TheFeloDevTeam / FeloFamilySite

https://thefelodevteam.github.io/FeloFamilySite/

What is SAML (Security Assertion Markup Language)? #7

Open christianfelicite opened 4 years ago

christianfelicite commented 4 years ago

#425

#426

#467

christianfelicite commented 3 years ago

https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language


  1. Request the target resource at the SP (#422) (SAML 2.0 only)

The principal (via an HTTP user agent) requests a target resource at the service provider: https://sp.example.com/myresource The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7.

  2. Redirect to the SSO Service at the IdP #421 (SAML 2.0 only)

The service provider determines the user's preferred identity provider (by unspecified means) and redirects the user agent to the SSO Service at the identity provider: https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request The value of the SAMLRequest parameter (denoted by the placeholder request above) is the Base64 encoding of a deflated <samlp:AuthnRequest> element.

  3. Request the SSO Service at the IdP (SAML 2.0 only)

The user agent issues a GET request to the SSO service at the URL from step 2. The SSO service processes the AuthnRequest (sent via the SAMLRequest URL query parameter) and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted).

  4. Respond with an XHTML form

The SSO service validates the request and responds with a document containing an XHTML form:

  <form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
    <input type="submit" value="Submit" />
  </form>

The value of the SAMLResponse element (denoted by the placeholder response above) is the base64 encoding of a <samlp:Response> element.

  5. Request the Assertion Consumer Service at the SP

The user agent issues a POST request to the assertion (#425) consumer service at the service provider. The value of the SAMLResponse parameter is taken from the XHTML form at step 4.

  6. Redirect to the target resource

The assertion consumer service processes the response, creates a security context at the service provider and redirects the user agent to the target resource.

  7. Request the target resource at the SP again

The user agent requests the target resource at the service provider (again): https://sp.example.com/myresource

  8. Respond with requested resource

Since a security context exists, the service provider returns the resource to the user agent.

https://en.wikipedia.org/wiki/SAML_2.0
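The two bindings used in steps 2 to 5 above (HTTP-Redirect for the AuthnRequest, HTTP-POST for the Response) are easy to get subtly wrong, so here is an added, stand-alone Python example that is not part of the Wikipedia text or of this repository. It builds the SP's AuthnRequest, applies raw DEFLATE + base64 + URL-encoding for the redirect to the IdP, reverses that on the IdP side with a size bound on inflation, and shows the plain base64 used by the POST form. The entity ID https://sp.example.com/SAML2 is an assumption; the SSO and ACS URLs are the ones used in the walk-through above. The same exchange is what the Auth0 and Zoho flows in the later comments describe.

```python
"""SAML 2.0 Web Browser SSO bindings (added example; hand-built XML, no SAML library).

Assumed (hypothetical) names: SP_ENTITY_ID. IDP_SSO_URL and SP_ACS_URL are the
URLs from the Wikipedia walk-through quoted above.
"""
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://sp.example.com/SAML2"                 # assumption
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"          # from the walk-through
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/Redirect"    # from the walk-through
MAX_INFLATED = 64 * 1024  # upper bound for an inflated AuthnRequest


def new_request_id() -> str:
    # XML IDs must not start with a digit, hence the "_" prefix; 128 random bits
    # make the ID unguessable, which matters because the SP later matches
    # InResponseTo against it.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: str) -> bytes:
    """Step 2: the SP builds the <samlp:AuthnRequest> it will send to the IdP."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8")


def encode_redirect(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_url(xml_bytes: bytes, relay_state: str = "") -> str:
    """The URL the SP redirects the browser to (step 2); urlencode escapes '+' and '/'."""
    params = {"SAMLRequest": encode_redirect(xml_bytes)}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url: str) -> ET.Element:
    """Step 3, IdP side: reverse the binding. The inflated size is capped so a
    tiny SAMLRequest cannot expand into a huge document (decompression bomb)."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond %d bytes" % MAX_INFLATED)
    return ET.fromstring(xml_bytes)


def encode_post(xml_bytes: bytes) -> str:
    """HTTP-POST binding (step 4): plain base64 of the <samlp:Response>, no DEFLATE."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post(value: str) -> ET.Element:
    """Step 5, SP side: decode the SAMLResponse form field."""
    return ET.fromstring(base64.b64decode(value))


if __name__ == "__main__":
    rid = new_request_id()
    url = redirect_url(build_authn_request(rid, "2024-01-01T00:00:00Z"), "/myresource")
    print(url)
    print(decode_redirect(url).get("ID") == rid)
```

The `ProtocolBinding` attribute tells the IdP to return the Response via the POST form shown in step 4; the request ID returned by `new_request_id()` is what the SP must store and later compare with the `InResponseTo` attribute of the Response.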

christianfelicite commented 3 years ago

https://auth0.com/blog/how-saml-authentication-works/

Very detailed workflow!!

Now, a user is trying to gain access to Zagadat using SAML authentication.

This is the process flow:

  1. The user tries to log in to Zagadat from a browser.
  2. Zagadat responds by generating a SAML request.
  3. The browser redirects the user to an SSO URL, Auth0
  4. Auth0 parses the SAML request and authenticates the user. This could be with username and password or even social login. If the user is already authenticated on Auth0, this step will be skipped. Once the user is authenticated, Auth0 generates a SAML response.
  5. Auth0 returns the encoded SAML response to the browser.
  6. The browser sends the SAML response to Zagadat for verification.
  7. If the verification is successful, the user will be logged in to Zagadat and granted access to the resources that they are authorized to view/modify.

christianfelicite commented 3 years ago

https://www.zoho.com/developer/help/extensions/saml.html

SAML Terminologies and Workflow

Security Assertion Markup Language (SAML) is an XML-based standard that allows you to exchange authentication data between one service and another. Zoho provides single sign-on for connected apps using SAML. Here, Zoho acts as the identity provider (IdP) and the application is the service provider (SP).

The developer must be familiar with the following terms before building an SAML-enabled connected app.

  1. Service Provider (SP) #422 - The system that provides the service to the user. In this case, the web application the user wants to connect Zoho CRM with acts as the SP.

  2. Identity Provider (IdP) #421 - The system that manages the identity information of the users, including user name, password and other crucial data. In this case, Zoho acts as the IdP.

  3. Entity ID - A unique ID that allows the SP and IdP to identify each other. The Entity ID for Zoho CRM will be generated once you create the connected app. Provide this ID to the application you want to connect with Zoho CRM. The Entity ID for the web app will be provided in the SAML documentation for that application.

  4. ACS URL (Assertion Consumer Service URL) - The Identity Provider will send the SAML response to this URL. This URL will be provided by the service provider.

  5. Single Sign-on (SSO) - A session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.

  6. Subject Type - Subject type indicates the value that the Service provider expects. E.g., user name, user ID, etc.

  7. Name ID Format - The format in which the name ID must be specified. The name ID format you specify must be the same in both the IdP and SP.


  1. The user requests access to the service by selecting the Single Sign-on option.
  2. The Service Provider sends a SAML request to the Identity provider, using the Entity ID of the IdP. The SAML request is embedded in the HTTP code that redirects the user to the IdP.
  3. The IdP login screen appears and the user provides their login credentials for verification.
  4. Once the user is authenticated, the IdP sends SAML assertion using the ACS URL to the SP along with the details mentioned in the Subject type requested by the SP.
  5. After receiving these details, the SP provides access to the user.
  6. The user can now start accessing the resources.

christianfelicite commented 3 years ago

https://www.gluu.org/resources/documents/articles/how-does-saml-work-idps-sps/

5 benefits of using SAML:

There are many reasons to use a SAML IDP like the Gluu Server, including:

  1. User passwords never cross the firewall, since user authentication occurs inside of the firewall and multiple Web application passwords are no longer required.
  2. Web applications with no passwords are virtually impossible to hack, as the user must authenticate against an enterprise-class IdM first, which can include strong authentication mechanisms.
  3. “SP-initiated” SAML SSO provides access to Web apps for users outside of the firewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remains locked safely inside the firewall.
  4. Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance benefits.
  5. A properly executed identity federation layer that satisfies all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution.

christianfelicite commented 3 years ago

https://www.acipia.fr/infrastructure/securite/saml-sso-authentification-deleguee/

The SAML solution

Thanks to SAML, the IT department can implement its own identification portal (IdP). This portal handles user authentication entirely on its own. The identity is then transmitted to the authorised service providers through a SAML exchange. In this transmission the provider (SP) only gets access to the information strictly necessary.

Authentication

When connecting to the external application, the application sends the unknown user to the company's IdP. This IdP is a web service reachable over HTTPS. It can be hosted internally or externally.

Internal authentication

The user then proves their identity to the IdP. This phase can be done by explicit authentication (login / password) or by propagating a pre-existing token. This is possible in particular with Kerberos authentication on an Active Directory domain. In that case the authentication phase is transparent for the user.

Generating the assertion

[image: saml_idp.jpg]

The IdP then generates a "token", a sort of identity card for the user, valid only for the requested service and for a given time. In this token one finds in particular:

Transmission from the IdP to the SP

In the most practical mode, the assertion is not transmitted directly from the IdP to the SP, but through the user themselves. By an HTTP redirect mechanism, the IdP hands the client browser the token to be passed on to the service provider. This can be compared to the identity card issued by the prefecture to be presented to any authority.

Consumption of the token by the SP

The service provider receives the token from the user. The SP has chosen to trust this IdP. It therefore validates the signature and integrity of the token, as well as its validity period. If the checks succeed, the SP opens a session for the user.

Practical aspects

Setting up an IdP internal to the company is not very complex. It is mainly a web server embedding a component capable of generating SAML or OpenID tokens. The free simpleSAMLphp component is particularly versatile and flexible.

On the service provider side, one must check that they accept an authentication mode implemented by the IdP. Generally SAML 2.0, OpenID or Shibboleth will be chosen.
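The "consumption of the token by the SP" step above (and step 6 of the Wikipedia flow, "the assertion consumer service processes the response") is where most SAML SP bugs live, so here is an added Python example of the SP-side checks, written for this thread and not taken from acipia, simpleSAMLphp or any other project. Besides the signature, an SP has to check the Destination and Recipient URLs, the Success status, the Issuer, the NotBefore/NotOnOrAfter window, the AudienceRestriction, that InResponseTo matches an AuthnRequest it actually sent, and that the assertion ID has not been seen before. XML-Signature verification itself is delegated to a caller-supplied `signature_ok` callback (in production that would be a library such as python3-saml or signxml), because the point here is everything around the signature. The entity IDs and the ACS URL are assumptions, the sample Response is constructed test data, its `ds:Signature` element is an empty placeholder, and the `NOW` constant is a fixed clock for the demonstration.

```python
"""SP-side validation of a SAML 2.0 <samlp:Response> (added example).

Assumed (hypothetical): SP_ENTITY_ID, SP_ACS_URL, TRUSTED_IDP. Real XML-DSig
verification is delegated to signature_ok(); the sample Response below is
constructed test data with an empty ds:Signature placeholder.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set, Tuple
from xml.etree import ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sp.example.com/SAML2"          # assumption
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"   # assumption
TRUSTED_IDP = "https://idp.example.org/SAML2"          # assumption
CLOCK_SKEW = timedelta(minutes=3)                      # tolerance between IdP and SP clocks
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def _ts(value: str) -> datetime:
    # Whole-second UTC timestamps only; real IdPs may also emit fractional seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes: bytes, now: datetime, pending_ids: Set[str],
                      seen_assertion_ids: Set[str],
                      signature_ok: Callable[[ET.Element], bool]) -> Tuple[Optional[str], Optional[str]]:
    """Return (NameID, None) on success or (None, reason) on rejection.
    On success the matched request ID is consumed and the assertion ID recorded,
    so the same Response cannot be replayed (SP-initiated flow only)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "Response":
        return None, "not a samlp:Response"
    if root.get("Destination") != SP_ACS_URL:
        return None, "Destination mismatch"
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return None, "status is not Success"
    assertions = root.findall(SAML + "Assertion")
    if len(assertions) != 1:  # a second, unsigned assertion is a classic injection vector
        return None, "expected exactly one Assertion"
    a = assertions[0]
    if a.findtext(SAML + "Issuer") != TRUSTED_IDP:
        return None, "untrusted Issuer"
    # Reject unsigned assertions outright; otherwise let the XML-DSig library decide.
    if a.find(DS + "Signature") is None or not signature_ok(a):
        return None, "assertion signature missing or invalid"
    cond = a.find(SAML + "Conditions")
    if cond is None:
        return None, "missing Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and _ts(not_before) - CLOCK_SKEW > now:
        return None, "assertion not yet valid"
    if not_on_or_after is None or _ts(not_on_or_after) + CLOCK_SKEW <= now:
        return None, "assertion expired"
    if SP_ENTITY_ID not in [e.text for e in cond.iter(SAML + "Audience")]:
        return None, "SP not in AudienceRestriction"
    scd = a.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        return None, "Recipient mismatch"
    if scd.get("NotOnOrAfter") is None or _ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
        return None, "SubjectConfirmation expired"
    in_resp = scd.get("InResponseTo")
    if in_resp not in pending_ids:
        return None, "InResponseTo does not match an outstanding AuthnRequest"
    if a.get("ID") in seen_assertion_ids:
        return None, "assertion replayed"
    pending_ids.discard(in_resp)
    seen_assertion_ids.add(a.get("ID"))
    return a.findtext(f"{SAML}Subject/{SAML}NameID"), None


def sample_response(assertion_id: str, in_response_to: str, not_before: str,
                    not_on_or_after: str, audience: str = SP_ENTITY_ID, signed: bool = True) -> bytes:
    """Constructed test data shaped like an IdP's HTTP-POST Response (not real IdP output)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="{not_before}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
            Recipient="{SP_ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()
```

Two design points: the request-ID and assertion-ID sets must live in shared server-side storage (not per-worker memory) for the replay check to hold across instances, and IdP-initiated SSO (the Auth0 link below) sends no `InResponseTo`, so an SP that wants to accept it must make that decision explicitly rather than by weakening the check above.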

christianfelicite commented 3 years ago

https://auth0.com/docs/protocols/saml-configuration-options/configure-saml-identity-provider-initiated-single-sign-on

christianfelicite commented 3 years ago

https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso

christianfelicite commented 3 years ago

https://blog.joshsoftware.com/2020/04/22/single-sign-on-with-saml-and-spring-boot/

christianfelicite commented 3 years ago

https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/configuration-sso.html