SAML authentication: what it is

Traditionally, enterprise applications are deployed and run within the company network. To obtain information about users such as user profile and group information, many of these applications are built to integrate with corporate directories such as Microsoft Active Directory. More importantly, a user’s credentials are typically stored and validated using the directory. For example, if you use SharePoint and Exchange that are running on-premises, your sign-in credentials are your Active Directory credentials.

However, with increased collaboration and the move towards cloud-based environments, many applications have moved beyond the boundaries of a company’s domain. Federated Authentication is the solution to this problem.

Authentication

Before looking at federated authentication, we need to understand what authentication really means. Authentication defines the way a user is identified and validated through some sort of credentials as part of a sign-in flow. Most applications present a sign-in page to an end user, allowing the user to specify a username and a password. In some cases, additional information may be required to locate the user, like a company ID or a client code. This information allows the application to narrow down the search of the username applicable to the provided info. This is often used to allow the same username to exist across multiple tenants belonging to different customers.

Most applications have a user store (DB or LDAP) that contains, among other things, user profile information and credentials. When a user signs in, the credentials are validated against this user store. The advantage of this simple approach is that everything is managed within the application, providing a single and consistent way to authenticate an end user. However, if a user needs to access multiple applications where each one requires a different set of credentials, it becomes a problem for the end user. First, the user needs to remember different passwords, in addition to any other corporate password (for example, their AD password) that may already exist. The user is now forced to maintain separate usernames and passwords, and must handle different password policies and expirations. In addition, this scenario also creates a headache for administrators and ISVs when application users continue to have access to applications that should have been revoked.

Federated Identity

Federated Identity started with the need to support application access that spans beyond a company or organization boundary. Imagine a relationship between a juice company (JuiceCo) selling its product to a large supermarket chain (BigMart). As an employee of JuiceCo, you need to access an application provided by BigMart to manage the relationship and monitor supplies and sales.

A more elegant way to solve this problem is to allow JuiceCo and every other supplier to share or "federate" the identities with BigMart. As an employee of JuiceCo, you already have a corporate identity and credentials. What Federated Identity provides is a secure way for the supermarket chain (Service Provider) to externalize authentication by integrating with the existing identity infrastructure of its suppliers (Identity Provider).

This type of use case is what led to the birth of federated protocols such as Security Assertion Markup Language (SAML).

Planning for SAML

SAML is mostly used as a web-based authentication mechanism as it relies on using the browser agent to broker the authentication flow. At a high-level, the authentication flow of SAML looks like this:

[Figure: SAML authentication flow]

We are now ready to introduce some common SAML terms. We will go into the technical details of these later, but it is important to understand the high-level concept during the planning stage.

A Service Provider (SP) is the entity providing the service, typically in the form of an application.

An Identity Provider (IdP) is the entity providing the identities, including the ability to authenticate a user. The Identity Provider typically also contains the user profile: additional information about the user such as first name, last name, job code, phone number, address, and so on. Depending on the application, some service providers may require a very simple profile (username, email), while others may require a richer set of user data (job code, department, address, location, manager, and so on).

A SAML Request, also known as an authentication request (AuthnRequest), is generated by the Service Provider to "request" an authentication.

A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user. In addition, a SAML Response may contain additional information, such as user profile information and group/role information, depending on what the Service Provider can support.

A Service Provider Initiated (SP-initiated) sign-in describes the SAML sign-in flow when initiated by the Service Provider. This is typically triggered when the end user tries to access a resource or sign in directly on the Service Provider side, such as when the browser tries to access a protected resource on the Service Provider side.

An Identity Provider Initiated (IdP-initiated) sign-in describes the SAML sign-in flow initiated by the Identity Provider. Instead of the SAML flow being triggered by a redirection from the Service Provider, in this flow the Identity Provider initiates a SAML Response that is redirected to the Service Provider to assert the user’s identity.

A couple of key things to note:

In the HTTP Redirect and HTTP POST bindings that browser SSO almost always uses, the Service Provider never talks to the Identity Provider directly; the browser acts as the agent that carries out all the redirections. (Only the less common HTTP Artifact binding adds a back-channel call from the SP to the IdP.)

The Service Provider needs to know which Identity Provider to redirect to before it has any idea who the user is.

The Service Provider doesn’t know who the user is until the SAML assertion comes back from the Identity Provider.

This flow doesn’t have to start from the Service Provider. An Identity Provider can initiate an authentication flow.

The SAML authentication flow is asynchronous. The Service Provider doesn't know whether the Identity Provider will ever complete the flow, so it cannot block on the request; when a response does arrive, it must contain everything the Service Provider needs. In practice, an SP that issues authentication requests should still record the ID of each request it sends, so that it can match the InResponseTo attribute of the Response against a request it actually made and discard responses that are stale, presented twice, or unsolicited where its policy forbids them.

Planning checklist

While the SAML protocol is a standard, there are different ways to implement it depending on the nature of your application. The following is a checklist that will guide you through some of key considerations.

Understanding the role of a Service Provider

Single IdP vs multiple IdPs

Understanding SP-initiated sign-in flow

Exposing SAML configuration in SP

Enabling SAML for everyone vs a subset of users

Implementing a "backdoor"

Understanding the role of a Service Provider

A SAML IdP generates a SAML response based on configuration that is mutually agreed to by the IdP and the SP. After receiving the SAML assertion, the SP needs to validate that the assertion comes from a valid IdP and then parse the necessary information from the assertion: the username, attributes, and so on.

To do this, the SP requires at least the following from each IdP: its issuer (entity ID), so that the SP can tell which IdP a response came from; its sign-in (SSO) URL, to which SP-initiated authentication requests are sent; and its public signing certificate, with which the signature on the assertion is verified. These are the same values discussed under Exposing SAML configuration in SP below.

The easiest way to implement SAML is to use an open-source SAML toolkit; mature toolkits exist for most major languages. These toolkits provide the logic needed to parse and validate an incoming SAML Response. In addition, if the SP needs to support the SP-initiated sign-in flow, the toolkits also provide the logic needed to generate an appropriate SAML Authentication Request.

Single IdP vs multiple IdPs

If you are building an internal integration and you want to SAML-enable it to integrate with your corporate SAML identity provider, then you are looking at supporting only a single IdP. In this case, your integration only needs to deal with a single set of IdP metadata (cert, endpoints, and so on).

[Figure: SP integrated with a single IdP]

If you are an ISV building an enterprise SaaS product, or if you are building an external facing website/portal/community for your customers and partners, then you need to look at supporting multiple IdPs. This is the typical use case for many SaaS ISVs that need to integrate with customers’ corporate identity infrastructure. Depending on the architecture of your application, you need to think about ways to store the SAML configuration (Certificates or IdP sign-in URLs, for example) from each identity provider, as well as how to provide the necessary SP information for each.

[Figure: SP integrated with many IdPs]

A key consideration involves the ACS URL endpoint on the SP side where SAML responses are posted. It is possible to expose a single endpoint even when dealing with multiple IdPs. For a single-instance multi-tenant application where the tenancy isn't defined in the URL (such as when using a subdomain), this might be a simpler way to implement. However, you must then rely on additional information in the SAML response to determine which IdP is trying to authenticate (for example, the Issuer element). If your application is set up in a multi-tenant fashion with domain information in the URL (for example, using either https://domain1.example.com or https://www.example.com/domain1 ), then having an ACS URL endpoint for each subdomain might be a good option since the URL itself identifies the domain. Whichever you choose, the SP must bind each IdP to exactly one tenant and verify that the assertion was signed with that tenant's registered certificate; otherwise one customer's IdP could issue assertions for another customer's users.

[Figure: many IdPs with a per-subdomain ACS URL]
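The following is an added example (not Okta's code and not a SAML toolkit's) of the receiving side described in the last two sections: a single ACS endpoint that routes on the Issuer of the incoming Response, pins the assertion's signing certificate to that tenant's registered one, and applies the remaining checks (Destination, status, audience, validity window, bearer Recipient, replay) before trusting the NameID and attributes. The SP entity ID, ACS URL, tenant registry, certificates and the sample Response are all constructed for the example; cryptographic verification of the XML signature is deliberately not implemented here and is left to an XML-DSig library such as xmlsec, which is what a toolkit does for you.

```python
"""Single ACS endpoint shared by many IdPs: route on Issuer, then validate the response.
Added example, not Okta's code. SP URLs, tenant names and certificates are assumptions;
cryptographic XML-DSig verification is left to a SAML/xmlsec library (see step 3)."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml or a hardened parser in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
IDP_REGISTRY = {  # per-tenant IdP configuration keyed by the IdP's Issuer (entityID)
    "https://idp.juiceco.example/saml": {"tenant": "juiceco", "cert": "CONSTRUCTED-CERT-JUICECO"},
    "https://idp.bigmart.example/saml": {"tenant": "bigmart", "cert": "CONSTRUCTED-CERT-BIGMART"},
}
CLOCK_SKEW = timedelta(minutes=3)
_seen_assertion_ids = set()  # replay cache; must be shared across SP nodes in production

class SamlError(Exception): pass

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consume_response(saml_response_b64, now):
    """Validate a base64 SAMLResponse; return {tenant, name_id, attributes} or raise SamlError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    idp = IDP_REGISTRY.get(issuer)                 # 1. route on Issuer
    if idp is None:
        raise SamlError(f"unknown issuer {issuer!r}")
    if root.get("Destination") != ACS_URL:         # 2. addressed to this endpoint
        raise SamlError("Destination mismatch")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IdP reported failure")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlError("missing plaintext assertion or assertion issuer mismatch")
    # 3. Pin the signing certificate to the tenant's registered one; the SignatureValue
    #    itself must still be verified by an XML-DSig implementation before trusting anything.
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or "".join(cert.split()) != idp["cert"]:
        raise SamlError("assertion not signed with the registered certificate")
    cond = a.find("saml:Conditions", NS)           # 4. validity window and audience
    if cond is None or _ts(cond.get("NotBefore")) - CLOCK_SKEW > now:
        raise SamlError("no Conditions or assertion not yet valid")
    if _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
        raise SamlError("assertion expired")
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:  # 5. bearer confirmation
        raise SamlError("SubjectConfirmationData Recipient mismatch")
    aid = a.get("ID")                              # 6. replay protection
    if aid in _seen_assertion_ids:
        raise SamlError("replayed assertion")
    _seen_assertion_ids.add(aid)
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"tenant": idp["tenant"], "attributes": attrs,
            "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS)}

# Constructed sample response from JuiceCo's IdP (placeholder signature and certificate).
SAMPLE_RESPONSE = base64.b64encode(f"""
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.juiceco.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.juiceco.example/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-CERT-JUICECO</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@juiceco.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="department">
      <saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".strip().encode())

def demo():
    """Run the sample through the checker: one hour late, then valid, then replayed."""
    t_ok = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    out = {}
    for key, t in (("late", t_ok + timedelta(hours=1)), ("ok", t_ok), ("replay", t_ok)):
        try:
            out[key] = consume_response(SAMPLE_RESPONSE, t)
        except SamlError as e:
            out[key] = str(e)
    return out
```

Calling demo() yields an "assertion expired" verdict, then the accepted identity for tenant juiceco, then "replayed assertion" for the same message. The order of the checks matters less than their completeness: an SP that skips the Audience or Recipient check will accept an assertion that the IdP issued for a different service provider.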

Understanding SP-initiated sign-in flow

As discussed earlier, an IdP-initiated sign-in flow starts from the IdP. Since it begins on the IdP side, there is no additional context about what the user is trying to access on the SP side other than the fact that the user is trying to get authenticated and access the SP. Typically, after the user is authenticated, the browser will be taken to a generic landing page in the SP. Because no authentication request preceded it, such a Response carries no InResponseTo value, so the SP has to decide explicitly whether it accepts unsolicited responses at all.

In an SP-initiated flow, the user tries to access a protected resource directly on the SP side without the IdP being aware of the attempt. Two issues arise. First is the need to identify the right IdP if authentication of a federated identity is needed. With SP-initiated sign-in, the SP initially doesn't know anything about the identity. As a developer, you need to figure out how the SP can determine which IdP should receive the SAML request. In some cases, if your application URLs contain subdomain information that is mapped to a unique tenant and IdP, then the resource link being hit is enough to identify the IdP. If this isn't the case, then you might need to prompt the end user for additional information such as a user ID, email, or company ID. You need something that allows the SP to identify which IdP the user attempting to access the resource belongs to. Remember, you are only prompting for an identifier, not credentials. Okta also supports passing the identifier to the IdP with the "LoginHint" parameter, so that the user doesn't need to input the identifier again when redirected to the IdP to sign in. For instructions on triggering Okta to send the "LoginHint" to the IdP, see Redirecting with SAML Deep Links.

Another issue with SP-initiated sign-in flow is the support for deep links. Most applications support deep links. For example, you might receive a link to a document that resides on a content management system. Ideally, if you need to authenticate prior to accessing the document, you would like to be taken to the document immediately after authentication.

SAML is an asynchronous protocol by design. The SP-initiated sign-in flow begins by generating a SAML Authentication Request that gets redirected to the IdP. Beyond the request ID it may keep for InResponseTo checking, the SP stores nothing about the request. When the SAML response comes back from the IdP, the SP would know nothing about the initial deep link that triggered the authentication request. Luckily, SAML supports this with a parameter called RelayState.

A RelayState is an HTTP parameter that can be included as part of the SAML request and SAML response. In an SP-initiated sign-in flow, the SP can set the RelayState parameter in the SAML request with additional information about the request. A SAML IdP, after receiving the SAML request, takes the RelayState value and simply attaches it back as an HTTP parameter in the SAML response after the user has been authenticated. This way, when the round trip completes, the SP can use the RelayState information to get additional context about the initial SAML authentication request.

In the case of a deep link, the SP sets the RelayState of the SAML request to the deep-link value. When the SAML response comes back, the SP can use the RelayState value and take the authenticated user to the right resource. Note that RelayState is opaque and unsigned and the IdP echoes it back unchanged, so the SP must validate it (for example, accept only site-relative paths) before redirecting to it; an SP that redirects to whatever RelayState it receives is an open redirector.

[Figure: deep link carried in RelayState]

For instructions to construct a deep link for SAML IdPs, see Redirecting with SAML Deep Links.
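As an added example (not Okta's code) of the SP-initiated flow and RelayState handling described above, this script picks the IdP from the tenant subdomain, issues an AuthnRequest over the HTTP-Redirect binding, carries the deep link in RelayState, and on the way back both matches InResponseTo to a request it really issued and re-validates RelayState before redirecting. The SP URLs, the subdomain-to-IdP map and the request lifetime are assumptions; the IdP side is simulated by decode_redirect_request, which only inflates the request and passes RelayState through unchanged, as a real IdP would.

```python
"""SP-initiated sign-in: AuthnRequest over the HTTP-Redirect binding, deep link in RelayState.
Added example, not Okta's code. The SP URLs, the subdomain-to-IdP map and the request
TTL are assumptions; the IdP side is simulated by decode_redirect_request()."""
import base64
import secrets
import time
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
TENANT_IDP = {"juiceco.app.example.com": "https://idp.juiceco.example/saml/sso"}  # host -> IdP SSO URL
REQUEST_TTL = 300          # seconds an AuthnRequest stays acceptable
_outstanding = {}          # AuthnRequest ID -> expiry; lets the ACS check InResponseTo

def idp_for_host(host):
    """Choose the IdP from the tenant subdomain; None means 'ask the user for an identifier'."""
    return TENANT_IDP.get(host.lower())

def safe_relay_state(value):
    """Open-redirect guard: only a site-relative path may ride in RelayState.
    The HTTP-Redirect binding also caps RelayState at 80 bytes, so truncate."""
    if not value or not value.startswith("/") or value[1:2] in ("/", "\\"):
        return "/"
    p = urlparse(value)
    return value[:80] if not p.scheme and not p.netloc else "/"

def build_authn_request(request_id, issue_instant):
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def build_redirect_url(idp_sso_url, deep_link, now=None):
    """Return (URL to send the browser to, request ID). SAMLRequest is raw-DEFLATEd,
    base64-encoded and URL-encoded as the HTTP-Redirect binding requires."""
    now = now if now is not None else time.time()
    rid = "_" + secrets.token_hex(16)
    _outstanding[rid] = now + REQUEST_TTL        # remember what we issued
    xml = build_authn_request(rid, time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)))
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = c.compress(xml.encode()) + c.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": safe_relay_state(deep_link)})
    # A signed request would append SigAlg and a Signature computed over this query string.
    return f"{idp_sso_url}?{query}", rid

def decode_redirect_request(url):
    """What the IdP (or a debugger) sees: inflate SAMLRequest; RelayState is passed through."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml, q.get("RelayState", [""])[0]

def finish_sign_in(in_response_to, relay_state, now=None):
    """ACS side, after the Response itself has been validated: accept it only for a
    request we issued that has not expired, then compute the post-login redirect."""
    now = now if now is not None else time.time()
    expiry = _outstanding.pop(in_response_to, None)   # one-shot: a second use fails
    if expiry is None or expiry < now:
        raise ValueError("Response does not match an outstanding AuthnRequest")
    return safe_relay_state(relay_state)   # re-validate: the IdP merely echoed it
```

The same-site check runs both when the request is built and when the response is consumed, because nothing between the two protects RelayState: an attacker who lures a user to a login link can set it to anything. The outstanding-request table is what turns InResponseTo into a real check; it needs a shared store and an expiry sweep when the SP runs on more than one node.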

Exposing SAML configuration in SP

As discussed before, the SP needs the IdP configuration to complete the SAML setup. While many ISVs choose to do this through support and email, the better way to do this is by exposing a self-service administrator page for your customer’s IT administrator to enable SAML. SAML supports metadata on both the IdP and SP side. One way to configure the IdP/SP relationship on the SP side is to build the ability to receive an IdP metadata file and the ability to generate an SP metadata file for consumption by the IdP. This is the preferred method.

However, some ISVs choose to allow configuration of several key SAML parameters directly rather than through a metadata file. Typical parameters would include the IdP redirect URL (for SAML Request), IssuerID, IdP Logout URL. The SP must also allow the IdP public certificate to be uploaded or saved.

Using a metadata file is preferred because it can handle any future additions/enhancements in your SAML support without making UI changes that would otherwise be required if you expose specific SAML configuration parameters in your UI.
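An added example (not Okta's code or a toolkit's) of the metadata-based approach just described: importing an IdP's metadata file into the per-tenant configuration, and exporting the SP's own metadata for the customer's administrator to load into their IdP. The SP identifiers and the sample IdP metadata are constructed for the example.

```python
"""Self-service SAML configuration: import IdP metadata, export SP metadata.
Added example, not Okta's or any toolkit's code. SP identifiers and the sample
IdP metadata are assumptions."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted uploads in production

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"

def import_idp_metadata(xml_bytes):
    """Extract what the SP must store for one tenant: issuer, SSO/SLO URLs, signing certs."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(name, binding):
        for e in idp.findall(f"md:{name}", NS):
            if e.get("Binding") == binding:
                return e.get("Location")
        return None

    # A KeyDescriptor with use="signing" or no use attribute may sign; use="encryption" may not.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        c = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if c:
            certs.append("".join(c.split()))  # normalise base64 whitespace
    sso = endpoint("SingleSignOnService", REDIRECT) or endpoint("SingleSignOnService", POST)
    if not sso or not certs:
        raise ValueError("IdP metadata lacks an SSO endpoint or a signing certificate")
    return {
        "entity_id": root.get("entityID"),          # becomes the expected Issuer
        "sso_url": sso,
        "slo_url": endpoint("SingleLogoutService", REDIRECT),
        "signing_certs": certs,                      # keep all of them: allows key rollover
        "want_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }

def export_sp_metadata():
    """SP metadata for the customer's IdP administrator to import."""
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{SP_ENTITY_ID}">'
            '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>'
            f'<md:AssertionConsumerService Binding="{POST}" Location="{ACS_URL}" index="0" isDefault="true"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed IdP metadata of the shape a corporate IdP publishes (placeholder certificates).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.juiceco.example/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED
        CERT-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-CERT-ENC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.juiceco.example/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.juiceco.example/saml/sso-post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.juiceco.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()
```

Fetch or accept the IdP metadata only over TLS and, where the IdP signs its metadata, verify that signature before storing anything from it: the metadata is what tells the SP which certificate to trust, so an attacker who can substitute it controls sign-in for that tenant. Keeping every listed signing certificate lets the IdP roll its key without breaking the integration.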

Enabling SAML for everyone vs a subset of users

Depending on the nature of your application, there might be reasons to allow only a subset of users to be SAML-enabled. Imagine an application that is accessed by internal employees and external users like partners. The employees may use SAML to sign in to the application, while the external users may use a separate set of credentials.

Even in cases where the intent is to have all the users of a particular tenant be SAML-enabled, it might be useful to enable just a subset of users during proof-of-concept, testing and roll-out, so that authentication is exercised with a smaller population before going live for everyone.

Implementing a "backdoor"

An important use case for SAML is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a single security domain (using cookies, for example), but extending SSO across security domains is more difficult and has led to a proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.

Overview

At the heart of a SAML assertion is a subject (a principal in the context of a particular security domain) about which something is being asserted. The subject is usually, but not necessarily, a human. As in the SAML V2.0 Technical Overview, the terms subject and principal are used interchangeably in this document.

Before delivering a subject-based assertion to the SP, the IdP may request some information from the principal, such as a username and password, in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the IdP to the SP. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs.

History

[Figure: History of SAML]

The OASIS Security Services Technical Committee (SSTC), which met for the first time in January 2001, was chartered "to define an XML framework for exchanging authentication and authorization information." Toward this end, the following intellectual property was contributed to the SSTC during the first two months of that year:

Building on these initial contributions, in November 2002 OASIS announced the Security Assertion Markup Language (SAML) V1.0 specification as an OASIS Standard.

Versions

Since V1.0, SAML has undergone one minor and one major revision.

The Liberty Alliance contributed its Identity Federation Framework (ID-FF) to the OASIS SSTC in September 2003:

SAML versions 1.0 and 1.1 are similar, although small differences exist. The differences between SAML 2.0 and SAML 1.1, however, are substantial. Although the two standards address the same use case, SAML 2.0 is incompatible with its predecessor.

Although ID-FF 1.2 was contributed to OASIS as the basis of SAML 2.0, there are some important differences between SAML 2.0 and ID-FF 1.2. In particular, the two specifications, despite their common roots, are incompatible.

Design

SAML is built upon a number of existing standards:

Assertions

A SAML assertion contains a packet of security information:

Roughly speaking, a relying party interprets an assertion as follows:

Assertion A was issued at time t by issuer R regarding subject S, provided conditions C are valid.

SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. SAML provides three types of statements:

Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context) may be disclosed in an authentication statement.

Protocols

[Figure: SAML protocol response]

Corresponding to the three types of statements, there are three types of SAML queries:

Apart from queries, SAML 1.1 specifies no other protocols.

Bindings

[Figure: SAML over SOAP over HTTP]

SAML 2.0 completely separates the binding concept from the underlying profile. In fact, SAML 2.0 has an entirely new binding specification that defines the following standalone bindings:

This reorganization provides tremendous flexibility. Taking web browser SSO alone as an example, a service provider can choose from four bindings (HTTP Redirect, HTTP POST and two flavors of HTTP Artifact), while the identity provider has three binding options (HTTP POST plus two forms of HTTP Artifact), for a total of twelve (12) possible deployments of the SAML 2.0 Web Browser SSO profile.

Profiles

In addition to the SAML Web Browser SSO profile, some important third-party SAML profiles include:

Security

The SAML specifications recommend, and in some cases mandate, a variety of security mechanisms:

Requirements are often phrased in terms of (mutual) authentication, integrity and confidentiality, leaving the choice of security mechanism to implementers and deployers.

Use

[Figure: SAML 2.0 web browser SSO, HTTP Redirect then HTTP POST]

In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3.

On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however; any given SAML deployment will choose whatever bindings are appropriate.

How SAML Authentication Works

Learn what SAML is and how to set up a SAML identity provider

Holly Guevara

Developer Content Manager

Last Updated On: October 07, 2021


In this article, you’ll learn what SAML is, how it works, and how you can configure a SAML identity provider using Auth0.

What is SAML

Before jumping into the technical jargon, let’s look at an example that demonstrates what SAML is and why it’s beneficial.

You just started working at a new company, Wizova. They’ve given you a work email address and access to a dashboard. Once you sign in to this dashboard, you’re presented with the icons of all of the external services the company uses: Salesforce, Expensify, Jira, AWS, and more.

You click on the Salesforce icon, some magic happens in the background, and before you know it, you’re signed into Salesforce without ever entering any credentials!

As you might have guessed, the «magic» was actually SAML in action. So what’s going on here?

SAML stands for Security Assertion Markup Language. It is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

Identity Provider — Performs authentication and passes the user’s identity and authorization level to the service provider.

Service Provider — Trusts the identity provider and authorizes the given user to access the requested resource.

In the scenario above, the identity provider would be the IdP that Wizova uses, Auth0. The service provider would be Salesforce. The Wizova employee signs into the Wizova dashboard with Auth0. They click on the Salesforce icon, and Salesforce recognizes that the user wants to log in via SAML. Salesforce sends the employee back to Auth0 with a SAML Request that asks Auth0 to authenticate the user. Since the employee has already authenticated with Auth0, Auth0 verifies the session and sends the user back to Salesforce with a SAML Response. Salesforce checks this response, and if it looks good, the employee is granted access!

Benefits of SAML Authentication

Improved User Experience — Users only need to sign in one time to access multiple service providers. This allows for a faster authentication process and less expectation of the user to remember multiple login credentials for every application. In the example above, that user could have clicked on any of the other icons in their dashboard and been promptly logged in without ever having to enter more credentials!

Increased Security — SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity information to the service providers. This form of authentication ensures that credentials are only sent to the IdP directly.

Loose Coupling of Directories — SAML doesn’t require user information to be maintained and synchronized between directories.

Reduced Costs for Service Providers — With SAML, you don’t have to maintain account information across multiple services. The identity provider bears this burden.

How does SAML Authentication Work?

Now that you’ve seen the high-level overview of how SAML authentication works, let’s look at some of the technical details to see how everything is accomplished.

SAML single sign-on authentication typically involves a service provider and an identity provider. The process flow usually involves the trust establishment and authentication flow stages.

Consider this example:

Note: The identity provider could be any identity management platform.

Now, a user is trying to gain access to Zagadat using SAML authentication.

This is the process flow:

[Figure: SAML process flow diagram]

Note the attributes that are highlighted in the SAML request and response. Here’s a glossary of these parameters:

SAML Authentication with Auth0

When it comes to implementing SAML, Auth0 is extremely extensible and able to handle several scenarios:

For this example, you’ll learn how to implement SAML authentication using Auth0 as the identity provider.


Prerequisites

The following image shows a list of the service providers Auth0 supports out-of-the-box, but you also have the option of configuring a custom service provider in the dashboard.

Configure the service provider

This tutorial will use Zendesk as the service provider, but you can follow along with any SP of your choosing.

To configure your chosen service provider, run through the following steps in your Auth0 dashboard:

5. Follow the instructions under Tutorial for your specific service provider

Note: This step will require you to input some values on the service provider’s side.

Here’s what that looks like for Zendesk.

First, go into the Admin Center in the Zendesk dashboard and click on Security. Next, click on SSO, and you’ll find the SAML configuration settings. This is where you’ll paste in those values from the Auth0 dashboard.

Once these values are copied over, the last step is to enable external authentication for the users who should be able to log in with SAML. Zendesk allows you to enable this for end users, staff users, or both.

Test it out

Now that everything is set up on both ends, it’s time to test it out! See the video below for a demonstration of what the final flow should look like.

As you can see, once you go to your Zendesk URL, you’re redirected back to Auth0, the identity provider, to sign in. Once authenticated, Auth0 sends this information back to Zendesk. Zendesk verifies the response, determines it valid, and grants you access to your Zendesk dashboard.

Note: You may have noticed that in the video, the user signed in with Google SSO. This can be enabled in the Auth0 dashboard. You’ll see how to implement this in the next section.

If you go back to your Auth0 dashboard, you’ll now see a record of the user that just signed in!

Note: If you’d like to debug a SAML response, check out http://samltool.io. This tool can decode a SAML response and serves as a useful debugging resource.

Enable SSO (optional)

Now that your service provider is set up with Auth0, your users can sign in using an email and password by default. A common use case, especially with SAML authentication, is to have users sign in using single sign-on (SSO) with a social provider.

Auth0 supports several social identity providers that you can enable with the click of a button.

In your dashboard, click on Connections > Social in the sidebar. Select the provider you’d like to use and fill in the details required for that provider.

Note: Make sure you use your own keys for the selected provider. You may use the default Auth0 developer keys for testing, but they should not be used in production.

Once you’ve selected the social connections you want to use, go back to the SP you configured under SSO Integrations. Select the SP, and under Connections, you should see the social connection you just created. Click on the switch to enable it, and now your users are ready to sign in with any of the connections listed!

More Auth0 SAML Configurations

Auth0 is adaptable when it comes to SAML configuration. Here are some of the other ways you can configure Auth0:

Conclusion

You have covered how SAML authentication works, the benefits SAML provides, and how to implement SAML with Auth0 as the identity provider. If you have any questions, feel free to reach out below!
