Returning an Access Denied message


Peter Falson

Sep 15, 2016, 2:31:25 PM
to SimpleSAMLphp
I control an IDP and a couple of our SPs have fixed accounts such that they display some sort of denied or failed message if the UID provided in the login assertion doesn't pre-exist. I'm hoping to sway them to return a response back to me so that I can control the user experience of a denial of service. Wondering if there's a specific type of message I can suggest they send back. I was thinking something like:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b70e518f5a5ee08c9597700674427c8eea6b78ae43" Version="2.0" IssueInstant="2016-07-07T18:59:33Z" InResponseTo="_7ba485d07a784d3da24bf0aaf1124c0d700263b3b8">
  <saml:Issuer>entity id</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
  </samlp:Status>
</samlp:Response>


Is this an accepted part of the saml spec/ideology?

Jaime Perez Crespo

Sep 16, 2016, 4:33:48 AM
to simple...@googlegroups.com
Hi Peter,
SAML is not an ideology, it’s a specific set of messages and bindings used in profiles, which are basically what you would call a protocol. Obviously, you can’t modify how the protocol works, and the protocol does not contemplate any use case like the one you are depicting.

Now, SAML responses are always sent in response to a SAML request (with some exceptions, like IdP-initiated authentication, when an IdP sends a SAML response to an SP without a previous request). What you are suggesting is sending a SAML response in response to another SAML response, which is not supported.

You have two ways forward, and neither of them implies getting back control at your IdP during authentication:

- One option is to do automatic provisioning to those problematic SPs. You can just have a cron job every night or something like that, going through the list of users in your IdP, and telling the SPs: “here’s the list of my users, please create accounts for those users missing in your system”. Of course, the SP must have some mechanism to allow for this.

- The other option is what most SPs do: dynamic provisioning, meaning when a SAML response with an assertion arrives at the SP and the user is unknown because there’s no associated local account, the SP will just create the account on the fly, instead of showing an error.

In any case, as you can see the SP needs to deal with the problem somehow, and you definitely can’t modify the SAML protocol to your will.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
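The following is an added example, not code from the thread or from the SimpleSAMLphp project, showing both sides of what the reply describes: the IdP is the only party that emits a <samlp:Response>, and a failure there carries a nested <samlp:Status>; the SP, on receiving a successful response whose uid has no local account, must choose between dynamic (just-in-time) provisioning and its own local denial. Note that SAML 2.0 Core section 3.2.2.2 only allows Success, Requester, Responder and VersionMismatch as top-level status codes, so UnknownPrincipal belongs as a second-level code nested under one of them, which the builder below does. The sample messages are constructed, the function names and the in-memory user set are hypothetical, and XML signature verification is assumed to have been done by the SAML stack before this code runs. The standard-library parser is used only because the inputs are constructed; real SAML input should go through defusedxml or an equally hardened parser.

```python
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for real SAML to block XXE/entity expansion
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Top-level codes permitted by SAML 2.0 Core 3.2.2.2. More specific codes such as
# UnknownPrincipal are second-level and must be nested under one of these.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
TOP_LEVEL = {
    SUCCESS, RESPONDER,
    "urn:oasis:names:tc:SAML:2.0:status:Requester",
    "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch",
}
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

# Constructed sample: a successful, unsigned IdP response carrying one assertion with a uid attribute.
SAMPLE_SUCCESS = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2016-09-16T08:00:00Z" InResponseTo="_q1">'
    "<saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-09-16T08:00:00Z">'
    "<saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>"
    "<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)


def build_failed_response(issuer, in_response_to, second_level, response_id="_r-fail-1"):
    """IdP side (hypothetical helper): a Response with no assertion and a nested Status.

    This is the only direction the protocol supports for a failure signal:
    IdP -> SP, answering the SP's AuthnRequest identified by in_response_to.
    """
    q = {'"': "&quot;"}
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{escape(response_id, q)}" '
        f'Version="2.0" IssueInstant="2016-09-16T08:00:00Z" InResponseTo="{escape(in_response_to, q)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{RESPONDER}">'
        f'<samlp:StatusCode Value="{escape(second_level, q)}"/>'
        "</samlp:StatusCode></samlp:Status></samlp:Response>"
    )


def status_codes(response):
    """Return the StatusCode chain, top-level first, from an XML string or parsed root."""
    root = ET.fromstring(response) if isinstance(response, str) else response
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def handle_login(response_xml, expected_request_id, local_users, jit_provision):
    """SP side (hypothetical helper). Assumes the signature was verified upstream.

    Returns (outcome, detail). Once the response is in, the SP decides locally what
    to do with an unknown uid; there is no SAML message it can send back to the IdP.
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return ("denied", "InResponseTo does not match an outstanding AuthnRequest")
    codes = status_codes(root)
    if not codes or codes[0] not in TOP_LEVEL:
        return ("denied", f"malformed status {codes}")
    if codes[0] != SUCCESS:
        return ("denied", "IdP reported " + " / ".join(codes))
    uid_el = root.find(
        "saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='uid']/saml:AttributeValue", NS
    )
    if uid_el is None or not (uid_el.text or "").strip():
        return ("denied", "assertion carries no uid")
    uid = uid_el.text.strip()
    if uid in local_users:
        return ("ok", uid)
    if jit_provision:
        local_users.add(uid)  # dynamic provisioning: create the local account on first login
        return ("provisioned", uid)
    return ("denied", f"unknown principal {uid}: fixed account list, no provisioning")


if __name__ == "__main__":
    users = {"alice"}
    print(handle_login(SAMPLE_SUCCESS, "_q1", users, jit_provision=False))
    print(handle_login(SAMPLE_SUCCESS, "_q1", users, jit_provision=True))
    print(status_codes(build_failed_response("https://idp.example.org", "_q1", UNKNOWN_PRINCIPAL)))
```

The InResponseTo check matters for the SP regardless of which provisioning option it picks: an unsolicited or replayed response that does not match an outstanding request is rejected before any account lookup or creation happens.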

Peter Falson

Sep 20, 2016, 1:53:42 PM
to SimpleSAMLphp
Thanks for your detailed response. I find it interesting there's no such message/feature. I can see that perhaps this scenario is breaking/bending the rules of SAML (the situation is not a matter of the accounts not being there but that they have been pre-determined and there is to be no allowance for automatic account creation). I did some research and found another developer having a similar situation.

However, I don't quite agree with your assertion that I'm sending a response and expecting a response. I'm sending a login request and wanting a request denied response for this situation.