the second (or rely on full SAML as well). You would never reuse the same SAML response because that is meant to be one-time use only.

Related

How to do Non Interactive User Login from browser for SAML SSO flow between IDP and SP

I am unable to find Api's on implementing SAML authentication flow for the SP Application programmatically without user's to manually enter their credentials on SAML compliant IDP( SAP IAS) login screen configured for the SP application as a starting point , I have established the trust between the the IDP and SP application ,trying to implement non interactive login from browser , is there any way to implement this approach.
According to the saml standards you can't send password via saml authn request, therefore you will not be able to authenticate from idp without redirecting to idp login using saml. But if you have control over idp you can implement a shared cookie concept to achve this requirement, but then this is no more saml compliant.
SAML was never designed for machine-to-machine authorization. The closest (IMO) that you can safely get while staying inside intended usage and specs is passing a SAML assertion wrapped in a WS-Trust STS transaction.
I would suggest you look into either WS-Trust or OAuth. Either of these are built for machine-to-machine transactions.

Actual flow of SP initiated SAML SSO that includes all the components ie IDP, SP client side and SP server side

I am using keycloak as IDP, jersey rest services as backend and angular UI as frontend where my backend and frontend are separate application running on the same tomcat server.
Every example I found on the internet uses complete backend for SP initiated SAML SSO. I don't understand where does frontend contribute or how is frontend protected.
As when we talk about open id SSO protocol I found out that user agent calls frontend application which redirects user to IDP and gets the code and passes it on to backend. Backend does all the validation of the tokens.
So I had some questions
Is the flow in SAML same as open id if we have a frontend application?
Can frontend application produce SAML request and redirect user to the IDP?
After successful authentication IDP redirects to backend or to frontend?
How are services protected and where is the SAML assertion validated?
Is the flow in SAML same as open id if we have a frontend application?
more or less. User goes to front end application, is denied access as they don't have a valid session with the application.
Can frontend application produce SAML request and redirect user to the IDP?
yes. It would need to create a SAMLRequest containing an AuthNRequest and POST it to the SP.
After successful authentication IDP redirects to backend or to
frontend?
more or less. The IdP checks the SP Attribute Consumer Service (ACS) url in the metadata first. If it doesn't match, it refuses to send the SAMLResponse to the SP.
How are services protected and where is the SAML assertion validated?
It's up to the SP. If the user doesn't have a valid session at the application, they need to be redirected to the IdP and the application must validate the SAMLResponse and create a valid session for the user based on the attributes in that response.
Validation is done via X509 certificates contained in SAML metadata. It's complex stuff though.

How IDP connects to End point application in SSO?

This is the 1st time I am working in SSO with SAML.And we are going to use the HTTP Post method and the IDP is salesforce. I got below Steps from net.
User accesses a custom application for the first time
Service Provider Security Filter checks if the security context is available
and redirects the user to IDP with a SAML SSO request
IDP challenges the user with the authentication dialog and redirects the user to
Request Assertion Consumer Service (RACS) after the user has authenticated
RACS validates the response from IDP, establishes a security context and redirects the user
to the original application endpoint
Service Provider Security Filter enforces that a valid security context is available and lets the user access the custom application.
Here my Question is IDP needs to authenticate application endpoint. Here the SAML plays between common web page to IDP to initiate SAML request/response. Then how the IDP connect to endpoint? Is that follow any other language to connect and authenticate endpoint? else how it connects? Could you please someone explain the concept?
During configuration of SAML at your Identity Provider, you define an AssertionConsumer endpoint, which is an URL at your application where you expect to receive response from the IDP. After authentication, IDP connects to this endpoint by sending a SAML Response message to it. IDP typically authenticates to the endpoint by digitally signing the SAML message, which you then verify for validity and trust.
The ways of sending SAML messages between IDP and SP (= connecting IDP to the endpoint) are called bindings. Bindings define how exactly to use existing protocols (such as HTTP) to deliver SAML messages, i.e. it tells what parameters should be sent, which HTTP method should be used... Bindings are part of the SAML 2.0 standard and you can find details on how they function in the SAML 2.0 specification.
The IDP does not directly communicate with the original URL within your application (i.e. the "original application endpoint"). The process of sending user to the correct destination after successful verification of the SAML Response (received at the Assertion Consumer endpoint) can be fully determined by you. For example, in case Assertion Consumer endpoint and the "original application endpoint" are part of the same application and share the security context, you can simply send an HTTP redirect, without need for SAML in this "last mile".

SAML indendity propagation

In my scenario I have the following architecture elements:
- SAML secured Portal (Domain A)
- User
- SAML secured API( Domain B, so different domain than the portal)
- an IdP
The user will login first to the portal, when not authenticated, the portal will redirect him to the identity provider to login. Once logged in to the IdP and hence to the Portal, the Portal will possess a SAML token identifying the user.
Now this portal will need to automatically call the API (present on another domain), and pass to it a SAML token identifying the user. Problem is that the portal only posses the token that has been provided to him, and hence my question:
How can I propagate the identity of the user through the invocation chain?
For instance, is it possible to share same token between different relying parties? If yes, what are the constraints that the issued token should respect to make sure it can be "shared" by different entities?
Many thanks in advance!
One way could be that the portal rather than calling the API directly, instead should redirect the user to the API.
This way the API will find the user doesn't have a valid session, will redirect to the IdP where the user is already authenticated. The IdP will then redirect back to the API with the SAML response for the API.
This will all be transparent to the user, who will just see the result from the API.

How does IdP identify if the user has a security context

I have a basic question regarding SAML2. Typical flow is that user requests a resource from SP that is protected. SP checks if the user has a security context (say cookie ?), if it does not find a security context, it constructs the AuthRequest and then redirects the browser to the IdP. Now IdP likewise first checks if the user has an existing security context. How does the IdP do this? Does the IdP also use a cookie for this purpose?
Yes. For SAML Web SSO Profile the session is almost always kept as a cookie in the browser at the IDP and SP. However, there are no rules on how to manage this. The IDP could choose to not keep an active session and prompt the user to login for each SSO transaction.
Ian
#Ian - Great Answer. However if the IDP does not maintain a session cookie [B/W Browser and Identity Provider (IDP)] than you miss out on a significant benefit of single sign on (SSO). The SSO User Experience (UX) feature that would be lost is described in the following scenario:
0) Assume IDP is registered with Google Apps and Salesforce.
1) Open Browser. NOTE: SAML is browser based. You need a browser for SAML to work.
2) Try to go to Google Apps; (you have no existing session cookie [B/W Browser and Google Apps]) who then Re-directs you to the IDP.
3) You sign on with your valid IDP credentials.
4) the IDP then stores a session cookie [B/W Browser and IDP] in your browser. (This is the step that #Ian mentioned can be skipped by the IDP)
5) The IDP then redirects you back to Google Apps (via HTTP POST) with SAML token embedded in the POST. You are now in Google Apps. (Now you have a session cookie [B/W Browser and Google Apps] stored on your browser)
5) Try to go to Salesforce.
6) Salesforce sees you have no active session cookie[B/W Browser and Salesforce], so they redirect you to the IDP.
* here is my point of added User Experience (UX) *
7) The IDP will look for a session cookie [B/W Browser and IDP], if the IDP is configured to not store maintain one you have to enter your Single Sign On (SSO) aka IDP Credentials AGAIN.
Discussion on Step7: Entering the SSO credentials for each separate service an extra-step times the number of services you are using. I think the main draw of the implementation is to enter credentials only once and get access to everything (the topic of security aside). However if the IDP does not store a session cookie [B/W Browser and IDP] you are still only using one set of credentials (instead of separate credentials for each service), so life is still easier.
#Ajava - You seem to be confused as to how cookies are used. I hope you can follow my steps above and get better idea of how cookies are used with SAML.
Here is also a good link i found that explains cookies: http://lifehacker.com/5461114/fact-and-fiction-the-truth-about-browser-cookies

Resources