Guide for Newbie

Hi There,

I am implementing SSO for the first time. I’ve read through the following article on how the SSO works using SAML 2.0: https://en.wikipedia.org/wiki/SAML_2.0

So as per my understanding of SSO with SAML 2.0, one of the ways it can be implemented is the following:

1. The user browses a Website (Service Provider or SP), and the user is not logged in at the moment. So, from here the user needs to be sent to an Identity Provider, which can be automatic or the user can select from a list of Identity Providers that are available for that Service Provider.
2. Once the user is logged in, they will be redirected to the identity provider with a samlp:AuthnRequest element in the Redirect URL or as a POST Request, and it is submitted to the Identity Provider through the Web Browser.
3. When this request reaches the IdP via the Browser, it is verified whether the user is logged in or not, which can be any form of authentication.
4. Once the user is logged in, a samlp:Response element is generated, which is passed through the Browser as a POST Request, and the Web Browser will call the Method that will Consume this element. Once it is verified, the user will be redirected to the resource they requested.

So my question is, how will this be implemented with ComponentSpace? Is there a guide I can follow? I went through the Developer Guide but I got lost in it. And if I want to sign and encrypt the Request and Response elements, how do I do that?

Thanks,
Ginder

Hi Ginder
Is your site the identity provider or service provider?
I suggest taking a look at section 10.1 of our Developer Guide PDF. This describes the ExampleIdentityProvider and ExampleServiceProvider projects that are found under the Examples\SSO\HighLevelAPI\WebForms folder. There are also example projects that use MVC and OWIN.
The flow you described above is referred to as SP-initiated SSO as the user starts at the SP site and a SAML authn request is sent to the IdP site.
The other SSO flow is IdP-initiated SSO where the user starts at the IdP site.
For both flows, once the user is authenticated at the IdP site, the IdP sends a SAML response to the SP.
The SAML response contains a SAML assertion.
The SAML assertion includes a name identifier (NameID) and optional SAML attributes.
The SP then automatically authenticates the user using this information from the SAML assertion.
The ExampleIdentityProvider and ExampleServiceProvider demonstrate IdP-initiated and SP-initiated SSO.
The details of the HTTP binding (i.e. transport), protocol, message formats, security etc. are all handled by the API.
If you’re the IdP, for IdP-initiated SSO you simply call SAMLIdentityProvider.InitiateSSO.
For SP-initiated SSO, you call SAMLIdentityProvider.ReceiveSSO and SAMLIdentityProvider.SendSSO.
If you’re the SP, for SP-initiated SSO you simply call SAMLServiceProvider.InitiateSSO.
For IdP-initiated and SP-initiated SSO, you call SAMLServiceProvider.ReceiveSSO.
These APIs are documented in our Developer Guide and Reference Guide.
The SAML high-level API is configuration driven.
This means you have to write less code, and most changes (e.g. new partner providers) can be accommodated simply by updating the SAML configuration.
You’ll see the ExampleIdentityProvider and ExampleServiceProvider include saml.config files.
Your application will need a similar SAML configuration but specific to your provider and the partner provider(s).
I hope that helps you get started.
Regarding your question about signing and encrypting, these are specified through SAML configuration.
You’ll see flags for these in the ExampleIdentityProvider and ExampleServiceProvider saml.config files.
You’re always welcome to contact us at support@componentspace.com if you have specific questions or need assistance with configuration etc that you’d prefer not to include on the forum.
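The SP side of the flow described in the reply above (SAMLServiceProvider.InitiateSSO on the login page, SAMLServiceProvider.ReceiveSSO at the assertion consumer service), written out as an added example. This is not code from the original thread or from ComponentSpace's example projects. The method signatures of InitiateSSO and ReceiveSSO, the partner IdP name, the page names and the RelayState handling are my assumptions and should be checked against the Reference Guide for the library version in use.

```csharp
// Added example (not from the thread): a minimal ASP.NET WebForms service provider
// using the ComponentSpace SAML high-level API named in the reply.
// ASSUMPTION: the InitiateSSO/ReceiveSSO signatures below are from memory of one
// library version; confirm them against the Reference Guide for your version.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using ComponentSpace.SAML2;

// Login page: starts SP-initiated SSO by sending the browser to the IdP with an AuthnRequest.
// Signing of the AuthnRequest is not done here; it is driven by saml.config.
public partial class Login : Page
{
    // ASSUMPTION: must match the PartnerIdentityProvider Name configured in saml.config.
    private const string PartnerIdP = "https://idp.example.com";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Carry the originally requested page as RelayState so the ACS can return the user there.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!SamlHelpers.IsLocalUrl(returnUrl))
        {
            returnUrl = "~/Default.aspx";
        }

        SAMLServiceProvider.InitiateSSO(Response, returnUrl, PartnerIdP);
    }
}

// Assertion consumer service: receives the SAML response POSTed by the browser for both
// SP-initiated and IdP-initiated SSO, as the reply describes.
public partial class AssertionConsumerService : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        bool isInResponseTo;
        string partnerIdP, authnContext, userName, relayState;
        IDictionary<string, string> attributes;

        try
        {
            // Signature verification and assertion decryption happen inside ReceiveSSO
            // according to the flags in saml.config; a failure surfaces as an exception.
            SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
                out authnContext, out userName, out attributes, out relayState);
        }
        catch (Exception ex)
        {
            // Do not echo the SAML response or exception detail to the browser.
            Response.StatusCode = 400;
            Response.Write("SSO failed.");
            Response.End();
            return;
        }

        // isInResponseTo is false for IdP-initiated SSO. If the SP only allows
        // SP-initiated SSO (so every response answers a request it sent), reject unsolicited ones.
        if (!isInResponseTo)
        {
            Response.StatusCode = 403;
            Response.Write("Unsolicited SAML response rejected.");
            Response.End();
            return;
        }

        // The SP authenticates the user from the NameID carried in the assertion.
        FormsAuthentication.SetAuthCookie(userName, false);

        // RelayState travels through the browser and is attacker-influenceable:
        // only follow it when it is a local URL, otherwise fall back to a fixed page.
        string target = SamlHelpers.IsLocalUrl(relayState) ? relayState : "~/Default.aspx";
        Response.Redirect(target, false);
    }
}

internal static class SamlHelpers
{
    // Accepts "~/path" or "/path"; rejects "//host", "/\host" and absolute URLs (open redirect).
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

As the reply says, signing and encryption are not calls in this code but flags on the partner provider entries in saml.config. From memory of the configuration schema (an assumption to verify against the example saml.config files), the SP's PartnerIdentityProvider entry carries SignAuthnRequest, WantSAMLResponseSigned, WantAssertionSigned and WantAssertionEncrypted, while the IdP's PartnerServiceProvider entry carries SignSAMLResponse, SignAssertion and EncryptAssertion; the local signing certificate and the partner's verification certificate are referenced alongside them. Whatever the exact attribute names, the practical check is that the SP insists on a signed response or assertion from every partner IdP: an unsigned assertion that the SP still accepts lets anyone who can POST to the ACS log in as any user.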