SAML2 usage with axis2 web service - axis2

Is there any way that I can use SAML to authenticate (SSO) to an IdP using an Axis2 web service?

The SAML Web Browser SSO Profile is used to convey an authentication assertion FROM an IdP (identity provider) TO an SP (service provider), which may result in authentication occurring at the SP. SAML SSO isn't used to perform authentication to an IdP. An SP can send an authentication request (AuthnRequest) to an IdP, but that's simply a request, not the authentication itself. The SAML SSO profile allows for the AuthnRequest over HTTP (Redirect/POST/Artifact) and the Response (the authentication assertion from the IdP) over HTTP (POST/Artifact). If the IdP supports/uses HTTP Artifact, then the authentication assertions would be obtained by calling a web service at the IdP, rather than being conveyed directly in the response XML.
Perhaps you should look at the Enhanced Client or Proxy (ECP) profile, which uses Reverse SOAP (PAOS). This certainly would be possible with Axis2, although to be clear, the web service itself would live at the IdP.
Which end are you implementing, IdP or SP?

You could try using the SAML library OpenSAML (http://www.opensaml.org/) to generate your AuthnRequest and process the response sent by the IdP.
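The answers above describe the SP sending an AuthnRequest to the IdP and naming OpenSAML as a library for generating it. As an added illustration (not code from the question, the answers or OpenSAML), the following stdlib-only Python builds a minimal AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding) and decodes it again the way an IdP would. The entity IDs and URLs are made-up placeholders; a real SP would take them from its own and the IdP's metadata.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Build a minimal <samlp:AuthnRequest>; returns (request_id, xml_text).

    The SP must remember request_id: later it checks the Response's InResponseTo
    against it, which is what ties an assertion to a request the SP actually made.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST_BINDING,          # how we want the Response delivered
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header/trailer
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urlencode(params)


def decode_redirect_binding(url):
    """IdP side: reverse the encoding and pull out the fields an IdP acts on.

    A real IdP additionally verifies the SigAlg/Signature query parameters when the
    SP signs its requests, and only sends a Response to an AssertionConsumerServiceURL
    that is registered in the SP's metadata, never to an arbitrary URL from the request.
    """
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15).decode("utf-8"))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, xml_text = build_authn_request(
        "https://sp.example.org/metadata", "https://sp.example.org/acs", "https://idp.example.org/sso")
    url = redirect_binding_url("https://idp.example.org/sso", xml_text, relay_state="/dashboard")
    print(url)
    print(decode_redirect_binding(url))
```

The SP keeps the returned request ID (for example in the user's pre-login session) until the Response arrives; without that stored ID the InResponseTo check on the Response cannot be performed.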

Related

Securing an API with SAML SSO / OAuth2.0

Alright, so I'm having a hard time understanding a proper flow here for my setup.
Goal
I want to have a proper SSO flow for my SPA app that can authenticate users into an API.
Context
I have a React application that is intended to use an Okta portal that offers both SAML (preferred) and OIDC for SSO flows. I've wrapped my static sources in a web server that serves them, and that server has a middleware that checks for cookies, and if one doesn't exist, I redirect to the IDP (Okta) for login. This all works fine for now.
Currently, my API sits on that same server, which I intend on moving to a separate server to scale independently of the website. My API must also allow other machine clients (services) to call into it, so I implemented a service account flow that uses client ID and secret as the authentication measure.
In general, my intended flow looks like this:
User navigates to my website (unauthorized) -> Web Server -> Redirect to IDP -> Assertion Callback flow -> Generate JWT session cookie -> Web Application makes API call -> API Server auth middleware validates cookie / bearer token.
The problem
The details of how the JWT access token is generated are where I'm stuck. Currently, my webserver receives the SAML assertion and generates a JWT, which is not the same JWT claims logic as the service accounts (bleh). I'm thinking of implementing an Auth service instead to centralize the token generation flows.
For the Auth Service, I've looked into OAuth2.0 and it seems like just the right approach for what I need. With that said, I can't find much information on patterns to follow for SAML assertion -> OAuth2.0. I saw an IETF draft for saml2-bearer grant-type, but it seems dead in the water. I'm also unsure about the general consensus on custom implemented OAuth2.0 grant types.
What does a proper flow look like? I have a couple of scenarios in mind:
1. SAML Service Provider within the same service as the Auth Service. On lack of SSO session, my application redirects to my Auth service, which then redirects to my IDP. The IDP calls my SP (the auth server) with the assertion, the auth service generates a token, then my auth service redirects back to the webserver with a cookie placed in the response headers.
2. SAML SP as the webserver. Since the webserver is the only system that needs to use the SSO, I could just keep the SAML flow within that process. Once my webserver receives the SAML assertion callback, my server makes a call to an endpoint service with the assertion claims, and then my auth service returns the access token in a JSON response.
3. Something else, like OAuth2.0 authorization code flow with PKCE for the web application. Or OIDC instead of SAML for SSO.
OIDC sounds like the right choice for you as APIs are involved. OAuth is designed to secure APIs, compared to SAML, which is built for enterprise SSO.
You can integrate your SPA with Okta using OIDC. Okta provides SDKs for various platforms to make it easier for you to do so. You can find the SDKs here:
https://developer.okta.com/code/angular/okta_angular_auth_js/
Once you get an ID token and access token from Okta after the OIDC flow, you can use the access token to access external APIs. Your API resource server or API gateway can validate the access token. Again, Okta provides SDKs to verify access tokens: https://developer.okta.com/code/dotnet/jwt-validation/

Is SAML an Authentication mechanism?

Is SAML an authentication mechanism? I have seen this being written in many places.
As per my understanding, SAML is not an authentication mechanism but a way to exchange authentication and authorization data between a service provider and an identity provider?
Both the service provider and the identity provider have to be SAML compliant, or basically understand SAML, to take part.
Authentication can be done by any means, like OAuth, forms, etc., and then the SAML exchange happens.
Best Regards,
Saurav
Actually, SAML is an internet-standards-based technology to achieve web-based single sign-on.
The actual authentication, which happens at the SAML IdP, is out of scope of the specification.
However, sometimes implementors do not accurately distinguish between SSO and authentication.
Chapter 1 of the SAML Technical Overview, a document published in 2008 and still a good read:
The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.
...and then Chapter 4 in the same document:
SAML consists of building-block components that, when put together, allow a number of use cases to be supported. The components primarily permit transfer of identity, authentication, attribute, and authorization information between autonomous organizations that have an established trust relationship.
SAML (Security Assertion Markup Language) is an identity federation protocol.
(1) Traditionally, a web application utilizes a local data store (such as MySQL, which is used to store username/password credentials) to accomplish the login authentication.
On the other hand, a web application can leverage a third-party SAML Identity Provider (IdP) to accomplish the login authentication if the web application has been integrated with a SAML Service Provider (SP).
(2) Usually a SAML IdP utilizes an identity repository (such as OpenLDAP) to provide identity authentication for a SAML SP-enabled web application.
(3) A web application, which has been integrated with a SAML SP, outsources login authentication to a SAML IdP.
Without loss of generality, we assume that the SAML IdP has been configured with OpenLDAP.
A typical SAML SP-initiated authentication procedure can be described as below.
(I) A user launches a web browser to access a SAML SP-enabled web application.
(II) The user is redirected to a SAML IdP, which will present a username/password login screen.
The SAML SP sends a SAML request to the SAML IdP.
(III) The user submits the username/password credential.
(IV) The SAML IdP leverages OpenLDAP to validate the username/password credential.
(V) The user is redirected back and logged in to the web application if the user has been authenticated by OpenLDAP successfully.
The SAML IdP sends a SAML response token to federate the user identity (such as username) to the SAML SP-enabled web application.
(4) How to build and run Shibboleth SAML IdP and SP using Docker container demonstrates how a SAML IdP utilizes OpenLDAP to provide identity authentication and then federates the user identity (such as username) to a SAML SP-enabled web application, thus accomplishing the login authentication for the web application.
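Step (V) above is where the SP has to decide whether the Response it received really federates a login it asked for. As an added example (not part of the answer, and not Shibboleth or OpenSAML code), the following stdlib-only Python applies the checks an SP performs on a Response after the XML signature has been verified: Success status, InResponseTo, Issuer, Conditions validity window, AudienceRestriction, bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter), presence of an AuthnStatement, and one-time use of the assertion ID. The sample Response, entity IDs and URLs are constructed placeholders; signature verification itself needs an XML-DSig implementation and is deliberately out of scope here, so this function must only ever run on a Response whose signature has already been checked against the IdP's metadata certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample Response from a hypothetical IdP (unsigned; fixed timestamps keep the example deterministic).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.org/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
            NotOnOrAfter="2024-05-01T12:05:00Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:58:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)


class SamlValidationError(Exception):
    pass


def _ts(value):
    """Parse a SAML UTC timestamp; fractional seconds, if present, are dropped."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, trusted_idp, sp_entity_id, acs_url, expected_request_id,
                      now, seen_assertion_ids, skew=timedelta(minutes=3)):
    """Post-signature checks an SP applies before it logs the user in. Returns the federated identity."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    if root.get("Destination") not in (None, acs_url):          # if present, it must be our ACS endpoint
        raise SamlValidationError("Response was addressed to a different endpoint")
    if root.get("InResponseTo") != expected_request_id:           # ties the Response to a request we made
        raise SamlValidationError("Response does not answer our AuthnRequest")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != trusted_idp:
        raise SamlValidationError("assertion not issued by the trusted IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if sp_entity_id not in audiences:                              # an assertion for another SP is not ours
        raise SamlValidationError("assertion was issued for a different SP")
    subject = a.find(f"{{{SAML}}}Subject")
    confirmation = None if subject is None else subject.find(f"{{{SAML}}}SubjectConfirmation")
    data = None if confirmation is None else confirmation.find(f"{{{SAML}}}SubjectConfirmationData")
    if confirmation is None or confirmation.get("Method") != BEARER or data is None:
        raise SamlValidationError("missing bearer SubjectConfirmation")
    if data.get("Recipient") != acs_url or data.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("SubjectConfirmationData does not match this SP/request")
    if data.get("NotOnOrAfter") and now - skew >= _ts(data.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    if a.find(f"{{{SAML}}}AuthnStatement") is None:
        raise SamlValidationError("no AuthnStatement: this assertion does not attest a login")
    assertion_id = a.get("ID")
    if assertion_id in seen_assertion_ids:                         # one-time use: reject replays
        raise SamlValidationError("replayed assertion")
    seen_assertion_ids.add(assertion_id)                           # retain at least until NotOnOrAfter has passed
    return {"name_id": subject.findtext(f"{{{SAML}}}NameID"), "assertion_id": assertion_id}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, trusted_idp="https://idp.example.org/idp",
                            sp_entity_id="https://sp.example.org/metadata", acs_url="https://sp.example.org/acs",
                            expected_request_id="_req1", now=SAMPLE_NOW, seen_assertion_ids=set()))
```

The `seen_assertion_ids` set stands in for whatever shared store a clustered SP uses for replay detection; entries only need to live until the assertion's own NotOnOrAfter has passed, because after that the time checks reject it anyway.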

How do I implement SAML for my Spring Boot application?

I have an internal application hosted on AWS with HTTPS. I need help understanding how to implement SAML authentication for my web application. I am using Spring Boot for my backend and AngularJS for my front end. I am using ADFS as my IdP. From what I gather, the following are the steps.
Get a https URL for your application
Create a basic ADFS trust.
Add the roles on ADFS
Get a metadata URL and enter it in your application.properties.
I am trying to implement SAML for the first time and have confused myself completely. Any thoughts shared would be greatly appreciated.
Your Spring Boot application needs to be a Service Provider (SP) that trusts your ADFS Identity Provider (IdP), and your ADFS IdP needs to trust your SP. This trust is usually done using the SAML2 metadata profile, i.e. the SP and IdP SAML2 metadata files.
You can either design your application as 'standalone', i.e. with no SAML ability, and put something in front of it that understands SAML and blocks all requests until the IdP sends attributes. This is how the standard Shibboleth SP works, but it needs Apache. The other option is to use the framework to plumb in the SAML capability, such as Spring Security SAML.

WSO2 IdP-initiated SSO

We are trying to implement an IdP-initiated SSO process. We have a Java app that authenticates the user and builds a SAML response. Our plan is to forward the SAML response to WSO2 Identity Server and let WSO2 decide to which service provider it should forward the response.
I have configured an identity provider and a service provider in WSO2, and I am posting the SAML response to https://wso2:9443/commonauth. When I post the SAML response, I get the following error in the WSO2 logs:
DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key is null in the request
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
Can someone please explain how to perform external IdP-initiated SSO using WSO2?
For IdP-initiated SSO, you should send the SAML response to https://wso2:9443/samlsso?spEntityID=[SPEntityID_value] (not https://wso2:9443/commonauth).
SPEntityID_value is the issuer value of your service provider. If you need to decide the service provider dynamically on the WSO2 side, you might have to do some customization in the WSO2 SAML SSO inbound flow.
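The answer gives the endpoint but not how the Response travels to it. For an IdP-initiated flow the Response is delivered with the SAML HTTP-POST binding: the XML is base64-encoded (plain base64, not the DEFLATE-then-base64 of the Redirect binding) and carried in a self-submitting form field named SAMLResponse. The Python below is an added illustration, not WSO2 or the asker's Java code; it assembles the samlsso URL with the spEntityID query parameter properly URL-encoded and renders the form with every value HTML-escaped. The host `wso2:9443` comes from the question; the SP entity ID and the one-element Response are constructed placeholders. Producing the form says nothing about whether WSO2 will accept it: the receiving side is expected to verify the signature over the Response against the identity provider it has configured, so the Java app must sign the Response with the key WSO2 trusts.

```python
import base64
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def idp_initiated_target(samlsso_url, sp_entity_id):
    """Append spEntityID to the samlsso endpoint; entity IDs are usually URLs, so encode them."""
    parts = urlsplit(samlsso_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("spEntityID", sp_entity_id)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def encode_post_field(saml_xml):
    """HTTP-POST binding encoding: plain base64 of the XML bytes, no compression."""
    return base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")


def decode_post_field(encoded):
    """What the receiving endpoint does with the SAMLResponse form field."""
    return base64.b64decode(encoded).decode("utf-8")


def post_binding_form(target_url, saml_response_xml, relay_state=None):
    """Render the self-submitting form the browser posts to the target.

    Every attribute value is HTML-escaped so that neither the target URL nor
    RelayState can break out of the markup.
    """
    fields = [("SAMLResponse", encode_post_field(saml_response_xml))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(name)}" value="{html.escape(value)}"/>'
        for name, value in fields)
    return (f'<form method="post" action="{html.escape(target_url)}">\n{inputs}\n'
            '  <noscript><button type="submit">Continue</button></noscript>\n</form>\n'
            '<script>document.forms[0].submit();</script>')


if __name__ == "__main__":
    target = idp_initiated_target("https://wso2:9443/samlsso", "https://sp.example.org/metadata")
    print(post_binding_form(target, "<samlp:Response/>", relay_state="/home"))
```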

SAML 2.0 security token

I have a web application which uses an identity provider for authentication in accordance with the SAML 2.0 protocol.
Does this web application (service provider) have to validate the security token (provided by the IdP when a user logs in to the web application) for each web server request?
In my opinion, there is no need to validate the security token for each server request. The SAML protocol requires token validation only in necessary cases (authentication, authorization).
Am I right, or do I have to implement token validation for each web server request?
No, the service provider does not need to validate the SAML assertion for every request.
A SAML assertion contains information about the user, such as what the username is, how the user was authenticated by the identity provider, and so on. Once the service provider obtains this SAML assertion from the identity provider, it verifies the SAML assertion and logs the user in to the service provider. Once the user is logged in, the user only needs to use the same authenticated session to access protected resources at the service provider. The user does not have to send the SAML assertion again.
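The answer above says the SP verifies the assertion once and then relies on its own session; the earlier Okta question describes that session as a JWT cookie that a separate API middleware validates. As an added example serving both passages (not code from either question, and not an Okta SDK or any SP product), the stdlib-only Python below mints such a session token once after the assertion has been validated and checks it on every later request. The token is a compact JWT signed with HS256 and a shared secret because that keeps the example self-contained; the secret, issuer and audience values are constructed placeholders, and the cap on session lifetime from the assertion's SessionNotOnOrAfter is an assumption about what the validated assertion carried.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A deployment loads this from a secret store and rotates it.
SESSION_SECRET = b"demo-only-session-signing-key-change-me"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(secret, *, subject, issuer, audience, now, lifetime=3600, session_not_on_or_after=None):
    """Mint the session JWT once, right after the SAML assertion has been validated.

    `subject` is the NameID from the assertion; `now` and all other times are epoch seconds.
    If the assertion carried a SessionNotOnOrAfter, the local session is capped at that
    instant so that it never outlives what the IdP attested.
    """
    exp = now + lifetime
    if session_not_on_or_after is not None:
        exp = min(exp, session_not_on_or_after)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": exp}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_session_token(secret, token, *, issuer, audience, now):
    """Per-request check in the web/API middleware. Returns the claims, or None to reject.

    Only the local signature, issuer, audience and expiry are examined; the SAML
    assertion is never needed again, which is the point of establishing a session.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):               # constant-time compare
            return None
        payload = json.loads(_unb64url(p))
    except ValueError:                      # covers bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    import time
    token = issue_session_token(SESSION_SECRET, subject="alice@example.org",
                                issuer="https://auth.example.org", audience="https://api.example.org",
                                now=int(time.time()))
    print(token)
    print(verify_session_token(SESSION_SECRET, token, issuer="https://auth.example.org",
                               audience="https://api.example.org", now=int(time.time())))
```

Pinning `alg` on the verifying side matters even with a single signing key: a verifier that honours whatever algorithm the token names can be talked into treating a public key as an HMAC secret or into accepting an unsigned token, so the middleware decides the algorithm and the token only has to match it.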