how SAML works between an IDP and a SP? - saml-2.0

After successful authentication,which is done by identity provider,How Secure Assertion Markup language 2.0 request is generated for that user and what does it contain?

How the assertion is generated is up to the IDP. What it contains it ultimalty the IDPs decition too.
In the SAML Assertion spec you can read what it can contain. Chapter 2 has a good summary
To know specifically what your IDP provides you would have to talk to them.

Related

Is it good to sign saml assertion before encrypt it?

I would like to ask if I signed the saml response with idp private key and encrypt saml assertion with sp public key. Do I need to sign the saml assertion before encryption? Is it overkill? Do you know any standard from any official doc? Thanks.
Encrypting with the recipient's public key guarantees that only the recipient can read the contents. Anyone can encrypt data with the recipient's public key.
Signing with the sender's private key guarantees that only the real sender could have created the data. Anyone can validate that the data is indeed from the sender.
In SAML the most important thing for an SP is to being able to validate that the assertion is indeed from the IDP and not from some fake source. That can only be done through signing with the IDP's key. That's why signing is mandatory in the SAML standard. Encryption can be used to make sure nobody but the SP can read the contents of the assertion. That is optional in the standard.
For details see chapter 5 in the SAML2 core specification.
The best method is to encrypt and then sign the entire SAML response rather than just the assertion. This method is considered to be most secure and will be more widely accepted by SSO/Federation products.
The reason for signing the entire SAML response is a potential protocol vulnerability, where the origin of the SAML response could not be guaranteed (if the response itself weren't signed).

Is it possible to just parse the SAML assertion response without authenticating with IDP?

I'm facing a problem with validating SAML response where in, its giving digest mismatch. Tried checking it with the certificate's digest value and its showed a different value. I think there is a problem with the certificate or the SAML response but, I'm also wondering whether not having an authentication at the SP level is also a cause for concern since, the client does not want a response back on the IDP, contrary to what the standard setup for SAML dictates. I realize there shouldn't be a setup of this sort due to obvious security concerns but, this was the setup they have requested...
If the SAML assertion is not signed properly, this is a security concern and you should not trust it. By trusting it without validating the digest, you would open your self up to anyone submitting SAML to your ACS URL and being authenticated.

SAML2.0 Assertions vs. SAML2.0 Messages

I need a clarification about the terminology used in SAML2.0. I want to know if by "assertions" we mean a particular subcategory of SAML2.0 messages
or if we mean ALL SAML2.0 messages.
A SAML Assertion is an XML document that represents a set of claims (i.e. name/value pairs) about a user asserted by an Identity Provider. A SAML Assertion is not a SAML message itself, but it is contained in a SAML Response message. Apart from that there are other SAML messages such as SAML Requests, Logout Requests and Logout Responses that don't contain Assertions.

Reusing SAML assertion

I am implementing single sign on with multiple SPs. Here is my basic understanding:
1) Browser(User) requests resource from Service Provider (SP).
2) SP Redirects (with SAML Request) to Identity Provider (IdP).
3) Since it is first login, User gives the (IdP) his/her valid credentials.
4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
Now let's say I have Service Provider A and Service Provider B. A user has completed the step about for Service Provider A. From service provider A (salesforce.com in my scenario), I have written a server-side method which instantiates a callout to an endpoint on Service Provider B. Is it possible to re-use the SAML assertion in this case? I.e. will service provider B trust the backend method?
You would have to customize Service Provider B in order for it to accept, understand and interpret the Assertion obtained by Service Provider A. It would certainly not work out-of-the-box.
The SAML Assertion included in the SAML Response to Service Provider A contains pieces of data which correlate it with the original SAML Request and define recipients of the message (for example using elements SubjectConfirmationData and Audience). The Service Provider B would need to ignore values in these fields, as it is actually not the indented recipient of the Assertion.
The problem of how to broker trust between two machines where user's identity is asserted by an identity provider can be solved with multiple standard approaches. One is to use a Session Token Service (based on WS-Trust) which defines how to request and issue tokens to 3rd party services. Another is to use OAuth 2.0. You could of course also simply authenticate Service Provider A to Service Provider B using a custom scheme with a password, HMAC, ...
The short answer - no if Service Provider B is implemented as a standard SAML 2.0 SP.
SAML 2.0 assertions are "targeted" and signed. They have a specified audience and a recipient URL. You cannot change them without breaking the signature.
The assertion received by SP A contains the name of SP A as audience and the ACS end point of SP A as recipient URL. Such an assertion will not be accepted by SP B.
What prevents you from just calling SP B in a standard way and let it initiate its own SAML 2.0 flow? Another option would be to perform an IDP-initiated SSO flow for SP B. Not all IDP implementations support it though.

Signature Invalid/Configured Certificate Mismatch for SSO with SFDC

I did SSO of OpenAM and SalesForce.com (SFDC)
I have installed OpenAM-Client SDK to retrieve SAML Assertion from OpenAM.
I used this assertion data to generate SAML response required for SalesForce. When I pass this data to SFDC. I got error message for SAML.
“Failed: Signature Invalid/Configured Certificate Mismatch”
I used same certificate and signature data which I got from OpenAM-client SDK public API assertion.
At time of SSO configuration with SDFC. I used default certificate (test cert) provided by OpenAM.
Is there any way to retrieve test certificate and its signature from OpenAM ?
Run one of the failing SAML assertions through the SAML Validation tool inside Single Sign-On Settings in SFDC; you should get a slightly more useful error. The most likely cause of this is that you have not uploaded the correct certificate to SFDC as part of your SSO setup. Make sure the "Identity Provider Certificate" section of "Single Sign-On Settings" matches the cert contained in the assertion.

Resources