How does processing a SAML assertion work? - web-services

I need to be the service provider in a SAML solution and want to know how the processing of assertions works. I could not find the answer here.
I imagine the assertion would say something like: "I'm John Doe, my ID is: 999"? Do I need a user list that is "in sync" with the identity provider? Do I need an Access Control list that has the same IDs as the SAML assertions?
Scenario: I have a database with ACLs. I will be the Service Provider while a remote 3rd-party system will be the identity provider.
I don't understand how a remote system would know what users I have in my Access Control lists to be able to authorize anyone.

The mapping between user ids at the IdP and users at the SP is not covered by the SAML spec itself. I'd suggest you look at section 5.4, "Establishing and Managing Federated Identities", in SAMLOverview. That should help you determine the most appropriate approach for your scenario.
For the system I work on (which serves as SP for multiple clients/IdPs), we have a mechanism by which clients can associate their own identifiers with users on our system; this mechanism is outside of the SAML implementation. When clients send us SAML assertions, we expect those assertions to identify users using those identifiers (as well as identifying the client themselves using another shared identifier).
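The answer above describes the mapping as something the SP keeps outside SAML: the assertion carries an issuer and a NameID, the SP looks that pair up in its own federation table to find a local user, and only then consults its own ACL. The following is an added example of that processing step (it is not code from the answer's author or from any SAML toolkit); the entityIDs, the NameID value 999, the federation table and the ACL are constructed, and it assumes the XML signature has already been verified by the SAML library before the assertion reaches this code. Beyond the question's case it also enforces the assertion's validity window and audience, which an SP must check before trusting anything else in it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical entityID of this service provider; assertions must name it as an Audience.
SP_ENTITY_ID = "https://sp.example.org/metadata"

# Constructed federation table, maintained outside SAML (for example populated when
# an account is linked): (IdP entityID, NameID value at that IdP) -> local user id.
FEDERATED_IDS = {
    ("https://idp.partner.example/metadata", "999"): "local-user-42",
}

# Constructed local ACL keyed by the SP's own user id, never by a value the IdP controls.
ACL = {
    "local-user-42": {"reports:read"},
}

# Constructed assertion as it would look after the SAML library has verified the
# XML signature; this example does not perform signature verification itself.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_c0ffee" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">999</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>John Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC timestamp format used in SAML Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_local_user(assertion_xml, now):
    """Return the local user id for a (signature-verified) assertion, or None if it
    is outside its validity window, not addressed to us, or not mapped to anyone."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    conditions = root.find("saml:Conditions", namespaces=SAML_NS)
    if issuer is None or name_id is None or conditions is None:
        return None

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return None
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return None

    # Audience: an assertion issued for some other SP must not be accepted here.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        return None

    # The federation table is keyed by issuer AND NameID: the same NameID value
    # from a different IdP is a different person.
    return FEDERATED_IDS.get((issuer, name_id))


def is_authorized(assertion_xml, permission, now):
    """Authorization is decided purely against the SP's own ACL."""
    local_user = resolve_local_user(assertion_xml, now)
    if local_user is None:
        return False
    return permission in ACL.get(local_user, set())


if __name__ == "__main__":
    now = parse_saml_time("2024-05-01T12:01:00Z")
    print(resolve_local_user(ASSERTION, now), is_authorized(ASSERTION, "reports:read", now))
```

The IdP never sees the ACL; it only asserts "this is subject 999 of IdP X", and everything after that lookup is local. An assertion whose issuer or NameID is not in the federation table resolves to nobody, which is the safe default for an unlinked account.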

Related

Kerberos administrator authorization

I'm writing a Linux application that integrates with MS Active Directory. For this purpose I'm using Kerberos. I've already implemented a mechanism that authenticates a domain user with given credentials, but now I want to check if the user is a member of the administrators group.
So I have creds obtained from the function:
error = krb5_get_init_creds_password(context, &creds, principals,
password.c_str(), NULL, NULL, 0, NULL, NULL);
And here I want to implement the logic that authorizes the user/administrator:
if(!error) {
// admin check
}
I'm thinking of using the krb5_verify_init_creds function but I'm not sure how I can do that.
Kerberos does not do authorization, only authentication (i.e. it can figure out who you are, but not what you are allowed to do).
In general, once you have the Kerberos ID, you would ask some authorization service what that ID is allowed to do. In this case, the most straightforward thing to do is to make an LDAP query to find out if the user is a member of the group you are interested in.
MS Kerberos violates this principle by adding extra group information that AD knows about to the Kerberos service tickets. However, I am not aware of any standard Kerberos APIs that provide access to this information.
As Fred noted, Kerberos is for authentication, not for authorization. While a Kerberos ticket issued by an AD DC contains an MS-PAC record with additional information about the membership of the AD object mapped to this Kerberos principal, you need more than just knowing the format of the records presented in the ticket to make use of it.
In a typical Linux environment your application is better off relying on the PAM stack to decouple the authentication and authorization steps. Typically a PAM session setup is used to run authorization checks. If your Linux machines are configured to use SSSD (either with id_provider = ad or with id_provider = ipa and a cross-forest trust between FreeIPA and AD), you can rely on pam_sss to handle both authentication and authorization steps via SSSD.
Recent versions of SSSD support GPO-based access by mapping GPO logon rights to PAM services.
With SSSD your AD users and groups would be presented as POSIX users and groups. This allows you to build simple access control based on group membership, which you can obtain via the getgrouplist(3) call after you have mapped the Kerberos principal to a local user name with krb5_aname_to_localname().
If you still need additional information about the user mapped from the Kerberos principal, you can utilize the infopipe interface of SSSD. The information available through infopipe is gathered from both the Kerberos ticket (when available) and AD LDAP (Global Catalog or DC directly). By using infopipe you wouldn't need to resolve SIDs in the MS-PAC to names, resolve group membership or verify the signatures of the MS-PAC and other components of the ticket, as SSSD does it for you. See https://fedorahosted.org/sssd/wiki/DesignDocs/DBusResponder and http://www.adelton.com/apache/mod_lookup_identity/ for practical implementations.
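The two-step check the answer describes (principal to local name, then POSIX group membership via getgrouplist) looks like this as an added example; it is not code from either answer or from SSSD, and it is written in Python using the pwd, grp and os modules, whose os.getgrouplist() is the counterpart of getgrouplist(3). The principal_to_localname() function is a deliberately simplified stand-in for krb5_aname_to_localname(): it implements only the default auth_to_local behaviour (a single-component principal in the default realm maps to the user of the same name), so a real deployment would call the krb5 function instead. The realm EXAMPLE.COM and the group name are constructed values.

```python
import grp
import os
import pwd


def principal_to_localname(principal, default_realm):
    """Simplified stand-in for krb5_aname_to_localname() with the default rule:
    'user@DEFAULT.REALM' -> 'user'; anything else (other realm, service
    principals like host/www@REALM, empty name) maps to nothing."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm != default_realm or "/" in name:
        return None
    return name


def user_in_group(username, groupname):
    """Group check against the POSIX identity that SSSD (or /etc/passwd) presents,
    the same data getgrouplist(3) consults. Unknown user or group -> False."""
    try:
        pw_entry = pwd.getpwnam(username)
        gr_entry = grp.getgrnam(groupname)
    except KeyError:
        return False
    # os.getgrouplist() includes the primary gid passed in plus all supplementary gids.
    gids = os.getgrouplist(pw_entry.pw_name, pw_entry.pw_gid)
    return gr_entry.gr_gid in gids


def is_admin(principal, default_realm, admin_group):
    """Authorization decision for an already-authenticated Kerberos principal:
    fail closed if the principal does not map to a local account."""
    local_user = principal_to_localname(principal, default_realm)
    if local_user is None:
        return False
    return user_in_group(local_user, admin_group)


if __name__ == "__main__":
    # Constructed values; on a domain-joined host the group would be the AD
    # admins group as SSSD exposes it (for example "domain admins").
    print(is_admin("root@EXAMPLE.COM", "EXAMPLE.COM", "root"))
```

The decision deliberately goes through the local name and the POSIX group database rather than through anything in the ticket, which is the decoupling the answer recommends: authentication produced the principal, and authorization is a separate lookup the host's identity stack already answers.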

How to link developer authenticated user across devices in Cognito

I'm just trying to get a handle over this framework and I want to confirm that my approach is correct.
I can authenticate my own user using the getOpenIdTokenForDeveloperIdentity method, supplying an IdentityPoolId and a Logins key-pair with my developer provider name and a token which I provide.
Now, from what I understand, when the user logs into a second device, in order for Cognito to understand that this is the same user, I have to provide it with an IdentityId. However, I'm not sure of the best way to get the IdentityId programmatically so that it will match up with the initial login.
The only technique I can think of is to store the IdentityId in my own DB and provide my own method for retrieving it. Is this the best way? Or should I be working with this framework differently?
I'm still a beginner to AWS in general and I'm just trying to understand the best practices for this framework.
BTW, I'm implementing the Android SDK and the PHP SDK for my backend.
When you use getOpenIdTokenForDeveloperIdentity, it returns the identity id associated with the user identifier you provided. So if the user identifier you use is the users' username, when you call getOpenIdTokenForDeveloperIdentity with that same username from the second device, it will return the associated identity id. There is no need to store the identity id unless you want to, it is provided to you each time you call getOpenIdTokenForDeveloperIdentity.
This blog post may be of further help:
http://mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident
When you use Cognito, your user first authenticates with an Identity Provider (such as Facebook, Google or another OAuth provider), and the token you get back from it is sent to Cognito and is the key to tying your users' information together across logins on other devices.
You don't need to store this information in a database, unless you are writing your own custom identity provider and not using one of the public ones available.

Building an Oauth2 API service, what is the use of client_secret

Good morning, we are a little company in Europe, and we need to set up some web services for internal and external use. We decided to implement authentication for those web services, and I thought of implementing OAuth2 authentication. The problem is the following (besides the fact that I've only used the OAuth2 standard one time): I do not really understand the use of the "client_secret" from the point of view of the service provider. Isn't the client_id enough to identify a client? Why exactly is the client_secret needed, and how is it to be implemented in the general logic of the application?
Thank you for any response.
You want to make sure that the client requesting credentials is who you think they are, and the client ID is used in requests that users can see (in the URL). Without a client secret anybody could pretend to be any client application to trick users into granting access.
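To make the answer concrete, here is an added example (not from the answer's author or any particular OAuth2 server) of how a token endpoint can use the client_secret: the client_id is public and only names a client, while the secret, presented out of the user's sight on the back channel, proves that the caller really is that client. The registry, client ids and grant-type policy are constructed; the example stores only a salted PBKDF2 hash of the secret and compares in constant time, and it also shows the other side of the answer's point, namely that a client registered without a secret cannot prove its identity and so (per RFC 6749) may not use the client_credentials grant.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory registry; a real service keeps this in its database.
CLIENTS = {}


def _hash_secret(secret, salt):
    """Slow, salted hash so a leaked registry does not leak usable secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def register_client(client_id, confidential=True):
    """Register a client. Confidential clients (server-side apps) get a secret,
    returned exactly once; public clients (mobile, SPA) cannot keep one."""
    secret = secrets.token_urlsafe(32) if confidential else None
    salt = os.urandom(16)
    CLIENTS[client_id] = {
        "confidential": confidential,
        "salt": salt,
        "secret_hash": _hash_secret(secret, salt) if confidential else None,
    }
    return secret


def authenticate_client(client_id, client_secret):
    """True only if client_id names a confidential client and the presented
    secret matches its stored hash. Unknown client or missing secret -> False."""
    client = CLIENTS.get(client_id)
    if client is None or not client["confidential"] or client_secret is None:
        return False
    presented = _hash_secret(client_secret, client["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(client["secret_hash"], presented)


def token_request(client_id, client_secret, grant_type):
    """Token endpoint decision. Returns "ok" or an RFC 6749 error code."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "invalid_client"
    if client["confidential"]:
        # The client_id alone is visible in browser URLs, so anyone could send
        # it; the secret is what proves the caller is the registered client.
        return "ok" if authenticate_client(client_id, client_secret) else "invalid_client"
    # Public client: identity is not proven, so it may not act purely on its own
    # behalf. RFC 6749 restricts client_credentials to confidential clients.
    if grant_type == "client_credentials":
        return "unauthorized_client"
    return "ok"


if __name__ == "__main__":
    issued = register_client("web-app")
    print(token_request("web-app", issued, "authorization_code"))
    print(token_request("web-app", "guess", "authorization_code"))
```

Note that the same client_id with a wrong or absent secret is rejected with invalid_client rather than treated as the public client of the same name: the confidentiality of a client is a property fixed at registration, not something the caller gets to choose per request.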

Do we absolutely need a STS for SAML?

I am trying to implement SAML enabled SOAP services for the first time and I have some conceptual questions regarding the role of a Secure Token Service (STS) in a SAML implementation.
User ---> Web Application ---SOAP/SAML--> Messaging Application
Basically the scenario is that the user logs into the web application using his user name and password; the web application in turn authenticates and authorizes the user with an external service. On successful authentication/authorization, the web application creates a Sender-Vouches SAML assertion with the user as subject, signs the assertion with its private key, packages the assertion in a SOAP envelope using WS-S and makes a SOAP call to the messaging application. Once the messaging application receives the request, it verifies the signature with the public key of the web application, pulls the authentication and attribute statements out of the SAML assertion and, based on them, enforces the auth policy on the endpoint.
As you can see, in the above scenario there was no external STS involved; however, most literature I have read on SAML suggests that an STS is absolutely required. The question I have is whether I am doing anything wrong with the above scenario, since I cannot see any reason why I would absolutely need an STS. Sure, it would be nice to have an STS, but at least in my opinion its absence does not stop me from implementing SAML for my use case.
No, you don't need an STS for SAML tokens in web services. The STS exchanges one token (where 'token' includes things like username+password) for another, so it's useful in that your web service consumer can send some input token (typically username+password or a signature+X.509 cert for simple use cases) to the STS and get back a SAML assertion all ready to go.
Now, if you have the capability to create SAML tokens that will be accepted by your web service provider, have at it! No STS necessary - the actual SOAP message on the wire is identical whether or not an STS was involved in its creation.
I wrote a couple of blog entries a few years ago that detail some of this:
Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack
Anatomy of a SAML-Secured SOAP Message
Sun Access Manager 7.1 has been superseded by OpenAM, but the principles remain the same. In particular, the second entry is independent of any actual product.
You can leverage any of the open source SAML toolkits. If your application is written in Java and you are running on either JBoss or Weblogic, SAML support is built-in.

WSO2 Identity Server: Cannot use custom claims with OAuth2

We've installed the pre-packaged Identity Server 5.1.0 with API Manager 1.10.0 and use SQL Server as a data store.
We use OAuth2 to authorize our APIs and we want to map our local claims to a service provider (an application?). Behind the API we have a .NET WCF service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The claims which are returned are:
{"iss":"wso2.org/products/am"
"exp":1462357259751
"wso2url/claims/subscriber":"Sjaak"
"wso2url/claims/applicationid":"1003"
"wso2url/claims/applicationname":"DefaultApplication"
"wso2url/claims/applicationtier":"Medium"
"wso2url/claims/apicontext":"/Test/v1.0"
"wso2url/claims/version":"v1.0"
"wso2url/claims/tier":"Silver"
"wso2url/claims/keytype":"PRODUCTION"
"wso2url/claims/usertype":"APPLICATION"
"wso2url/claims/enduser":"Sjaak#carbon.super"
"wso2url/claims/enduserTenantId":"-1234"
"wso2url/claims/emailaddress":"sjakie#chocola.nl"
"wso2url/claims/givenname":"Sjakie"
"wso2url/claims/lastname":"van de Chocoladefabriek"
"wso2url/claims/role":"Internal/subscriber
Internal/everyone
Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but we want to use our own URI, so not wso2.org but myorg.com. And we want to add other claims, with for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider, but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th May]
Maybe this can point us in the right direction?
When we add a subscription to an application and generate a new key, there is no new service provider in the list:
The list of service providers without a new one for user Sjaak, so this one is missing: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin the claims are not coming through. We have the following claim configuration, and in my logging the same claims as described above are still there, no new ones, so no claim named accountnaam and no voogd.com URI:
Service Provider (SP): it provides services to some end users and relies on a trusted Identity Provider (IdP) to handle authentication and authorization for them. An SP may use multiple protocols (OAuth2, SAML2, etc.) to communicate with the IdP.
Claims are defined for the SP, since the same claims can be sent over different protocols. In the default case, Identity Server uses the wso2 claim dialect (starting with wso2.com) for claims. If you want a different claim dialect than this, use the "Define Custom Claim Dialect" option in the service provider configuration. There you can map wso2 claims (Local Claim) to your own claims (Service Provider Claim).