SAML: Secure and Simplified Authentication for Today's Connected World

Om Balakumar
Jul 7, 2023
10 mins read

While building multi-tenant applications with single sign-on requirements, we came across SAML. We found it very secure and reliable, but many options were explored before we arrived at the right approach. Hence we thought it appropriate to share the details as a blog, for easy reference to the SAML process.

SAML Authentication Process:

[Figure: SAML authentication process]

When an unauthenticated user attempts to access a protected resource, they are redirected to the SAML Identity Provider (IdP) with a SAML request. The IdP then authenticates the user and generates a SAML response containing information about the user's identity and permissions. This allows for seamless single sign-on (SSO) across multiple applications and systems that support SAML. With SAML, organizations can ensure secure access to their resources while simplifying the authentication process for users.

The identity provider typically displays a login page where users can enter their credentials. Once users have successfully authenticated with the identity provider, they are redirected back to the service provider along with a SAML assertion that contains information about their identity and any relevant authorization data.

The IdP then issues assertions to the user, which are sent back to the IdP for verification against its database. Once verified, the IdP sends an assertion to the SP indicating that authentication was successful.

The SAML response is digitally signed by the IdP to ensure its authenticity and integrity. This mechanism enables secure single sign-on (SSO) across different applications and domains, without requiring users to remember multiple sets of credentials.

How to implement SAML on the Service Provider (SP) side?

Obtain the SAML metadata from the Identity Provider (IdP). This metadata contains important information such as the issuer URL, certificate, Single Sign-On (SSO) URL and logout URL. Configure the application or service to act as an SP and provide metadata that describes the available endpoints for SAML.

Parse and validate SAML assertions that are received from the IdP during the authentication process. Depending on the SAML profile being used, there are different ways to do this. For example, we might use the HTTP-Redirect binding to send SAML messages back and forth between the SP and the IdP.

Redirect the user to the IdP's SSO URL to start the SSO process. We will typically include a SAML request in the URL that is sent to the IdP. Receive and process SAML responses from the IdP. This includes checking the signature of the SAML assertion to ensure it was signed with the IdP's private key, i.e. that it verifies against the certificate obtained from the IdP metadata.

SAML Request

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="620c9d9df97f627afe9dcc24" IssueInstant="2022-11-18T23:52:45Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.example.com/</saml:Issuer>
</samlp:AuthnRequest>

Encoded SAML Request

{
"data": {
"initiate": {
"redirect": true,
"samlURL": "http://www.samlUrl.com/saml",
"samlRequest":
"fdBLS8NAEMDxe6HfIcw9r7WvDNmUgggBvWjrwduy2bSBfcSdjcnHNwZ7EjwP858fUx4no6Mv5alzlkOeZBApK13T2SuHy/kpPgCr1quShNE9noZws6/qc1AUosnUlnAZcBi8RSeoI7TCKMIg8e308owsybD3LjjpNKxX9SOHHctk0RRNW+zbHduLVhWNlGwDUU00KG0pCBs4sIyxOM/j/HBmD7hluNl+QPR+t85luMtw2fQzqfsl/S8SRMqHOQPVLYQe03Qcx0RNwvRaJdKZtEyXrl66P2fSvx+ovgE=",
"samlCookie":
"eyJyZXF1ZXNOVVJJjoiliwic2FtbEF2c2VydGIvbkIkljoiXzFiZiZmNjViNmVmMDEXMTk2MTc4N2U1N2Q3NjJj¥ig2ino=",
"error": null
}
}
}
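As an added example (not code from the original post), the following Python builds the AuthnRequest shown above and encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), which is how a samlRequest value of the kind shown above is typically produced; SP_ENTITY_ID, IDP_SSO_URL and the ACS URL are assumed values.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# Hypothetical SP and IdP values, assumed for this example.
SP_ENTITY_ID = "http://www.example.com/"
IDP_SSO_URL = "http://www.samlUrl.com/saml"


def build_authn_request(sp_entity_id, acs_url):
    """Return (request_id, xml). The random ID must be stored server-side
    (e.g. behind the samlCookie) so the response's InResponseTo can be checked."""
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="{request_id}" IssueInstant="{issue_instant}" Version="2.0" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml


def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def decode_redirect(saml_request):
    """Inverse of encode_redirect, as the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15).decode()


def redirect_url(idp_sso_url, saml_request):
    """The URL the SP redirects the browser to. The value is URL-encoded
    because base64 contains '+', '/' and '=', which are not URL-safe."""
    return idp_sso_url + "?" + urlencode({"SAMLRequest": saml_request})
```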

Create and store a user session in the application based on the attributes that are contained in the SAML assertion. These attributes can include user ID, name, email address, and group membership.

Support SAML single logout (SLO) to allow users to sign out of all applications and services simultaneously. When initiated from the IdP, the Service Provider should invalidate the user's session and redirect them to a logout page.

Client Consume Request with SAML Response

{
"assertionId":"",
"redirectURI":"",
"adfsIdentifier":"",
"SAMLResponse":"PHNbWswOLIC3BVbINIIEIEPSJZDUSMDATNDCHYmMZOC000TVhLWJmOTMODFKMmUZMDU3YmEWIIBWZX.12aWOUPSIYLIAIEIZC3VISWSZGFUdDOIMIAYMIOWNIOyOFQuwhz010ToXNC400DZaIIBEZXNOaWSaGIVbj0iaHROCHMBLYSXYWN1C3RVDWISZTEXLWNVDNNVDGUUCWEUDHJULMNYDSINCGKVC2FtDHNZbY9jb252aW1IIBDD252ZWS0PS1cm4602F22XMBbmFZXM6IGMBUOFNTDOYLIABY20uc2VudDpNNWZWNDZmIIZCIgSW5SZXNwb252ZVRVPSJZic3MzcxODgANGQANZY4YWYWOTRIMmQ3OTg4YTRIODMilkhtbG5zOnNNbWxwP1JIZ}48LOF1dGhUQ29UAGYdDASLOF1dGhuU3RNAGVIZWSOPVOXNZZXJ0aWIUPIVC2FtOHABUMVZcGOuC2U+"
}

Response with credentials and SLO URL

{
"userId": 12345678,
"username": "",
"error": "",
"slourl": "/logoutUrl/"
}

Lessons learned

We used the initiate and consume methods, which are the standardized solution for authentication security in SP-initiated SAML.

We integrated an encoded private or public key to create an encrypted SAML request for each tenant.

To Summarize

SAML is used to implement the security framework separately from the platform architecture, making security more independent of application logic. With SAML, third-party users can access multiple web applications using single sign-on.

For further details, please refer to the link below.

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
