SAML based User Authentication and SSO in Web Application

Introduction

In web application, user management, authentication and authorization are common aspects which need to be developed with each web application. There are various techniques for authentication and authorization implementation available which is required to evaluate based upon need and implement.

Security Assertion Markup Language (SAML) is open standard for exchanging authentication and authorization data between two parties. It is very popular for implementing Single-Sign-On in applications where user identity is managed in IAM solution or Identity Providers (idPs) and user can authenticate from idPs and access the web application with SAML token (a XML based token which contains details about the user / principal, access details about issuer and issued to).

Let’s discuss about SAML and it’s implementation in detail.

Business Needs

For each business, authentication and authorization is common need, which can be developed with various available techniques like OpenID Connect, OAuth 2.0 etc.

SAML is one of the popular technique which is quite reliable, secure and trusted way to implement authorization and authentication between idP and relay parties.

Now let’s form a use case as per business need:

• There are multiple web applications available to solve the purpose of a business
• A single set of users are required to access the web applications, where one user may use one or more web applications
• Business wants to keep single user management system to that user and access management can be handled effectively
• Effortless authentication and authorization to be implemented where user does not need to do login again-and-again while visiting each web application
• Proven security algorithms to be implemented to ensure application security

Technical Stack

The SAML based authentication and authorization can be implemented in any web based programming language e.g. .Net, Java etc. There are libraries available which implement OASIS SAML specification and helps in development and integration of SAML based authentication.

Also, number of idPs support SAML based authentication like Azure Active Directory, Onelogin, Okta and so on. For demonstration purpose, we have used SSO Circle.

For demonstration purpose, we have used Java based web technologies like:

• Java
• Spring Boot, Spring Web and Spring Web Security
• HTML, CSS and Javascript
• SSO Circle or Azure Active Directory as idP

Audience

This article discuss about authentication and authorization with SAML token and identity sharing between two parties. It provides complete understanding of SAML implementation and provides support to Developers, Architects and Product Owners in evaluation of authentication mechanism and SSO implementation.

Problem

Based upon the requirements defined in ‘Business Needs’ section, below are the technical problem statements:

• Need to have a single user and access management something like IAM and idP solution.
• A secure and reliable medium to be selected for user identity and access claims sharing from idP to application
• Once user logins in idP, user can visit multiple application without having login again-and-again which directs to implement SSO

OAuth vs SAML

The requirement defined in ‘Business Needs’ can be solved with SAML based technologies and OAuth based implementation.

Now, question is which one to choose and why?

Firstly, we need to understand, SAML protocol and tools are much older than OpenID Connect and OAuth and therefore it is based on XML tags which carries the identity and access rather than the newer technologies like JSON which is used in OAuth Bearer token.

SAML covers both authentication and authorization where as OpenID Connect is designed for authentication and OAuth designed for authorization.

Being a little older than OAuth, SAML is much mature from security perspective and less support with mobile technologies so it is only used for Web Applications.

As observation, SAML majorly used in enterprises where multiple web applications provided to complete the business task whereas OpenID Connect and OAuth are used mostly with social media in public internet.

Based upon these comparison, if we are going to create new web application, we should move to newer technology like OAuth but if we have already polyglot infrastructure available where some of web applications already developed, there is no mobile technology required, we can think of SAML based SSO implementation.

Terminologies

In SAML based implementation, below terminologies are often used:

• Identity Provider (idP) — Identity Providers are system which provide storage and management of user / service identity principal. In other words, an application where user stored and managed
• Service Provider (SP) — Service Providers are service which integrate with Identity Provider and whenever authentication completed, idP redirects URL to Service Provider with SAML token, where token is validated and then session created in web application.
• SAML Token — A XML based token which contains various fields including, principal name, issuer details, issue to details, Signature of token. Often, it is sent from idP in encoded form. You can see example from: https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/blob/main/websso-saml-service-provider/sample-saml-token.txt. There are some online tool available which parse it convert to XML document.
• SAML Token Provider — A subsystem of idP which generates SAML token based after user authentication completion
• Security Assertion — Once SAML token received at Service Provider (SP), a set of validation performed on token to ensure token is valid. This is called security assertion.
• RelayState — The SAML token often used for SSO implementation, so whenever token is generated, additional flag is added to redirection response to SP which tell after SAML token validation, which application to be opened
• SAML Metadata — SAML Metadata belongs to SAML protocol, it carries information about the Identity Provider and Service Provider deployments. It is used while integration of Identity Provider and Service Provider. Most of the Identity Provider provides upload of Service Provider metadata for integration.

Solution

In previous sections, SAML has been discussed from business need perspective. Now, let’s discuss about SAML, its features, implementation in Web Application and workflow of SAML implementation.

Security Assertion Markup Language (SAML) is a set of protocol and open standard for exchanging authentication and authorization data from identity provider to service provider. To carry the identity and access data, a token is generated by SAML token provider in XML format which contains tags and value.

The SAML token exchanged from identity provider to service provider via Browser so it is often passed as payload while request to service provider. SAML specification are managed by OASIS Security Services Technical Committee (SSTC) and till now SSTC has provided second version of SAML protocol so it is often referred as SAML 2.0.

The data exchange happen based upon XML technology so below are also touched with SAML:

• Extensible Markup Language (XML)
• XML Schema
• XML Signature
• XML Encryption

SAML can be used for HTTP and SOAP based communication for identity exchange.

The token includes tags and data for following:

• issuer
• issuer X509 cert
• token signature
• principal id
• recipient data
• conditions e.g. not before and not after
• audiences
• other attributes — a number of additional attributes can be added as attribute name = attribute value

Let’s understand the workflow how authentication performed in SAML based authentication with diagram:

Figure 1: SAML Authentication flow

As depicted in above flow diagram, we can see:

• When user tries to open web application, if there is no valid user session on the browser, it redirects to idP
• The idP open a login page where user provides username and password. Based on user validation, user is identified and SAML token created.
• Once SAML token created, idP redirects it to Service Provider via browser
• When service provider receives the SAML token, it is parsed and security assertion validation performed to ensure token is valid
• If service provider’s token validation result positive, a user session is created and response provided to user’s browser

Below is the sequence diagram depicts sequence of events performed while SAML based authentication:

Figure 2: Sequence diagram of SAML based authentication

SAML is highly secure as the token issuer is validated with X509 certificate and token is also validated for its integrity with signature verification.

Conclusion

SAML is one of the most popular and widely used mechanism for authentication, authorization and SSO implementation in web applications. It is highly used for enterprises applications where there are multiple web applications are available to complete the business solution and user does not want to login again-and-again.

It is secure, reliable and trusted technique for authentication with help of identity provider. There are number of identity providers are available which provides SAML based authentication like:

• Active Directory Federation Service (ADFS)
• Auth0
• Okta
• Onelogin
• Azure AD

and so on.

Apart from the paid solutions, there are open source products available which can be used for Identity Provider for SAML based authentication implementation.

Links of Work on GitHub

This article discuss about SAML based authentication & authorization and SSO implementation. Although, SAML based authentication can be implemented in different programming languages and with number of Identity Providers (idPs).

To demonstrate the SAML implementation, source code has been developed for Service Provider (SP) along with some endpoint resource using Java and Spring Boot framework with Spring Web and Spring Web Security.

The code can be checked out from GitHub and executed on local for demonstration purpose. The SP can be integrated with any Identity Provider (idP) and we used SSO circle idP for demonstration purpose. Therefore, need to create account in SSO Circle and integrate the metadata of SP into SSO Circle.

Link of SSO Circle: https://www.ssocircle.com/en/

GitHub Source: https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/websso-saml-service-provider

The steps to build and run project has been given with GitHub page. Also, the properties has been explained for setup purpose.

To integrate Service Provider with Identity Provider, the metadata can be generated from service provider and uploaded into identity provider. To generate service provider metadata, hit URL like http://myserviceprovider.com/saml/metadata.

Where myservcieprovdier.com is domain name of the host where service provider is running. To test on local, make an entry in etc/hosts file for localhost and domain mapping.

References

• Onelogin SAML Reference — https://www.onelogin.com/learn/saml
• SAML Explained — https://www.csoonline.com/article/3232355/saml-explained-how-this-open-standard-enables-single-sign-on.html
• OASIS SAML Reference — http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
• GitHub Source — https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/websso-saml-service-provider

About the Author

Sandeep Kumar holds Master of Computer Application degree working as Java developer having 10+ years of working experience. He has experience design and development of enterprises applications in domains like education, content, laboratory, and banking; got various appreciation for his solutions including spot appreciation for Glassfish to JBoss migration project. He secured Google Cloud Developer certificate and participated into OCI trainings. He is a part of HCL-ERS platform as Sr. Lead developer.