SAML 2.0 security token - authorization

I have a web application which uses an identity provider for authentication in accordance with SAML 2.0 protocol.
Does this web application (service provider) have to validate the security token (provided by the IdP when a user logs in to the web application) for each web server request?
In my opinion, there is no need to validate the security token for each server request. The SAML protocol requires token validation only in the necessary cases (authentication, authorization).
Am I right, or do I have to implement token validation for each web server request?

No, the service provider does not need to validate the SAML assertion for every request.
A SAML assertion contains information about the user, such as who the user is (the username), how the user was authenticated by the identity provider, and so on. Once the service provider obtains this SAML assertion from the identity provider, it verifies the SAML assertion and logs the user in to the service provider. Once the user is logged in, the user only needs to use the same authenticated session to access protected resources at the service provider. The user does not have to send the SAML assertion again.
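The pattern the answer describes, as an added example that is not part of the original answer: the SP checks the assertion once at login (issuer, validity window, audience, recipient and InResponseTo; XML signature verification is assumed to have been done already by a SAML library and is omitted), then issues its own session, and every later request consults only that session. The entity IDs, ACS URL, sample Response and 8-hour session lifetime are constructed values.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/metadata"    # assumed SP entity ID
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # assumed trusted IdP
ACS_URL = "https://sp.example.test/acs"              # assumed ACS endpoint
SKEW = timedelta(minutes=3)                          # allowed clock skew
SESSIONS = {}  # session id -> user/expiry; a real SP uses a signed cookie or a store

def parse_ts(s):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_in_response_to, now):
    # Done ONCE at login, after the signature has been verified by a SAML library.
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) - SKEW <= now < parse_ts(cond.get("NotOnOrAfter")) + SKEW):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_in_response_to:
        raise ValueError("wrong recipient or response does not match our request")
    return a.findtext("saml:Subject/saml:NameID", None, NS)

def login(xml_text, expected_in_response_to, now):
    user = validate_assertion(xml_text, expected_in_response_to, now)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + timedelta(hours=8)}
    return sid  # becomes the session cookie; the assertion itself is not kept

def authorize_request(sid, now):
    # Per-request check: only the SP's own session is consulted, never the assertion.
    s = SESSIONS.get(sid)
    return s["user"] if s and now < s["expires"] else None

# Constructed sample Response (unsigned, for illustration only)
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
```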

Related

Is SAML authentication possible with a login form in the service provider page?

I am thinking of this scenario: authentication with the IdP via a REST API, passing username, password and a SAML request. Is it possible?
I would like my web application to have a page with login and password; on submit we invoke the IdP REST API (sending username, password and the SAML request).
Is it possible to have the login form in our page, "invoke" an IdP via a REST API and receive the SAML response from the IdP endpoint?
Will Single Sign-On work this way?
Thanks :-)
Is this https://docs.axway.com/en-US/bundle/SecureTransport_55_DeveloperGuide_allOS_en_HTML5/page/Content/DevelopersGuide/restAPI/SSO_REST_API.htm my solution?
Thanks
[07/02/2023] Solved:
No SSO with the resource owner password credentials (ROPC) flow
The OAuth 2 resource owner password credentials (ROPC) grant allows an application to sign in the user by directly handling their password. In your desktop application, you can use the username/password flow to acquire a token silently.
Constraints for ROPC
The following constraints apply to the applications using the ROPC flow:
Single sign-on is unsupported.
Multi-factor authentication (MFA) is unsupported.
Check with your tenant admin before using this flow - MFA is a commonly used feature.
Conditional Access is unsupported.

Is SAML an authentication mechanism?

Is SAML an authentication mechanism? I have seen this written in many places.
As per my understanding, SAML is not an authentication mechanism but a way to exchange authentication and authorization data between a service provider and an identity provider?
Both the service provider and the identity provider have to be SAML compliant, or basically understand SAML, to take part.
Authentication can be done by any means, like OAuth, a form, etc., and then the SAML exchange happens.
Best Regards,
Saurav
Actually, SAML is an internet-standards-based technology to achieve web-based single sign-on.
The actual authentication, which happens at the SAML IdP, is out of scope of the specification.
However, implementors sometimes do not accurately distinguish between SSO and authentication.
Chapter 1 from the SAML Technical Overview, a document published in 2008 and still a good read:
The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.
...and then Chapter 4 in the same document:
SAML consists of building-block components that, when put together, allow a number of use cases to be supported. The components primarily permit transfer of identity, authentication, attribute, and authorization information between autonomous organizations that have an established trust relationship.
SAML (Security Assertion Markup Language) is an identity federation protocol.
(1) Traditionally a web application utilizes a local data storage (such as MySQL which is used to store username/password credentials) to accomplish the login authentication.
On the other hand, a web application can leverage a third-party SAML Identity Provider (IdP) to accomplish the login authentication if the web application has been integrated with a SAML Service Provider (SP).
(2) Usually a SAML IdP utilizes an identity repository (such as OpenLDAP) to provide identity authentication for a SAML SP-enabled web application.
(3) A web application, which has been integrated with a SAML SP, outsources login authentication to a SAML IdP.
Without loss of generality, we assume that the SAML IdP has been configured with OpenLDAP.
A typical SAML SP-initiated authentication procedure can be described as below.
(I) A user launches a web browser to access a SAML SP-enabled web application.
(II) The user is redirected to a SAML IdP, which will prompt a username/password login screen. The SAML SP sends a SAML request to the SAML IdP.
(III) The user submits the username/password credentials.
(IV) The SAML IdP leverages OpenLDAP to validate the username/password credentials.
(V) The user is redirected back and logged in to the web application if the user has been authenticated by OpenLDAP successfully. The SAML IdP sends a SAML response token to federate the user identity (such as the username) to the SAML SP-enabled web application.
(4) "How to build and run Shibboleth SAML IdP and SP using Docker container" demonstrates how a SAML IdP utilizes OpenLDAP to provide identity authentication and then federates the user identity (such as the username) to a SAML SP-enabled web application, thus accomplishing the login authentication for the web application.

Silent SAML authentication?

I'm trying to authenticate users with the SAML protocol.
So far I have two applications in two different identity providers (Auth0 and OneLogin) to test. I also have my service provider.
What I'm trying to do is authenticate users without redirecting them to any identity provider login form.
Something like this:
The user tries to log in to my application (made in React).
My server provider receives the request made by the user and sends the credentials (username and password) to an identity provider using the SAML protocol.
The identity provider validates the credentials; if they are correct, it returns a SAML assertion to my server provider, otherwise it returns an error.
Depending on the identity provider's response, the content is sent to the user or not.
I know that this is not the intended use of SAML, but I want to know if there is a way to do it and how it would be possible.
Any help or advice will be well received, thank you.
That's not how SAML works and I'm not aware of any SAML identity providers that accept the user's name and password.
It is possible to include the user's name in the SAML authn request sent to the identity provider but there's no provision for including a password.
I think there are a number of security considerations if you were to prompt a user for their credentials for one web site (i.e. the identity provider) at a different web site (i.e. the service provider).
Using SAML SSO, if the user isn't already authenticated at the identity provider, the identity provider will prompt the user to log in.
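The SP side of the SP-initiated procedure described earlier, and the point made in this answer that an AuthnRequest can carry the user's name but has no field for a password, as one added example that is not part of either answer: the SP mints an AuthnRequest (optionally with a Subject/NameID hint), encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode as SAMLRequest) and remembers the request ID so the later Response's InResponseTo can be matched once. The entity IDs and endpoints are constructed values, and the optional signed-redirect parameters (SigAlg/Signature) are omitted.

```python
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SP_ENTITY_ID = "https://sp.example.test/metadata"      # assumed SP entity ID
ACS_URL = "https://sp.example.test/acs"                # assumed ACS endpoint
IDP_SSO_URL = "https://idp.example.test/sso/redirect"  # assumed IdP SSO endpoint
PENDING = {}  # request ID -> IssueInstant; a real SP keeps this in the user's session

def build_authn_request(issue_instant, subject=None):
    """Return (request_id, xml). A subject becomes a NameID hint only;
    the protocol has no element for a password, so none can be sent."""
    rid = "_" + secrets.token_hex(16)  # SAML IDs must start with a letter or underscore
    subj = (f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>"
            if subject else "")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{rid}" Version="2.0" '
           f'IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>{subj}</samlp:AuthnRequest>")
    PENDING[rid] = issue_instant
    return rid, xml

def redirect_url(xml, relay_state):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), base64, then urlencode
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    comp = c.compress(xml.encode()) + c.flush()
    qs = urlencode({"SAMLRequest": base64.b64encode(comp).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{qs}"

def decode_saml_request(url):
    # What the IdP does on receipt: reverse the encoding to recover the XML and RelayState
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), q["RelayState"][0]

def accept_in_response_to(rid):
    # Consume the pending ID exactly once; replays and unsolicited IDs are rejected
    return PENDING.pop(rid, None) is not None
```

The browser is sent to the returned URL; the IdP authenticates the user itself (prompting for a password only if there is no existing IdP session) and posts the Response to the ACS URL, where the SP matches InResponseTo against the stored ID.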

WSO2 IdP-initiated SSO

We are trying to implement an IdP-initiated SSO process. We have a Java app that authenticates the user and builds a SAML response. Our plan is to forward the SAML response to WSO2 Identity Server and let WSO2 decide to which service provider it should forward the response.
I have configured an identity provider and a service provider in WSO2, and I am posting the SAML response to https://wso2:9443/commonauth. When I post the SAML response I get the following error in the WSO2 logs:
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key is null in the request
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
Can someone please explain how to perform external IdP-initiated SSO using WSO2?
For IdP-initiated SSO, you should send the SAML response to https://wso2:9443/samlsso?spEntityID=[SPEntityID_value] (not https://wso2:9443/commonauth).
SPEntityID_value is the issuer value of your service provider. If you need to decide the service provider dynamically on the WSO2 side, you might have to do some customization in the WSO2 SAML SSO inbound flow.

SAML2 usage with an Axis2 web service

Is there any way that I can use SAML to authenticate (SSO) to an IdP using an Axis2 web service?
The SAML Web Browser SSO Profile is used to convey an authentication assertion FROM an IdP (identity provider) TO an SP (service provider), which may result in authentication occurring at the SP. SAML SSO isn't used to perform authentication to an IdP. An SP can send an authentication request (AuthnRequest) to an IdP, but that's simply a request, not the authentication itself. The SAML SSO profile allows for the AuthnRequest over HTTP (Redirect/POST/Artifact) and the Response (the authentication assertion from the IdP) over HTTP (POST/Artifact). If the IdP supports/uses HTTP Artifact, then the authentication assertions would be obtained by calling a web service at the IdP, rather than being conveyed directly in the response XML.
Perhaps you should look at the Enhanced Client or Proxy (ECP) profile, which uses Reverse SOAP (PAOS). This certainly would be possible with Axis2, although to be clear, the web service itself would live at the IdP.
Which end are you implementing, IdP or SP?
You could try using the SAML library OpenSAML (http://www.opensaml.org/) to generate your AuthnRequest and process the response sent by the IdP.