Demystifying Federated IAM SSO with SAML: It doesn't have to be a nightmare [P1]

Web development Nov 06, 2020

You work at a B2B company, or you are an independent developer or startup with a business idea to provide a service or sell a product to a large company. Your product needs to be used by that company's employees. You have a problem: you need to strip your own authentication from your product and integrate the federated SSO that company uses. You begin to sweat. Profusely.

A lot of terms will be thrown at you at random: Encryption, Decryption, PKI, Federation, IAM, SP, IdP, SP-Init IdP, IdP-Init SP, Certificate, handshake and milkshake (I made that one up).

Authentication and authorization is a known problem. Nothing new, nothing fancy. In the end you may get a pat on the back and some kudos if it ships without bugs, but you should really give yourself a thumbs up. With that being said, please read on.

What is SSO

SSO, short for Single Sign-On, is a mechanism for authenticating a person to a service via a trusted third party. One example is "Sign in with Google/Facebook/GitHub".

SSO is used for authentication via a trusted third party.

You trust Facebook to perform an identification of the user, and Facebook provides you some data about the user who requested the sign-in. You do not need to have an authentication mechanism of your own in place, which is a good thing: you can't build one better than Facebook's. You bet Facebook can accurately identify a user, even when he/she doesn't want to be identified.

Different mechanisms for SSO

SSO primarily happens over one of two mechanisms, OAuth2 or SAML. OAuth2 is actually a great standard, and not all that different except that it uses JSON as the data interchange format. In this article we're going to discuss SAML and its nightmarish use case: Federated SSO.

What is IAM

IAM stands for Identity and Access Management. You can request a user's phone number, and she might choose not to share it with you. Because of that, you might disable her OTP-based password recovery. That is a very simple scenario.

On a broader scope, Identity Management refers to the practice of establishing identity only: this is Tim, and here is some additional information associated with him. Access Management, on the other hand, is basically: Tim, with this information, has access to this part of the office.

IAM then would say: this is Tim, with this information, and please let him enter because IAM said so.

What is Federated SSO

Federated SSO is when an SSO service chooses to do some gatekeeping: the SSO is used across different systems, sometimes across companies as well, and it selectively lets some users in and keeps others out.

In most enterprise use cases, federated SSO basically means an SSO with IAM functionality built into it. The business can federate and identify using the same service across departments, services and sometimes even organizations.

Providers of Federated SSO

Below are some well-known federated SSO providers. If you are integrating one and yours is not on this list, take a moment to despair, then come back and read on, because help is pretty rare even for these well-known ones, god forbid you end up integrating some unknown service.

  1. ADFS
  2. PingFederate
  3. OneLogin
  4. Okta

What the heck is SAML

SAML, short for Security Assertion Markup Language, is the protocol of choice among many well-known Federated SSO providers. OAuth2 is mostly used by non-federated providers such as GitHub, Stack Exchange, Facebook, Google, etc.

That was a mouthful, what the heck is that again?

A signed and optionally encrypted XML document.

How does it look?

Pretty ugly, like all XML, to be honest. But if you're curious, here's a sample SAML response (wrapping a single assertion) taken from OneLogin's SAMLTool.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
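
Before moving on, here is what a Service Provider should verify in the response above before it believes that "test" is logged in. This is an added example for this article, not code from the original post, from OneLogin or from any SAML library; SpConfig, validate_response and the in-memory seen_ids set are names made up here, and the embedded XML is the sample above, trimmed to the elements the checks use. XML signature verification against the IdP's certificate has to happen before any of this and is not shown, because the sample carries no ds:Signature.

```python
"""Checks a Service Provider makes on a SAML Response before trusting it.

Added example for this article; not code from the original post or from any
SAML library. SpConfig and validate_response are names invented here. Signature
verification is deliberately out of scope: a real SP must verify the IdP's XML
signature over the Response/Assertion before any check below means anything."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=3)  # tolerate small IdP/SP clock drift

# The OneLogin SAMLTool sample from the article, trimmed to the parts the checks use.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0"
  IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs"
  InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject><saml:NameID>_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs"
          InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
      <saml:AudienceRestriction><saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

@dataclass
class SpConfig:
    entity_id: str                    # must appear in <saml:Audience>
    acs_url: str                      # must equal Destination and Recipient
    idp_entity_id: str                # must equal both <saml:Issuer> elements
    request_id: Optional[str] = None  # our AuthnRequest ID (None for IdP-initiated)

SP_CONFIG = SpConfig("http://sp.example.com/demo1/metadata.php", "http://sp.example.com/demo1/index.php?acs",
                     "http://idp.example.com/metadata.php", "ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685")
NOW = datetime(2020, 11, 6, tzinfo=timezone.utc)  # article date, inside the sample's validity window

def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2014-07-17T01:01:48Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text: str, cfg: SpConfig, now: datetime, seen_ids: set):
    """Return (errors, name_id, attributes); an empty error list means the login may proceed."""
    root, errors = ET.fromstring(xml_text), []
    def check(ok, msg):
        if not ok:
            errors.append(msg)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    check(status is not None and status.get("Value") == STATUS_SUCCESS, "status is not Success")
    check(root.get("Destination") == cfg.acs_url, "Destination is not our ACS URL")
    check(root.findtext("saml:Issuer", namespaces=NS) == cfg.idp_entity_id, "response Issuer mismatch")
    if cfg.request_id is not None:  # SP-initiated: the response must answer the request we sent
        check(root.get("InResponseTo") == cfg.request_id, "InResponseTo does not match our AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # accept exactly one plaintext assertion, nothing else
        return errors + ["expected exactly one Assertion"], None, {}
    a = assertions[0]
    check(a.findtext("saml:Issuer", namespaces=NS) == cfg.idp_entity_id, "assertion Issuer mismatch")
    check(a.get("ID") not in seen_ids, "assertion ID already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    check(cond is not None, "Conditions missing")
    if cond is not None:  # an absent NotBefore/NotOnOrAfter means unbounded on that side
        check(_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) - CLOCK_SKEW <= now, "assertion not yet valid")
        check(now < _ts(cond.get("NotOnOrAfter", "9000-01-01T00:00:00Z")) + CLOCK_SKEW, "assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        check(cfg.entity_id in audiences, "our entityID is not in the Audience")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    check(sc is not None and sc.get("Method") == CM_BEARER, "not a bearer SubjectConfirmation")
    check(scd is not None and scd.get("Recipient") == cfg.acs_url, "Recipient is not our ACS URL")
    if scd is not None:
        check(now < _ts(scd.get("NotOnOrAfter", "9000-01-01T00:00:00Z")) + CLOCK_SKEW, "subject confirmation expired")
        if cfg.request_id is not None:
            check(scd.get("InResponseTo") == cfg.request_id, "SubjectConfirmationData InResponseTo mismatch")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not errors:
        seen_ids.add(a.get("ID"))  # a real SP keeps this in a shared store until NotOnOrAfter
    return errors, a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, NOW, set()))
```

Run as a script it prints an empty error list, the transient NameID and the two attributes; feeding the same response a second time with the same seen_ids set is rejected as a replay, and evaluating it with a clock past NotOnOrAfter reports both the assertion and the subject confirmation as expired. Each of these checks corresponds to a "MUST" in the SAML 2.0 Web Browser SSO profile for bearer assertions, and skipping any one of them (Audience and InResponseTo are the ones most often forgotten) is how an SP ends up honouring an assertion that was minted for someone else.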

We are getting ahead of ourselves. Let's take a step back and get an overview of SAML.

SAML: The Standard Parties

In SAML there are two types of entities, and an assertion is basically a bilateral agreement between an application and a federation.

  1. Service Provider or SP: The party that provides a service
  2. Identity Provider or IdP: The party that provides Identity and Access Management

Sohan Basak

Hi, I am Sohan. A software engineer by profession, I am really passionate about algorithms, AI/ML, Maths and Physics. Play the guitar as a hobby, the maths behind music is fascinating.