sp initiated saml sso authentication

Question

I am working on SP initiated saml sso and it is completely new to me. I have gone through lots of articles and videos(wikipedia, centrify chalktalk, medium posts) but i am not able to understand some of the things:

1. Is the saml assertion the SAML token? if not, then how is it generated?

2. Suppose i have a saml based IdP and two saml enabled SP. Now in a purely post binding, when i login to one of the SP and then login to the second SP, How does the second SP log me in? To be more precise, how does the second SP know that the user is already logged into first SP? What is that parameter(s) that decides it? (can i get more low level explanation on this). Does the IdP store data in cookie about the session or is there something else that i am missing out.

If there are any articles based on this please do post them.

Thank You.

Answer 1

Let me first answer your specific question points:

1) Is the saml assertion the SAML token? if not, then how is it generated?

-This is all just terminology for the same thing. A SAML Assertion and a SAML Token are the same thing. There are 2 different SAML assertions/tokens that are important for you to focus on. The SAML Request and the SAML Response. The SAML Request is what is sent from the SP to the IDP in SP initiated SAML SSO. The SAML Response is what is sent from the IDP to the SP as the final part of SP initiated or during IDP initiated SAML SSO. SP initiated is when the user starts at the SP app, is redirected to the IDP for authentication, and then sent back to the SP app by the IDP. IDP inititated is when the user starts at the IDP, and goes right to the SP. A SAML Assertion is just XML that has been signed, converted to a string and base 64 encoded. they are redirected with the user from SP to IDP and back.

2) Suppose i have a saml based IdP and two saml enabled SP. Now in a purely post binding, when i login to one of the SP and then login to the second SP, How does the second SP log me in? To be more precise, how does the second SP know that the user is already logged into first SP? What is that parameter(s) that decides it? (can i get more low level explanation on this). Does the IdP store data in cookie about the session or is there something else that i am missing out.

-This is specific to your IDP. As a Centrify SME, I can tell you how Centrify and similar IDPs work. When a user signs into the IDP, whether its from an SP initiated redirect, IWA on their corporate machine, or directly to the IDP itself, a cookie is added to the browser. In the case of Centrify, this cookie is called .ASPXAUTH. Every time a user is taken to the IDP after logging in, they are not prompted to log in again. So if a user starts at SP1, gets redirected to the IDP, logs in, and is redirected back, the cookie has been set by the IDP. Now if they go to SP2, by default that SP would also redirect to the IDP, but the IDP would not prompt for auth again because of the set cookie. So the user wouldn't notice the redirect and the IDP would just send them right back to SP2 with the appropriate SMAL response. So Like this:

SP1 > SAML Request and redirect to IDP > Log in to IDP and cookie is set> SAML Response and redirect back to SP1 > Navigate to SP 2 > SAML Request and redirect to IDP > Cookie is set so immediately redirect back to SP with SAML Response.

Centrify also has API's that can be used by SP's. For example, an SP could do a client side API call to /security/whoami to see if there is a valid ASPXAUTH cookie in place. So SP2 could check for a valid cookie and decide to to redirect at all because the cookie has already been set. https://developer.centrify.com/reference-link/securitywhoami

Hopefully this helps. I wrote a very basic example of this in c# while at Centrify. You can find the code here https://github.com/centrify/CentrifySAMLSDK_CS. Feel free to reach out here with more questions or find me on twitter https://twitter.com/NickCGamb

Answer 2

1. Yes, the Assertion is normally a fully portable token by itself, but there are ways to bind it to for example keys on the requester.

2. The second SP does now that the user is already signed in. The SP will redirect the user to the IDP with an authentication request to the IDP. IDP usually saves a cookie for the user when it authenticated the first time, this is not specified by SAML but generally how its done. When the user arrives at the IDP the IDP looks at the cookie and if the user authentication is still valid the IDP automatically sends a valid Assertion/token to the SP. It is possible for the SP to overide this behaviour by specifying the ForceAuthn attribute in the authentication request.

As for resources I would recommend the SAML Technical Overview from OASIS http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf