How to retrieve SAML assertion from SAML Response


Alessandro Senatore

Jun 9, 2015, 4:05:43 AM
to simple...@googlegroups.com
Hi all,
considering the following scenario:
 - IdP platform that exposes an authentication service via SAML 2.0
 - Backend Service platform that exposes APIs via OAuth2
 - Web Application that plays the role of Service Provider, which uses the IdP service for user authentication and the Backend Service Platform APIs for implementing the business logic

In this scenario, the IdP and the Backend Service Platform are trusted, and the OAuth2 token is generated using the SAMLBearer grant type by also passing the assertion included in the response.

The E2E flow works in this way:
 1) user hits a Web App URL
 2) user is redirected to IdP (SP initiated flow)
 3) user is authenticated on IdP and redirected to Web Application
 4) web application retrieves SAML assertion from the SAML response
 5) web application requests an OAuth2 token by using SAMLBearer as grant type and the assertion as value
 6) Backend Service Platform checks the SAML Assertion (signature, encryption etc...) and generates the token
 7) web application starts consuming APIs

We were able to successfully implement the first three steps using simpleSAMLphp v1.13.
However, there are no APIs available to get the assertion from the response (getAttributes can only be used to retrieve claims...).

Any idea?

Thanks

Peter Schober

Jun 9, 2015, 5:21:51 AM
to simple...@googlegroups.com
* Alessandro Senatore <alexse...@gmail.com> [2015-06-09 10:05]:
> 4) web application retrieves SAML assertion from the SAML response

From the documentation it looks like SSP does not expose an API to get
at the assertion. It might still be possible.

> 5) web application requests an OAuth2 token by using SAMLBearer as grant
> type and the assertion as value
> 6) Backend Service Platform checks the SAML Assertion (signature,
> encryption etc...) and generates the token

Two additional things to note:
It might be the SAML Response that is signed, not the SAML Assertion, in
which case you couldn't perform signature validation somewhere else.
You should also take care not to violate any parts of the SAML spec as
to the passing around of assertions to parties other than the relying
party they were issued to.
-peter
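Added illustration for steps 4-6 of the flow above and for Peter's two caveats. This is example code written for this page, not simpleSAMLphp code and not anything from the original posts; it works on the raw SAML Response XML rather than through any simpleSAMLphp API. The entity IDs, the placeholder ds:Signature element and the function names are all assumptions of the example. It does not verify an XML signature; it only reports where the ds:Signature element sits (Response vs. Assertion), checks the AudienceRestriction against the party that would later consume the assertion, and builds the RFC 7522 (SAML 2.0 bearer) token request body.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():      # keep the usual prefixes when re-serializing
    ET.register_namespace(_prefix, _uri)

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"   # RFC 7522, section 2.1

# Placeholder ds:Signature (not a real XML-DSig): only its position in the tree matters here.
_SIG = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"


def build_sample_response(sign_response=True, sign_assertion=False,
                          audience="https://webapp.example.com/sp"):
    """Constructed fixture: a minimal SAML 2.0 Response. Entity IDs are made up."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2015-06-09T08:05:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  {_SIG if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-09T08:05:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    {_SIG if sign_assertion else ''}
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-06-09T08:04:00Z" NotOnOrAfter="2015-06-09T08:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def signature_scope(response_xml):
    """Where does ds:Signature sit: 'response', 'assertion', 'both' or 'none'?"""
    root = ET.fromstring(response_xml)
    on_response = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    on_assertion = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {(True, True): "both", (True, False): "response",
            (False, True): "assertion", (False, False): "none"}[(on_response, on_assertion)]


def extract_assertion(response_xml):
    """Step 4: pull the saml:Assertion element out of the Response.
    ElementTree re-serializes the element rather than preserving the original bytes;
    a signature over the Assertion is verified over its canonicalized (C14N) form, so a
    real implementation must canonicalize instead of pretty-printing."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("Response carries an EncryptedAssertion; decrypt it before extracting")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no saml:Assertion")
    return ET.tostring(assertion, encoding="unicode")


def audiences(response_xml):
    root = ET.fromstring(response_xml)
    return [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]


def reuse_problems(response_xml, backend_entity_id):
    """What the backend in step 6 would object to when handed the bare Assertion:
    RFC 7522 requires the Assertion itself to be signed and to name the token
    endpoint / authorization server in its AudienceRestriction."""
    problems = []
    if signature_scope(response_xml) in ("response", "none"):
        problems.append("assertion is not signed on its own (only the Response is)")
    if backend_entity_id not in audiences(response_xml):
        problems.append("AudienceRestriction does not name the backend")
    return problems


def saml2_bearer_request_body(assertion_xml, scope=None):
    """Step 5: form body for the token endpoint. RFC 7522 wants the Assertion
    base64url-encoded, without padding and without line wrapping."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode("ascii")
    params = {"grant_type": SAML2_BEARER, "assertion": encoded}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def decode_assertion_param(encoded):
    """Backend side: restore the padding and decode the assertion parameter."""
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)).decode("utf-8")


if __name__ == "__main__":
    resp = build_sample_response()                      # Response signed, Assertion not
    print("signature on:", signature_scope(resp))
    print("problems for backend:", reuse_problems(resp, "https://api.example.com/oauth2"))
    print(saml2_bearer_request_body(extract_assertion(resp))[:100] + "...")
```

With the default fixture (signature on the Response only, audience = the web app) reuse_problems reports both of Peter's points; only a Response whose Assertion is signed on its own and whose Audience names the backend comes back clean.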

Alessandro Senatore

Jun 9, 2015, 12:06:54 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,
thanks for the reply.
It's indeed the SAML Response that is signed.

We were able to complete the E2E flow by adding a method in this file to retrieve the assertion:

 - simplesamlphp\modules\saml\www\sp\saml2-acs.php

I think it makes sense to propose this as an enhancement, so that the same scenario can be supported out of the box.

Regards
Alessandro

Peter Schober

Jun 9, 2015, 12:28:15 PM
to simple...@googlegroups.com
* Alessandro Senatore <alexse...@gmail.com> [2015-06-09 18:06]:
> We were able to complete the E2E flow by adding a method in this file to
> retrieve the assertion:
>
>  - simplesamlphp\modules\saml\www\sp\saml2-acs.php
>
> I think it makes sense to propose this as an enhancement, so that the same
> scenario can be supported out of the box.

Feel free to open an issue for that, esp if it's accompanied by a pull
request with code and documentation (in this case "configuration" will
likely not be necessary). :)
-peter