We configured our SPA with mod_auth_mellon and the SP Initiated setup works well.
We now want to add the ability to dynamically route to SPA URL which initiated the SSO SAML call.
Below is the current flow:
1. User opens the URL http://foo.com/user/1
2. Session is expired, so the SP initiates the SSO handshake and redirects the user to the IDP (Ping Federate).
3. User logs in on the IDP and after successful authentication is redirected to http://foo.com/sso_callback
In step (3) we now want to redirect back to http://foo.com/user/1.
What configuration changes should I make in SP / IDP configuration to enable dynamic routing?
If you are using SAML 2.0 then you want to use the RelayState. When creating your AuthN request in step 2, you will want to make sure that you as the Service Provider are including your desired RelayState. The value you provide to the IDP for RelayState will be carried through the transaction and given back to you as a URL parameter in Step 3 when the user POSTs to your ACS # http://foo.com/user
Here is an example flow:
1. User opens the URL http://foo.com/user/1
2. Session is expired, so the SP redirects the user to the IDP with an AuthN token AND a RelayState value of http://foo.com/user/1
3. IDP authenticates the user
4. IDP directs the user to POST a SAMLResponse token to the SP ACS # http://foo.com/sso_callback, and also includes an additional URL parameter for RelayState
5. SP consumes and validates the SAMLResponse at the ACS, and if successful then redirects the user, who now has an active session, to the value contained in the RelayState parameter
On the off chance you are not doing SP init SSO and are instead doing a generic redirect to an IDP initiated SSO Url from PingFederate, you can add the url parameter TargetResource to your IDP initiated SSO redirection to then receive it back with the SAMLResponse later.
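The RelayState round trip described in the answer above, as an added example that is not from the original post, mod_auth_mellon or PingFederate: the SP encodes its AuthnRequest for the HTTP-Redirect binding and attaches the original URL as RelayState, and at the ACS it treats the returned RelayState as untrusted browser input and only follows same-origin or relative targets (so it cannot be turned into an open redirect). The function names, the IdP URL and the origin check are assumptions for illustration; the SAMLResponse itself is assumed to be validated by the SAML library before the redirect.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit

SP_ORIGIN = "http://foo.com"              # SP origin from the question
IDP_SSO_URL = "https://idp.example/sso"  # hypothetical IdP SSO endpoint
MAX_RELAY_STATE = 80                     # SAML 2.0 bindings spec: RelayState <= 80 bytes


def build_sso_redirect(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw-deflate + base64 the AuthnRequest and carry
    the page the user asked for as RelayState, so the IdP hands it back
    together with the SAMLResponse."""
    if len(relay_state.encode()) > MAX_RELAY_STATE:
        # Long targets must be stored server-side and referenced by a key instead.
        raise ValueError("RelayState exceeds 80 bytes; store it server-side and pass a key")
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def safe_relay_target(relay_state: str, default: str = "/") -> str:
    """RelayState comes back via the user's browser, so it is attacker-
    controllable. Accept only a relative path or an absolute URL on our own
    origin; anything else falls back to the default landing page."""
    if "\\" in relay_state:            # browsers may treat "/\" like "//"
        return default
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        if relay_state.startswith("/") and not relay_state.startswith("//"):
            return relay_state
        return default
    if f"{parts.scheme}://{parts.netloc}" == SP_ORIGIN:
        return relay_state
    return default


def acs_redirect_target(post_body: dict) -> str:
    """Step 5 of the flow: after the SAMLResponse has been validated, choose
    the post-login destination from the RelayState form field."""
    relay = post_body.get("RelayState", [""])[0]
    return safe_relay_target(relay)
```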
Related
We have set up identity federation between our ADFS environment and another IDP (Siteminder I think).
Both SP and IDP initiated sign on are working fine.
Now, we want to provide all users a link that authenticates them through idp initiated sign on and redirects them to a specific Url.
Our identity provider suggests that we add the RelayState query parameter to the end of the idp initiated sign on request, to have this request :
https://<idp-sso-endpoint>?SPID=https://<adfs-server>/adfs/services/trust&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState=<target-url>
but the following error occurs on our ADFS server:
Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException:
MSIS7001: The passive protocol context was not found or not valid. If
the context was stored in cookies, the cookies that were presented by
the client were not valid. Ensure that the client browser is
configured to accept cookies from this website and retry this request
Does anyone have an idea how to use the RelayState parameter with an IDP and ADFS as a service provider?
Thanks.
You cannot just put a URL at the end of RelayState. It needs to make sense to the receiver. See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)#configuration-required for details on how to encode this correctly to make sure AD FS receives something that makes sense.
The encoding instructions are valid but the method for configuring AD FS will be dependent on the AD FS version. In later versions of AD FS there is an EnableRelayStateForIdpInitiatedSignOn switch in the set-adfsproperties cmdlet that can be toggled.
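The nested encoding the answer refers to, as an added example that is not from the original post or from Microsoft: AD FS expects the IdP-initiated RelayState to be a URL-encoded string of the form RPID=<relying party id>&RelayState=<target>, with the two inner values each URL-encoded once and the whole string URL-encoded again (the format described in the linked Microsoft document). The host names and identifiers below are placeholders, and the decode side assumes the EnableRelayStateForIdpInitiatedSignOn switch is on.

```python
from urllib.parse import quote, unquote, parse_qs


def adfs_relay_state(rp_identifier: str, target_url: str) -> str:
    """Build the outer RelayState value AD FS understands.
    safe='' makes quote() encode ':' and '/' as well, which is required here."""
    inner = (f"RPID={quote(rp_identifier, safe='')}"
             f"&RelayState={quote(target_url, safe='')}")
    return quote(inner, safe='')          # second encoding of the whole string


def adfs_signon_url(adfs_host: str, rp_identifier: str, target_url: str) -> str:
    """Link to hand to users for IdP-initiated sign-on with a post-login target."""
    return (f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx"
            f"?RelayState={adfs_relay_state(rp_identifier, target_url)}")


def decode_adfs_relay_state(outer: str, allowed_rpids: set) -> dict:
    """Reverse the encoding and check the RPID names a relying party we know;
    an unknown RPID is rejected rather than guessed at."""
    fields = {k: v[0] for k, v in parse_qs(unquote(outer)).items()}
    if fields.get("RPID") not in allowed_rpids:
        raise ValueError("RelayState names an unknown relying party")
    return fields


def example_round_trip() -> dict:
    """Placeholder values only: an RP identifier and a target page on it."""
    rpid = "https://www.example.com"
    target = "https://www.example.com/page"
    outer = adfs_relay_state(rpid, target)
    return {"outer": outer, "decoded": decode_adfs_relay_state(outer, {rpid})}
```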
We have a Spring MVC application hosted in Google App Engine. Now it has been integrated with Single Sign On using the Spring-SAML Extension. After successful login, we are able to receive the SAML response from the idp. Now I have to capture the URL parameters passed by my initial URL.
Initial URL: (GET Request)
http://localhost:8080/spring-security-saml2-sample/download?filename=Culture%20Close-Up&Type=Word&order=1&name=jack&city=Seatle
invokes idp -> login
Response from idp after successful login (POST)
http://localhost:8080/spring-security-saml2-sample/saml/SSO
I am able to receive the response, but the initial parameter values passed in
(e.g. name=jack) are not receivable. How can I preserve the parameter values?
Thanks.
I am using Symfony2 and I have to connect my user through SSO to another service using a SAML request. In this case we are the Service Provider. From what I gathered, once the user hits the link I'm supposed to redirect him to the bridge with a SAML request carrying the data so he can be authenticated, but I don't know which bundle to install or how to send a SAML request in the first place.
Any help will be appreciated.
You have 3 alternatives here:
Use bundles based on php-saml like OneloginSamlBundle
Use bundles based on simplesamlphp like SimplesamlphpBundle
Use SamlSPBundle, a bundle based on lightsaml
If you decide to use OneloginSamlBundle, the AuthNRequest is sent from the SP to the IdP when the SP-initiated SSO happens.
Resources/config/routing.yml defines the SAML routes. /saml/login initiates the SSO process.
When you access /saml/login, the loginAction defined in SamlController.php runs and an AuthNRequest is sent to the IdP SSO URL, and a SAMLResponse is expected at the SP on the ACS endpoint. That SAMLResponse is the one that will contain the user attributes in order to SSO or provision that user on the Symfony2 app.
I have configured SAML 2.0 application on OKTA.
For SAML 2.0, Okta (acting as the IDP) supports 2 methods of authentication:
In IDP-initiated the flow is:
1. User goes to Okta (assumption is that the user has an existing Okta session)
2. User clicks on the chiclet and this sends a SAMLResponse to the configured SP
3. A session is established with the SP
4. User is authenticated
This flow is working
In SP-initiated the flow is:
1. User goes to the target SP first. They do not have a session established with the SP
2. SP redirects the user to the configured Login URL (Okta's generated app instance URL) sending the SAMLRequest.
3. Okta is sent the SAMLRequest (assumption is that the user has an existing Okta session)
4. Okta sends a SAMLResponse to the configured SP
5. SP receives the SAMLResponse and verifies that it is correct. A session is established on the SP side.
6. User is authenticated
This flow isn't working: I got 401 Unauthorized "You do not have permission to view this directory or page."
The SP won't redirect to Okta (IDP)
I have tried changing the permissions of the site for 'Everyone' to Full Control, but without success.
Make sure that you have configured your SAML 2.0 application to use the correct Single Sign On service URL.
In Okta, you can determine which Single Sign On URL you should use for SAML SP requests as follows:
1. Visit the Admin section of your Okta organization page
2. Click on Applications
3. Select the application that you are configuring
4. Click on the Sign On tab for that application
You should see a page similar to the one below:
From this page, either click on the "View Setup Instructions" button or on the "Identity Provider metadata" link to get the URL your SAML SP should be redirecting users to. This URL will be called either the "Identity Provider Single Sign-On URL" or can be found in the SAML metadata file as the "Location" attribute in the "SingleSignOnService" tag.
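Reading the "Location" attribute of the "SingleSignOnService" tag out of the IdP metadata, as the answer above describes, as an added example that is not from the original post or from Okta. The metadata document below is a constructed sample with placeholder host and entity IDs; the function names are assumptions. The example also refuses a non-HTTPS endpoint, since the SP would otherwise send the browser to a cleartext login URL.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape Okta publishes (placeholder values).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exampleEntityId">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml: str) -> dict:
    """Return the IdP entityID and a {binding: location} map of its SSO endpoints.
    For metadata fetched from an untrusted source, parse with defusedxml instead."""
    root = ET.fromstring(metadata_xml)
    descriptor = root.find("md:IDPSSODescriptor", NS)
    if descriptor is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {}
    for service in descriptor.findall("md:SingleSignOnService", NS):
        location = service.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS SSO endpoint: {location}")
        endpoints[service.get("Binding")] = location
    return {"entityID": root.get("entityID"), "endpoints": endpoints}


def sp_redirect_url(metadata_xml: str) -> str:
    """The URL an SP should send users to for SP-initiated SSO (redirect binding)."""
    endpoints = sso_endpoints(metadata_xml)["endpoints"]
    if HTTP_REDIRECT not in endpoints:
        raise ValueError("IdP publishes no HTTP-Redirect SingleSignOnService")
    return endpoints[HTTP_REDIRECT]
```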
I want to implement SAML SP in a web application as a SAML Service Provider. I wonder how my application can know that a user X has logged out from the IdP?
I've read that the IdP might make a broadcast when the user logs out from the IdP directly or from any other SP, but the IdP I'm using is not making any broadcast.
Should I redirect to the IdP in the Application_AuthenticateRequest event handler?
You have heard right: the identity provider must send a LogoutRequest to all Service Providers in the session (on the logout URL that the SPs have registered with the IdP) - see page 37 of http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf.
In SAML there is no other standard way for SPs to deterministically know of user logging out.
Have you registered your Logout URL with the IdP?
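What the SP does when the IdP's LogoutRequest arrives at the registered logout URL, as an added example that is not from the original answer or from any SAML library. The LogoutRequest and the session store are constructed samples with placeholder values; the function assumes the request's XML signature has already been verified by the SAML library, and it rejects requests from an unexpected Issuer or past NotOnOrAfter before terminating any session.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_IDP = "https://idp.example/metadata"   # hypothetical IdP entityID
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed LogoutRequest as the IdP would POST/redirect to the SP's SLO URL.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:NameID>userX@example.com</saml:NameID>
  <samlp:SessionIndex>_idx-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed SP session store: local session id -> (NameID, SessionIndex from the assertion)
SESSIONS = {"sess-a": ("userX@example.com", "_idx-42"),
            "sess-b": ("other@example.com", "_idx-7")}


def handle_logout_request(xml_text: str, sessions: dict, now=None) -> dict:
    """Terminate the SP sessions named by the LogoutRequest and return what the
    LogoutResponse should say (status plus InResponseTo)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_IDP:                 # only our IdP may log users out
        return {"status": STATUS_REQUESTER, "terminated": [], "InResponseTo": root.get("ID")}
    expiry = root.get("NotOnOrAfter")
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        return {"status": STATUS_REQUESTER, "terminated": [], "InResponseTo": root.get("ID")}
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    # No SessionIndex means "all sessions of this principal"; otherwise match on index.
    terminated = [sid for sid, (nid, idx) in sessions.items()
                  if nid == name_id and (not indexes or idx in indexes)]
    for sid in terminated:
        del sessions[sid]
    return {"status": STATUS_SUCCESS, "terminated": terminated, "InResponseTo": root.get("ID")}
```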