Actually, we use Google IdP as a SSO / SAML authentication type for our application.
We have configured it to connect our users to our application and it works fine.
But recently, we have also wanted to ask a reauthentication to our users for different actions that could happen during the application lifecycle.
In deeper details, when we send a SAML request to the Google Idp, we add the attribute ForceAuthn="true" in the node "AuthnRequest" and we also add a AuthnContextClassRef to ask explicitly that we want a reauthentication by credentials.
When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask credentials to the end user and redirect directly to the application with a successful response.
Is that normal ?
Does the Google IdP support the attribute ForceAuthn="true" ?
I didn't find any documentation on this topic.
Here is an example of the SAML request that has been sent to the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Version="2.0"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="#url_sp"
ID="#id"
IssueInstant="2021-05-31T15:34:19Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
ProviderName="#ip"
IsPassive="false"
ForceAuthn="true">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
#signature_info
</Signature>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Official answer from Google support: "Google doesn't currently implement Single Log out/account reauthentication, for SAML authorized services. You may alternatively have the use of "session lengths"".
Related
Does any one know, how to add additional assertions in a SAML request to federated iDP? The problem is that there is no nameID in SAML request:
?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="https://testserver.domain.local:9443/commonauth"
Destination="https://idp.eu.safenetid.com/auth/realms/XXXXXXXXXX-STA/protocol/saml"
ForceAuthn="true"
ID="_b53cdb3765c8b92fa51d6079a061deaf"
IsPassive="false"
IssueInstant="2021-02-03T10:45:48.275Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">WSO2</samlp:Issuer>
<saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
We configured federated iDP - SafeNet and wont to use it as second factor auth.
I configured 2 steps in SP where first step is basic auth and second step is federeted iDP - SafeNet (Saml2webSSO). But, as you can see WSO2 do not include nameID in request and username do not populated on safenet login page. May be we can, some how, configure what to include in SAML request?
You can enable NameID Policy in the authentication request by enabling the Include NameID Policy configuration in your IDP configuration. (Identity Provider > Federated Authenticators> SAML2 Web SSO Configuration )
You can add the requested NameID policy as well in the NameID format config.
I've been trying to integrate SAML with WSO2 cloud.
I have some successful experience with other vendors like onelogin, okta, ping one.
But I get a obscure 500 error with wso2.
I get a 500 error with every request I try.
I don't need much - just a SAMLRequest format that will work for WSO2.
For example, now I'm passing:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" IssueInstant="2017-04-29T08:40:39.677Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
I defalate, base 64 encode and url encode it.
I tried different variations but nothing works
thanks
The request has no value for the Issuer element. Why would any IDP accept a request from an unidentified SP? You need to use a value that identifies the SP and that was previously registered out-of-band with the IDP.
Can you explain a bit more what you are trying to do here. Is that enable SAML based authentication via wso2 cloud for one of your application ? If that is the scenario, you need to login to Identity Cloud [1] and configure a service provider as described in [2]. Then only you can send SAML request to Identity Cloud for authentication.
[1] https://identity.cloud.wso2.com
[2] https://docs.wso2.com/display/IdentityCloud/Configuring+SSO+for+Custom+Applications
Once Service provider is configured to accept SAML requests as described in previous links, you can send standard SAML request to Identity Cloud. Sample SAML request is given bellow. Note that AssertionConsumerServiceURL, Destination, Issuer attributes should be changed as relavant for you. Each tenant gets a separate SSO service URL, which is in the format of "https://identity.cloud.wso2.com/identity/t/{TenantDomain}". This will be the value for "Destination" in SAML request.
<samlp:AuthnRequest AssertionConsumerServiceURL="http://apps.com/travelocity/home.jsp"
Destination="https://identity.cloud.wso2.com/identity/t/demo1org"
ForceAuthn="false"
ID="a9b1b4992f048bb1004677207cc97097a73e47cdaf4ba21360ef8cf38dc76702"
IsPassive="false"
IssueInstant="2017-05-02T12:59:45.409Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</samlp:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Issuer"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
/>
<saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
Could you please explain why the WSO2 Travelocity test application requests a "Domain Name" input field in the sign-in screen, when the WSO2 is configured to use, beside basic auth, also a federated authentication mode (WS Release 5.1 - Advanced Configuration). What is the reason to request the domain name part, as for external authentication, for example by use of SAML protocol, I expect to see a redirect onto the external IdP login screen. Apparently the Login redirect is rejected due to this missing input field at the Domain Name. Is there a sample configuration and use case available for setup of outgoing IdP federation?
Further Details from Testings
I've updated the IdP configuration following the WSo2 setting which describes the federation effort with help of Shibboleth products (see below). After this change now I see a login screen from the external IdP ("zee") as well as an interchange of messages between the browser and the external IdP. I also see a SAML POST message in the SSO protocol tracer plugin of the Browser, displaying a long list of claim assertion data, which signals that Login was successfully processed, returning the profile data of my account.
At the Travelocity service provider (SP), now I see the following error message at the screen:
"The entity name must immediately follow the '&' in the entity reference."
I've validated the SAML feedback data and its XML format consistency using an online XML validator, which passed successfully for SAML response XSD format. Such type of XML parser errors are often caused by use of special characters, but its not the case at the current assertions and tests.
The issue happens inside the Travelocity which has difficulties to read the SAML assertion data.
Suggestions from the community how to parse the SAML feedback data using the Travelocity tool, are welcome.
Refer https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On for configuring Basic scenario with travelocity app
To configure federated authenticators:
https://docs.wso2.com/display/IS510/Federated+Authentication
For Advanced Configuration with Multiple Authenticators
https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
Refer https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider as an example use case.
It seems that you have custom authentication since you have domain name filed at the login prompt.
I have a site that has SAML enabled security on it's web services. How can I use urllib2 to access this site? Are there any examples showing what I have to do in order to get this to work?
When I access a SAML secure site, should the service url automatically re-direct me to the SAML login site?
Thank you
Answering your second question first: yes, when there is an authentication attempt against a SAML secured resource by an unauthenticated user, the site will redirect to the identity provider.
I'm not particularly familiar with SAML secured web services. The magic words to ask the provider of the resource is what SAML Binding is used. The OASIS spec is at https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf See the sequence diagram on page 25 of 69 : the Enhanced Client or Proxy (ECP) Profile would work well for a webservice.
I'm considering securing a whole Java EE software platform with OpenAM (prev. Sun OpenSSO). Applications - running on WebLogic AS - would be secured by a JEE Policy Agent and web services with WS-Security SAML Token Profile.
As of my understanding, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML protected Web Services, I need to obtain a SAML Assertion from OpenAM. Can anybody tell me how to do so ?
Also, in the Web Service code, I may need to get back a SSO Token from a SAML assertion. Is that possible ?
You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.
The SSOToken is an internal OpenAM representation of a users session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.
In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. The is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client) who can include this token as per the relevant WS-* standards.
You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.