SSO Workflow using SAML

25 Aug 2024    

Authentication is required for any application that stores sessions or data attributed to a user. The account is typically what grants permission to private information, whether that information resides in a system or in a document itself.


There are numerous authentication methods, from basic authentication using a username and password all the way to a federated Active Directory. These different ways achieve the same goal, allowing a user to gain access to closed information, with some providing more advantages than others.


What is SSO?


Single sign-on (SSO) allows an enterprise to maintain a single user management system, and lets employees use their corporate account to log in to 3rd-party services without creating new accounts or credentials.


What is SAML?


Security Assertion Markup Language (SAML) is the most commonly used authentication protocol for SSO.


3 subjects in the picture


  1. Identity Provider (IdP)

The system that authenticates the principal and issues the SAML Assertion that the SP trusts.

  2. Service Provider (SP)

The application that trusts the IdP and wants to use the IdP for authentication.

  3. Principal

The user trying to log into the SP via the IdP.


2 Types of Authentication Workflow


IdP initiated Login


The principal goes to the IdP and views the list of SPs they have access to.
On choosing an SP, they are redirected to that SP.


SP initiated Login


The user goes to the SP website and, if there is no active session with the SP, is redirected to the IdP for authentication.


On successful login, the principal is redirected back to the SP.


SP Initiated Login workflow


  • Check for SP active session
  • SP sends authentication Request to IdP
  • IdP authenticates the user
  • IdP sends SAML Assertion to SP
  • SP creates session and logs in user

SAML does not maintain sessions, so the SP has to maintain them.


  1. SP checks if there's an active session

Note that SAML does not store sessions; session tracking is done only by the Service Provider (SP).


  2. SP sends AuthnRequest to IdP. On clicking Login, the SP generates an XML message called AuthnRequest with the following details:

  • Who sent the request (Issuer)
  • Where to redirect to after authentication (Assertion Consumer Service URL)
  • Security Measures (ID, issueInstant)

An example of XML message here


  • The AuthnRequest is encoded as a URL-safe string and embedded as a query parameter in the request to the IdP; the user is then redirected to the IdP URL configured on the SP side.

  3. IdP authenticates the user

The IdP maintains its own session for the user.
If an active session exists for the user, the user is redirected to the SP.
If no session exists, the user is asked for credentials.
The IdP can be configured for different types of authentication: basic auth, TOTP, MFA.


  4. IdP sends SAML Assertion to SP

Once the principal is authenticated, the IdP sends back an XML message called a SAML Assertion to the SP's Assertion Consumer Service URL.

This SAML Assertion contains principal details such as name, email and department; which attributes are included can be configured based on what the SP wishes to request from the IdP.


The SAML Assertion is digitally signed so the SP can trust that the message is indeed from the IdP and log the user into its system.


  5. SP creates session and logs in user

The user is redirected back from the IdP to the SP. The SP creates a session to keep the user logged in.
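As an added worked example (not code from this post or from the referenced article), the following Python sketch walks the SP side of the five steps above: it builds the AuthnRequest with an unpredictable ID and IssueInstant, applies the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encoded SAMLRequest query parameter), and then performs the checks an SP must make on the returned assertion before creating its own session: Issuer, InResponseTo against the outstanding request IDs, one-time use of the assertion ID, the NotBefore/NotOnOrAfter window, and the Audience. The entity IDs and endpoints are hypothetical, the IdP response is a constructed, unsigned stand-in, and the example assumes the XML signature has already been verified by an XML-DSig library (for example python3-saml or signxml) before validate_response runs; the signature check is the first gate, the checks below are what must follow it.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Hypothetical entity IDs and endpoints; real values come from SP/IdP metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(minutes=2)  # tolerance for SP/IdP clock drift


def saml_time(t):
    """SAML timestamps are UTC, e.g. 2024-08-25T10:00:00Z."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """Step 2: the SP builds the AuthnRequest (Issuer, ACS URL, ID, IssueInstant)."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0", "IssueInstant": saml_time(now),
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def to_redirect_url(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate, no zlib header
    deflated = c.compress(xml_text.encode()) + c.flush()
    b64 = base64.b64encode(deflated).decode()
    return IDP_SSO_URL + "?" + urllib.parse.urlencode({"SAMLRequest": b64})


def from_redirect_url(url):
    """What the IdP does on receipt: reverse the encoding to recover the XML."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def build_sample_response(in_response_to, now):
    """Constructed, UNSIGNED stand-in for the IdP's SAML Response (step 4)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{saml_time(now)}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="{saml_time(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions NotBefore="{saml_time(now)}"
        NotOnOrAfter="{saml_time(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, outstanding, seen_ids, now):
    """Step 5 checks the SP makes AFTER an XML-DSig library has verified the
    signature. Returns the attribute dict, or raises ValueError."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    # Tie the response to a request this SP actually sent (InResponseTo).
    if root.get("InResponseTo") not in outstanding:
        raise ValueError("unsolicited or unknown InResponseTo")
    outstanding.discard(root.get("InResponseTo"))
    # Replay: an assertion ID is accepted once; keep IDs until NotOnOrAfter passes.
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    seen_ids.add(a.get("ID"))
    return {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
            for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    rid = "_" + secrets.token_hex(16)  # unpredictable request ID (step 2 "security measure")
    url = to_redirect_url(build_authn_request(rid, now))
    assert from_redirect_url(url) == build_authn_request(rid, now)
    print(validate_response(build_sample_response(rid, now), {rid}, set(), now))
```

The outstanding request IDs and seen assertion IDs are plain sets here; in a real SP they live in server-side storage shared across workers, and the SP session created after validate_response returns is what keeps the user logged in, since SAML itself carries no session state.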


——


Reference:


https://www.sheshbabu.com/posts/visual-explanation-of-saml-authentication/