Integration of SAML 2.0 Okta with Google Identity Provider - google-cloud-platform

I need to integrate SAML 2.0 with our app using Google Identity Provider
Hi
Our app is currently using Google Cloud Platform and Firebase in its architecture, and I've been assigned to integrate SAML 2.0 using Okta into the app. I am really confused by the different terms I've seen on both platforms. I've been following the guides on Okta and Google Cloud Platform but am still unable to crack this problem.
My questions are from both the Okta and the Google Cloud Platform side, which I'll ask here one by one.
Okta, when creating a new Application:
Audience URI (SP Entity ID): what is this?
Default RelayState: what is this?
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
Now Google Identity Provider is asking for some fields; all I need to know is which fields of Okta are relevant to the Google Identity Provider fields:
idpEntityId
providerId
rpEntityId
ssoUrl
I know this is a very basic question. But any help would be really appreciated.
Thanks

Implementation of the Okta app, with descriptions:
Single sign on URL : The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
ex: https://your.domain.name/Controller/Action
Audience URI (SP Entity ID) : The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.
ex: https://your.domain.name
Default RelayState: Identifies a specific application resource in an IdP-initiated Single Sign-On scenario. In most instances this is blank.
ex: keep this blank.
Using Attribute Statements you can pass the user's email, first name and last name fields to the service provider.
After completing setup, on the "Sign On" tab click "View Setup Instructions", where you can get the "Identity Provider Issuer" detail, like: http://www.okta.com/XXXXXXXXXXX
where "XXXXXXXXXXX" is unique (your app identification).

For the Google Identity Provider fields:
idpEntityId: The SAML IdP entity identifier.
providerId: The unique provider identifier. For a SAML provider, this must be prefixed by saml.
rpEntityId: The SAML relying party (service provider) entity ID. This is commonly the URL of the app. On the SAML identity provider, this is referred to as the audience. So this would be Audience URI or SP Entity ID from Okta.
ssoUrl: The SAML IdP SSO URL (Identity Provider Single Sign-On URL). This has to be a valid URL.
I found these links that may help you integrate SAML 2.0 with your applications. You can find how to Manage SAML and OIDC providers here [1], and how to use Okta to authenticate users here [2], and how to sign in users with SAML here [3].
[1] https://cloud.google.com/identity-platform/docs/managing-providers-programmatically#node.js
[2] https://cloud.google.com/endpoints/docs/openapi/authenticating-users-okta
[3] https://cloud.google.com/identity-platform/docs/web/saml#redirect
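To make the field mapping above concrete, here is an added example (not code from the answer or from Google's documentation) that builds the Identity Platform SAML provider object from the values Okta shows under "View Setup Instructions" and checks the two constraints the answer states: providerId must be prefixed with "saml." and ssoUrl must be a valid URL. The object shape matches the Firebase Admin SDK's createProviderConfig() argument; all Okta and project values below are constructed placeholders, and the callbackURL is an assumed example value.

```javascript
// Constructed sample values standing in for what Okta's setup page shows.
const OKTA_SETUP = {
  identityProviderIssuer: "http://www.okta.com/exkPLACEHOLDER",               // Okta: Identity Provider Issuer
  identityProviderSsoUrl: "https://example.okta.com/app/myapp/exkPLACEHOLDER/sso/saml", // Okta: IdP Single Sign-On URL
  audienceUri: "https://your.domain.name",                                     // Okta: Audience URI (SP Entity ID)
  x509Certificate: "MIIC...PLACEHOLDER...",                                    // Okta: X.509 signing certificate
};

// Map the Okta values onto the Google Identity Platform fields, validating as we go.
function buildSamlProviderConfig(okta, providerSuffix, callbackURL) {
  const providerId = `saml.${providerSuffix}`;
  if (!/^saml\.[A-Za-z0-9_-]+$/.test(providerId)) {
    throw new Error(`providerId must be "saml." followed by an identifier, got ${providerId}`);
  }
  let sso;
  try {
    sso = new URL(okta.identityProviderSsoUrl); // throws if not a valid URL
  } catch (e) {
    throw new Error(`ssoUrl is not a valid URL: ${okta.identityProviderSsoUrl}`);
  }
  if (sso.protocol !== "https:") {
    // The browser is redirected here carrying the AuthnRequest, so insist on TLS.
    throw new Error("ssoUrl must use https");
  }
  return {
    providerId,                                // Google: providerId
    displayName: "Okta",
    enabled: true,
    idpEntityId: okta.identityProviderIssuer,  // Google: idpEntityId  <- Okta: Identity Provider Issuer
    ssoUrl: okta.identityProviderSsoUrl,       // Google: ssoUrl       <- Okta: IdP Single Sign-On URL
    x509Certificates: [okta.x509Certificate],  // used to verify the assertion signature
    rpEntityId: okta.audienceUri,              // Google: rpEntityId   <- Okta: Audience URI (SP Entity ID)
    callbackURL,                               // must equal the Single sign on URL (ACS) entered in Okta
  };
}
```

The returned object is what you would pass to the Admin SDK's auth().createProviderConfig(); that network call is deliberately left out so the mapping runs offline.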

Related

Finding the correct SAML Identity provider to authenticate a user

I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to how to enable multi-tenancy for Identity Platform and Creating a sign-in page for multiple tenants.

Configure Single Sign On with federated Identity Providers via WSO2 IS

Logging in to an application using federated IdPs such as Google or Facebook with the OIDC/SAML protocol: what do we need to prepare for it? Any advice?
Example:
XYZ application is an IdP (Identity Provider) like Google or Facebook.
1. XYZ application will be the central user identity provider.
2. Log in to another application with XYZ login credentials.
3. Log in to another application directly in the same browser (i.e. without being redirected to the XYZ application).
4. We are using WSO2 IS version 5.10.
According to the description, XYZ is an Identity Provider similar to Google or Facebook. This XYZ has the user identities, and you want to log in to an application using this XYZ IdP through the WSO2 IS.
WSO2 IS supports federated authentication using standard protocols such as SAML, OIDC and WS-Federation.
You can refer to this documentation to understand further on this identity federation. You can use the default OIDC authenticator or SAML authenticator to add the XYZ as a federated IDP to WSO2 IS.

How to set up Okta as SAML IDP in AWS Cognito User Pool?

I will want to use Okta as SAML 2.0 based IDP, AWS Cognito as service provider, and Cognito user pool to have federated IDP configuration.
I have followed all the steps mentioned on the AWS sites listed below:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html
https://aws.amazon.com/blogs/mobile/amazon-cognito-user-pools-supports-federation-with-saml
Okta does not provide any support or documentation: https://support.okta.com/help/answers?id=9062A000000QucAQAS&feedtype=SINGLE_QUESTION_DETAIL&dc=xSAML&criteria=OPENQUESTIONS&
Please note that I have tried Okta as IDP, established trust with AWS IAM, and an Okta user can log in to my AWS account. This works fine following the detailed documentation provided by Okta. However, my need is different: I would like to use Okta as SAML IDP in my AWS Cognito user pool.
Any detailed documentation containing configurations to be done at both ends i.e. AWS and Okta, will be helpful.
I did set up Okta with Cognito through SAML with the following:
Okta side:
Single sign on URL will be your cognito SAML endpoint in the form of:
https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse (see under your user pool, "App integration" -> "Domain name" for the first part of the URL).
Audience URI (SP Entity ID) will be the URN of your cognito user pool: urn:amazon:cognito:sp:<yourUserPoolID> (see your user pool "General Settings" for that pool ID).
Attribute statements: you want to add whatever attribute you set as mandatory in your pool; in my case it was email.
Cognito side - User pool:
Federation -> Identity providers: Choose SAML and import the metadata.xml from Okta.
Get to your App client settings, under App integration, and enable the newly created IDP.
Cognito side - Identity pool:
Under authentication providers, SAML tab, you'll be able to check the Okta provider checkbox as you mentioned that you already have it as a trusted provider under IAM.
That should be about it.
Resources that were of help: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
EDIT: It seems that clarification was required on the Audience URI/Audience Restriction Okta setting. As Julien below mentioned, it is in the form of urn:amazon:cognito:sp:region_randomid (i.e. urn:amazon:cognito:sp:eu-west-1_SdsSdwSD3e); you don't need to add the region yourself.
Disclaimer: I'm not a SAML expert
We had to face the same problem here.
After authentication in Okta we were redirected to the Cognito login screen.
I tried to follow the advice from WenWolf with no success.
I analyzed the SAML flow using the SAML-tracer extension in Firefox.
An error message was hidden in the redirect URI after the assertion POST.
GET https://XXXXX?error_description=Error+in+SAML+response+processing%3A+Audience+restriction+in+SAML+Assertion+does+now+allow+it+for+urn%3Aamazon%3Acognito%3Asp%3Aeu-west-1_YYYYYYYY+&state=e4314f8a-e321-4302-91fe-2a4657a9c582&error=server_error HTTP/1.1
Which gives you:
Error in SAML response processing: Audience restriction in SAML Assertion does now allow it for urn:amazon:cognito:sp:eu-west-1_YYYYYYYY
To fix it in Okta:
Change the Audience Restriction field in Okta by replacing the value initially recommended in the documentation and the blog,
urn:amazon:cognito:sp:IDFoundInAppIntegrationAppClientSettings
with the value indicated in the error message:
urn:amazon:cognito:sp:eu-west-1_YYYYYYYY
This ID also appears in the auto-generated group in Cognito General settings > Users and groups.
PS: Keep the other advice on NameId and required attribute mapping, which need to be consistent on both sides.
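The redirect Julien captured carries the expected audience only in URL-encoded form, so here is an added example (not part of the answer) that decodes such a redirect and pulls out the urn:amazon:cognito:sp:... value Cognito expected, which is exactly the string to put in Okta's Audience URI field. The request line below is constructed from the one in the answer, with a placeholder callback host.

```javascript
// Constructed copy of the redirect seen in SAML-tracer after the assertion POST.
const CAPTURED_REDIRECT =
  "https://app.example.com/callback?error_description=Error+in+SAML+response+processing" +
  "%3A+Audience+restriction+in+SAML+Assertion+does+now+allow+it+for+" +
  "urn%3Aamazon%3Acognito%3Asp%3Aeu-west-1_YYYYYYYY+&state=e4314f8a-e321-4302-91fe-2a4657a9c582" +
  "&error=server_error";

// Decode the query string and, for an audience-restriction failure, recover the
// SP entity ID Cognito wanted so the Okta side can be corrected.
function diagnoseCognitoRedirect(redirectUrl) {
  const params = new URL(redirectUrl).searchParams; // decodes %xx and '+' (as space)
  const error = params.get("error");
  const description = (params.get("error_description") || "").trim();
  if (!error) {
    return { ok: true }; // no OAuth-style error on the callback, nothing to diagnose
  }
  // Cognito user pool SP entity IDs look like urn:amazon:cognito:sp:<region>_<poolId>
  const m = description.match(/urn:amazon:cognito:sp:[a-z]{2}-[a-z]+-\d+_[A-Za-z0-9]+/);
  return {
    ok: false,
    error,
    description,
    audienceMismatch: /Audience restriction/i.test(description),
    expectedAudience: m ? m[0] : null, // value to put in Okta's Audience URI (SP Entity ID)
  };
}
```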

WSO2 Identity / Setup of Federated Authentication using SAML

The basic topology is like this:
WSO2 IS as my service provider and takes care of authorization via XACML, our existing internal IdP takes care of corporate authentication (SAML, Oauth2).
I'd like to receive guidance about best practice for configuring outbound federation using the WSO2 IS as a proxy for the SAML protocol. Is it correct to separate the user ID domain by creating a so-called "tenant" in order to route the SAML requests through an outgoing STS connection to an external primary IdP? Is this configured under Identity Provider - add Identity Provider - Federated Authenticators - WS Federation Passive Configuration?
Domains and Tenants?
As an example, I would like to configure an account like this. ID = falb#red.com, where the federated lookup will forward my request to the IdP responsible for the domain "#red.com". Is there any discovery, or smart routing mechanism available that is able to identify the "red.com" domain, without need of creating a tenant?
XACML Access?
In a more advanced scenario, once we have a federation between the WSO2 server and an external IdP, is a service provider (a web application server) able to dispatch a PEP request by attaching a SAML token, without preceding entitlement routines such as entering a login and password? Is there an entitlement routine in place that accepts SAML tokens on the PDP side and validates them through the SSO federation mechanism?
Thanks in advance for your guidance.
Regards
Claude

WSO2 Identity server - Restricting access to SSO service

My understanding of SAML and WSO2 is very basic, so sorry in advance. I'm wondering if access to an SSO service can be restricted to a subset of users?
Yes, you can restrict access to a SAML SSO Service Provider to a subset of users. This is an authorization requirement indeed. When the service provider redirects the user to the Identity Provider (in this case the WSO2 Identity Server), the service provider can request claims about the user from the Identity Server (claims such as Role, Email, Age, Country etc.). Then, after successful authentication of the user at the Identity Provider, the Identity Provider will send those claim values to the SSO Service Provider along with the SAML Response message. The SSO Service Provider can read these claims and decide whether it should let the user access the service or not (for example, by looking at the Role claim: if the user has a particular role, the SSO Service Provider allows the user; if not, it refuses).
I think that according to the SAML specification, the Identity Provider can return an error state. It has an element in the SAMLResponse dedicated to this -> Status. But WSO2 Identity Server (up to 5.0.0), as far as I know, doesn't automatically support this behavior. One would have to change the WSO2 authorization code to achieve this behavior...
Source:
SAML 2.0 Overview - line 1131, chapter: 3.2.2.2 Element
<samlp:Response
  ...
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode
      Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...
Instead of Success IdP can return:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
or similar... see:
SAML2.0 handling SSO error
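The point of the Status element above is that the service provider must look at it before touching any assertion. Here is an added example (not from the answer or from WSO2) of that SP-side check over two constructed responses: a Success response with an assertion, and a Responder/AuthnFailed response carrying no assertion. The regex extraction is only for brevity; a real SP uses its SAML library's XML parser.

```javascript
const SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

// Constructed response: top-level Success, assertion present.
const RESPONSE_OK = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ok1" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="${SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.org/SAML2</saml:Issuer></saml:Assertion>
</samlp:Response>`;

// Constructed response: IdP refused; second-level code says why, no assertion.
const RESPONSE_DENIED = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_denied1" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not in the required role</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>`;

// Read <samlp:Status>: only a top-level Success code lets processing continue.
function readStatus(responseXml) {
  const block = responseXml.match(/<samlp:Status>([\s\S]*?)<\/samlp:Status>/);
  if (!block) throw new Error("Response has no <samlp:Status>; reject it");
  const codes = [...block[1].matchAll(/<samlp:StatusCode\s+Value="([^"]+)"/g)].map(m => m[1]);
  const msg = block[1].match(/<samlp:StatusMessage>([^<]*)<\/samlp:StatusMessage>/);
  return {
    accept: codes[0] === SUCCESS,       // anything other than Success is a failure
    topLevel: codes[0] || null,
    secondLevel: codes[1] || null,      // e.g. AuthnFailed nested under Responder
    message: msg ? msg[1] : null,
    hasAssertion: /<saml:Assertion\b/.test(responseXml),
  };
}
```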