mlangwell

Reputation: 345

Custom Authentication After SAML Response From IdP

A little background on our environment:

A user can authenticate with us by clicking a button which then our SP will redirect them to the IdP. Once they have authenticated with the IdP, it will send us back a response via HTTP-POST to our ACS.

From there how do we authenticate the user through us? Are we supposed to send the redirect back to the browser, which then our login page will make a normal /auth/credentials request? Our /auth/credentials route takes username and password and we do not have that from a SAML response. This part is very confusing to me, and any help would be greatly appreciated!

Upvotes: 1

Views: 557

Answers (1)

codebrane

Reputation: 4620

Your app doesn't authenticate, the IdP authenticates. Your app authorises. The IdP will likely respond via a redirect to your ACS (for SAML2) with an Assertion containing Attributes. You could ask the IdP to return, for example, eduPersonEntitlement with a value of perhaps:

https://yourapp.com/access

and if this attribute is present in the assertion then you can consider the user authenticated and authorised so just create them a session etc.

If your app has fine-grained access control you can get the IdP to release the attribute with different values based on who the user is, i.e. what the IdP knows about their account (LDAP OU for example) to get finer-grained authorisation:

http://yourapp.com/access/private/staff

Your app should never see their credentials as those are for the IdP. All your app cares about is the SAML Assertion containing the Attributes that arrives at your ACS after the user has given their credentials to the IdP for authentication.

If you need to provide personalisation services for the user, such as application settings or look and feel etc, this is normally done using either NameID or eduPersonTargetedID. They are essentially opaque identifiers that will arrive in the Assertion for that user. Whenever the user 'logs in' (at the IdP) your app will get the same value of NameID or eduPersonTargetedID. If you need more information such as their name or email address, you can ask the IdP to release those too, subject to data privacy laws. Your app should never need to authenticate the user as that's what the IdP does. Your app just needs to authorise access and create a profile for them using the attributes the IdP has released.

Upvotes: 2
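A worked illustration of the approach in this answer, added here and not code from the asker's SP or from any SAML library: read the NameID and Attributes out of an Assertion that the SP's SAML library has already signature-checked and validity-checked, and create a session profile only when eduPersonEntitlement carries an accepted value. The entitlement URLs, the role mapping and the sample Assertion are constructed for the example; the attribute OIDs are the standard ones.

```python
# Authorising (not authenticating) a user from the Attributes in a SAML 2.0 Assertion.
# ASSUMPTION: the Assertion passed in has already been signature- and validity-checked
# by the SP's SAML library; this code only decides what the released attributes permit.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITLEMENT_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement (standard OID)
MAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"         # mail (standard OID)
# Entitlement values the IdP may release, mapped to roles in our app (constructed values)
ENTITLEMENT_ROLES = {
    "https://yourapp.com/access": "user",
    "https://yourapp.com/access/private/staff": "staff",
}

# Constructed sample Assertion body (Signature element omitted; see assumption above)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">opaque-id-7f3a</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>https://yourapp.com/access</saml:AttributeValue>
      <saml:AttributeValue>https://yourapp.com/access/private/staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute Name: [values]}) from a verified Assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def authorise(xml_text):
    """Build the session profile if an accepted entitlement is present, else None."""
    name_id, attrs = parse_assertion(xml_text)
    # Exact string comparison against the accepted values: no prefix or substring matching,
    # so only the values the IdP was asked to release can grant a role.
    roles = {ENTITLEMENT_ROLES[v] for v in attrs.get(ENTITLEMENT_ATTR, []) if v in ENTITLEMENT_ROLES}
    if not name_id or not roles:
        return None  # no opaque identifier or no entitlement: create no session
    # NameID is the stable key for the user's profile; mail is optional personalisation data
    return {"subject": name_id, "roles": sorted(roles), "mail": attrs.get(MAIL_ATTR, [None])[0]}
```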
