Single sign-on (SSO) is an authentication mechanism that allows a user to log in to several linked but separate software systems using a single set of credentials. Two basic entities take part in Single Sign-On (SSO) -
- Identity Provider (IdP) - This entity is in charge of verifying the user's identity and communicating user information to the Service Provider (SP). In a nutshell, the identity provider delivers identification data.
- Service Provider (SP) - This entity is responsible for providing services to the user. It obtains the user's identity from the IdP.
Consider the following scenario to better understand SSO: You've recently started working at XYZ, a new company. You've been given a work email address as well as access to a dashboard. After logging in, you see icons for all of the company's external services, including Salesforce, Jira, and others. When you click on the Salesforce icon, a background procedure occurs, and before you know it, you've signed into Salesforce without ever providing any credentials. All of this is possible because SAML is in use.
SAML stands for Security Assertion Markup Language; it is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).
The IdP and SP entities must be aware of the following in order to successfully interoperate -
- The public key(s) used by the entities for encryption or authentication
- The endpoints associated with the entities
- Supported identifier formats
- Supported attribute formats
This information is shared between the IdP and the SP by exchanging their respective metadata files (usually sent over email). As a result, a basic understanding of the different tags used inside SAML metadata is required in order to set up the configuration correctly.
SAML IdP Metadata example (Obtained from OneLogin) -
The following are the basic tags/attributes of the SAML Metadata -
- EntityDescriptor - It describes the features of an entity.
- xmlns - It defines an XML namespace.
- EntityID - This attribute describes a unique identifier for identifying the entity.
- IDPSSODescriptor - It describes the SSO identity provider's information.
- KeyDescriptor - Provides information about one or more public keys associated with the entity being described. The use attribute describes the key's function: individual keys can be tagged for either signing or encryption. The key in the current example is labeled "signing".
- KeyInfo - Container for describing keys.
- X509Certificate - The certificate holding the public key associated with the IdP. The SP uses this public key to verify the signatures on the SAML responses it receives.
- SingleLogoutService - Describes the endpoint (URI) to which the entity must send logout requests.
- Binding - Indicates the transport the IdP uses for exchanging messages. In the current example, the HTTP-Redirect binding is used. Alternatively, the HTTP-POST or HTTP-Artifact binding can be used.
- Location - The SP sends its messages to the URL given in the Location attribute of the IdP metadata.
- SingleSignOnService - Specifies the endpoint at which the IdP handles the authentication requests received from the SP.
SAML SP Metadata example -
Additional tags and attributes may be included in the SP/IdP metadata file. The scope of this blog does not allow for a detailed description of each tag and attribute. For further details on all of the tags and attributes, see the following OASIS document - Oasis metadata guide
Reading the metadata and establishing SAML SSO can be a time-consuming task. Building or using a SAML metadata parser can help speed things up. You'll find a custom implementation at SAML Metadata Parser. The parser can read an XML string or file and return a SAML object that includes all of the necessary IdP and SP configuration. It can also convert the output to a SAML Passport compatible format. This project could be expanded to automatically configure database values, making the entire process more efficient.
That's all for today. There's a lot more to talk about, but I'll leave you with the reading list and the SAML Metadata Parser project I mentioned before.