Kurent

Reputation: 99

WSO2 Identity server - Restricting access to SSO service

My understanding of SAML and WSO2 is very basic, so sorry in advance. I'm wondering if access to an SSO service can be restricted to a subset of users?

Upvotes: 2

Views: 668

Answers (2)

Josef Bureš

Reputation: 125

I think that, according to the SAML specification, the Identity Provider can return an error state. It has an element in the SAMLResponse dedicated to this -> Status. But WSO2 Identity Server (up to 5.0.0), as far as I know, doesn't automatically support this behavior. One should change the WSO2 authorization code to achieve this behavior...

Source: SAML 2.0 Overview - line 1131, chapter: 3.2.2.2 Element

    <samlp:Response
      ...
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion ...

Instead of Success IdP can return: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed or similar... see: SAML2.0 handling SSO error

Upvotes: 0

SureshAtt

Reputation: 1951

Yes, you can restrict access to a SAML SSO Service Provider to a subset of users. This is an authorization requirement indeed. When the service provider redirects the user to the Identity Provider (in this case the WSO2 Identity Server), the service provider can request claims about the user from the Identity Server (claims such as Role, Email, Age, Country, etc.). Then, after successful authentication of the user at the Identity Provider, the Identity Provider will send those claim values to the SSO Service Provider along with the SAML Response message. The SSO Service Provider can read these claims and decide whether it should let the user access the service or not. (For example, by looking at the Role claim: if the user has a particular role, the SSO Service Provider allows the user; if not, it refuses.)

Upvotes: 3
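The two answers describe two halves of the same decision at the Service Provider: first look at the Status element the IdP returned (first answer), then, if it is Success, read the role claim carried in the assertion and compare it against the roles the SP permits (second answer). The following is an added example, not code from either answer or from WSO2 Identity Server; it parses two constructed SAML Responses with the Python standard library and makes that decision. The claim URIs http://wso2.org/claims/role and http://wso2.org/claims/emailaddress, the role names, the entity IDs and the ID/IssueInstant values are assumptions used only to build the sample messages. It also reflects a detail of the SAML Core spec that the first answer glosses over: AuthnFailed is a second-level code nested under a top-level Responder code, not a replacement for Success at the top level.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
# Assumed WSO2-style claim URI for the role attribute (an assumption for this example).
ROLE_CLAIM = "http://wso2.org/claims/role"

# Constructed sample: a successful Response whose Assertion carries a role claim.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://wso2.org/claims/role">
        <saml:AttributeValue>Internal/everyone</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://wso2.org/claims/emailaddress">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the IdP refused authentication. Per SAML Core, AuthnFailed is a
# second-level StatusCode nested inside a top-level Responder code.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def parse_response(xml_text):
    """Parse a SAML Response. In a real SP this runs only AFTER the XML signature on the
    Response/Assertion has been verified; unsigned attribute values are attacker-controlled."""
    return ET.fromstring(xml_text)


def status_codes(root):
    """Return the StatusCode chain, outermost first, e.g. [Responder, AuthnFailed]."""
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def attribute_values(root, name):
    """Collect every AttributeValue of the attribute called `name` (multi-valued claims)."""
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def authorize(xml_text, allowed_roles, role_claim=ROLE_CLAIM):
    """SP-side decision: (granted, reason). Deny unless the IdP reported Success AND the
    subject holds at least one permitted role. Anything missing or unexpected is a deny."""
    root = parse_response(xml_text)
    codes = status_codes(root)
    if not codes or codes[0] != STATUS_SUCCESS:
        return False, "idp status " + "/".join(codes or ["<missing>"])
    roles = set(attribute_values(root, role_claim))
    granted = sorted(roles & set(allowed_roles))
    if granted:
        return True, "role " + granted[0]
    return False, "no permitted role in " + (",".join(sorted(roles)) or "<none>")


if __name__ == "__main__":
    for label, xml in (("success", SUCCESS_RESPONSE), ("failed", FAILED_RESPONSE)):
        print(label, authorize(xml, {"finance", "admin"}))
    print("wrong role", authorize(SUCCESS_RESPONSE, {"admin"}))
```

Two design points worth keeping when this is ported into a real SP: the decision is deny-by-default (a Success status with no AttributeStatement, or a claim the IdP was never configured to release, still ends in a refusal), and the role check must run only on a response whose signature has already been verified, since otherwise the attribute values are whatever the client chose to POST.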
