SAML: Secure and Simplified Authentication for Today's Connected World

Om Balakumar
Jul 7, 2023
10 mins read

While working on multi-tenant applications with single sign-on requirements, we came across SAML. We found it secure and reliable, but we explored many options before settling on the right approach. So we thought it appropriate to share the details in a blog, for easy reference on the SAML process.

SAML Authentication Process:

[Figure: SAML authentication process]

When an unauthenticated user attempts to access a protected resource, they are redirected to the SAML Identity Provider (IdP) with a SAML request. The IdP then authenticates the user and generates a SAML response containing information about the user's identity and permissions. This allows for seamless single sign-on (SSO) across multiple applications and systems that support SAML. With SAML, organizations can ensure secure access to their resources while simplifying the authentication process for users.

The identity provider typically displays a login page where users can enter their credentials. Once users have successfully authenticated with the identity provider, they are redirected back to the service provider along with a SAML assertion that contains information about their identity and any relevant authorization data.

The IdP then sends assertions to the user, which are sent back to the IdP for verification against their database. Once verified, the IdP sends an assertion back to the SP indicating that authentication was successful.

The SAML response is digitally signed by the IdP to ensure its authenticity and integrity. This mechanism enables secure single sign-on (SSO) across different applications and domains, without requiring users to remember multiple sets of credentials.

How to implement SAML on the Service Provider (SP) side?

Obtain the SAML metadata from the Identity Provider (IdP). This metadata contains important information such as the issuer URL, certificate, Single Sign-On (SSO) URL and logout URL. Configure the application or service to act as an SP and provide metadata that describes the available endpoints for SAML.

Parse and validate SAML assertions that are received from the IdP during the authentication process. Depending on the SAML profile being used, there are different ways to do this. For example, we might use the HTTP-Redirect binding to send SAML messages back and forth between the SP and the IdP.

Redirect the user to the IdP's SSO URL to start the SSO process. We will typically include a SAML request in the URL that is sent to the IdP. Receive and process SAML responses from the IdP. This includes checking the signature of the SAML assertion to ensure it was signed with the IdP's private key.

SAML Request

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="620c9d9df97f627afe9dcc24" IssueInstant="2022-11-18T23:52:45Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.example.com/</saml:Issuer>
</samlp:AuthnRequest>

Encoded SAML Request

{
  "data": {
    "initiate": {
      "redirect": true,
      "samlURL": "http://www.samlUrl.com/saml",
      "samlRequest": "fdBLS8NAEMDxe6HfIcw9r7WvDNmUgggBvWjrwduy2bSBfcSdjcnHNwZ7EjwP858fUx4no6Mv5alzlkOeZBApK13T2SuHy/kpPgCr1quShNE9noZws6/qc1AUosnUlnAZcBi8RSeoI7TCKMIg8e308owsybD3LjjpNKxX9SOHHctk0RRNW+zbHduLVhWNlGwDUU00KG0pCBs4sIyxOM/j/HBmD7hluNl+QPR+t85luMtw2fQzqfsl/S8SRMqHOQPVLYQe03Qcx0RNwvRaJdKZtEyXrl66P2fSvx+ovgE=",
      "samlCookie": "eyJyZXF1ZXNOVVJJjoiliwic2FtbEF2c2VydGIvbkIkljoiXzFiZiZmNjViNmVmMDEXMTk2MTc4N2U1N2Q3NjJj¥ig2ino=",
      "error": null
    }
  }
}
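The samlRequest value above is the AuthnRequest in its wire form. As an added example (not code from the post), this builds the same AuthnRequest and applies the HTTP-Redirect binding encoding the post mentions (raw DEFLATE, then base64, then URL-encoding into the query string), plus the reverse step the IdP performs. The SP issuer and SSO URL are the values shown on the page; the optional SigAlg/Signature query parameters of the binding are left out.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the AuthnRequest and JSON shown on the page.
SP_ISSUER = "http://www.example.com/"
IDP_SSO_URL = "http://www.samlUrl.com/saml"


def build_authn_request(request_id: str, issue_instant: str, issuer: str = SP_ISSUER) -> str:
    """Minimal SAML 2.0 AuthnRequest with the same shape as the one shown above."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="{request_id}" IssueInstant="{issue_instant}" Version="2.0">'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: what the IdP does when the request arrives."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def sso_redirect_url(request_id: str, issue_instant: str, relay_state: str) -> str:
    """URL the SP redirects the browser to. The SP must remember request_id (e.g. in the
    session) so it can later check the InResponseTo attribute of the IdP's Response."""
    query = urlencode({
        "SAMLRequest": encode_redirect(build_authn_request(request_id, issue_instant)),
        "RelayState": relay_state,  # where to send the user after login; validate before use
    })
    return f"{IDP_SSO_URL}?{query}"


def request_from_url(url: str) -> str:
    """IdP side: pull SAMLRequest out of the query string and inflate it."""
    return decode_redirect(parse_qs(urlparse(url).query)["SAMLRequest"][0])
```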

Create and store a user session in the application based on the attributes that are contained in the SAML assertion. These attributes can include user ID, name, email address, and group membership.

Support SAML single logout (SLO) to allow users to sign out of all applications and services simultaneously. When initiated from the IdP, the Service Provider should invalidate the user's session and redirect them to a logout page.
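As an added example (not code from the post), the checks an SP should make on a SAMLResponse before creating the session described above, run over a constructed, unsigned sample Response. It assumes the XML signature has already been verified against the IdP metadata certificate by an XML-DSig library (the standard library has none); the IdP issuer, SP entity ID and request ID are assumed values, the last taken from the page's AuthnRequest.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response (not from the page); a real one carries an XML signature.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="620c9d9df97f627afe9dcc24">
 <saml:Issuer>https://idp.example.com/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-11-18T23:53:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2022-11-18T23:52:00Z" NotOnOrAfter="2022-11-18T23:58:00Z">
   <saml:AudienceRestriction><saml:Audience>http://www.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # as POSTed in SAMLResponse


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume(saml_response_b64: str, expected_request_id: str, idp_issuer: str, sp_entity_id: str, now: datetime) -> dict:
    """Checks an SP must make before building a session from a Response. Assumes the XML
    signature has ALREADY been verified by an XML-DSig library against the IdP metadata
    certificate; every check below is meaningless on an unverified document."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported authentication failure")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match a request this SP issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would have to be decrypted first
        raise ValueError("no plain Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        raise ValueError("assertion not issued by the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"userId": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}
```

The returned dict holds the user ID and attributes (email, group membership) that the application session is built from; a replay of the same assertion ID should additionally be rejected by remembering IDs until NotOnOrAfter.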

Client Consume Request with SAML Response

{
  "assertionId": "",
  "redirectURI": "",
  "adfsIdentifier": "",
  "SAMLResponse": "PHNbWswOLIC3BVbINIIEIEPSJZDUSMDATNDCHYmMZOC000TVhLWJmOTMODFKMmUZMDU3YmEWIIBWZX.12aWOUPSIYLIAIEIZC3VISWSZGFUdDOIMIAYMIOWNIOyOFQuwhz010ToXNC400DZaIIBEZXNOaWSaGIVbj0iaHROCHMBLYSXYWN1C3RVDWISZTEXLWNVDNNVDGUUCWEUDHJULMNYDSINCGKVC2FtDHNZbY9jb252aW1IIBDD252ZWS0PS1cm4602F22XMBbmFZXM6IGMBUOFNTDOYLIABY20uc2VudDpNNWZWNDZmIIZCIgSW5SZXNwb252ZVRVPSJZic3MzcxODgANGQANZY4YWYWOTRIMmQ3OTg4YTRIODMilkhtbG5zOnNNbWxwP1JIZ}48LOF1dGhUQ29UAGYdDASLOF1dGhuU3RNAGVIZWSOPVOXNZZXJ0aWIUPIVC2FtOHABUMVZcGOuC2U+"
}

Response with credentials and SLO URL

{
  "userId": 12345678,
  "username": "",
  "error": "",
  "slourl": "/logoutUrl/"
}

Lessons learned

We used the initiate and consume methods, which are the standardized approach to authentication in SP-initiated SAML.

We integrated an encoded private or public key per tenant to create an encrypted SAML request for each tenant.

To Summarize

SAML is used to implement the security framework independently of the platform architecture, making security less dependent on application logic. With SAML, third-party users can access multiple web applications using single sign-on.

For further details, please refer to the link below.

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
