New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IDP Initiated Authentication Script #267

Closed
nynymike opened this Issue Jul 27, 2016 · 8 comments

Comments

Projects
None yet
5 participants
@nynymike
Contributor

nynymike commented Jul 27, 2016

image

It would be nice if oxAuth could act as a gateway for consolidating IDP-initiated authentication. The basic idea is that the Gluu Server would be the SP--i.e. the authentication is coming from an external organization's IDP. Gluu would consume the assertion, dynamically register the person if necessary, and then redirect the person as specified by the relay_state parameter.

It's unclear if this can be done within an interception script alone, or if we'd need to implement a new endpoint. Also, would the oxAuth publish SP metadata for this endpoint? This service should generate its own keys and certificates.

For testing, use a Shibboleth IDP, which support IDP initiated as the "internal IDP"

Sequence Diagram Source

Title IDP Initiated Authentication

Browser->Website 1: GET Website 1
Website 1->Browser: Redirect to internal IDP
Browser->Internal IDP: Login
Internal IDP->Browser:
Browser->Internal IDP: Request IDP initiated authn with relay_state=gluu_server_url
Browser->Gluu Server: Post SAML Assertion to Gluu Server SAML SP ACS
Gluu Server->Gluu Server: Validate SAML Assertion
Gluu Server->Gluu Server: Dynamic Enrollment if user doesn't exist
Gluu Server->Gluu Server: Create Gluu Server Session
Gluu Server->Gluu Server: Map Source IDP to Website 2
Gluu Server->Browser: Redirect to website 2 relay_state URL
Browser->Website 2: GET website 2 relay_state URL
Website 2->Gluu Server: Get user claims

@nynymike nynymike added this to the CE 2.4.5 milestone Jul 27, 2016

@yurem

This comment has been minimized.

Contributor

yurem commented Jul 28, 2016

There are 3 oxAuth questions regarding this diagram:

  1. In all our existing workflows we create session on authorization request. As result we can't just send SAML Request to existing endpoints. We need new endpoint which will create session and start authentication workflow.
  2. How oxAuth should know which acr_values should use?
  3. In last step there process to get user claims. Which authorization flow should we use? Where and when we start it?

Also I think we have to communicate with Internal SP according to this diagram. These are steps 8 and 9.

@nynymike

This comment has been minimized.

Contributor

nynymike commented Jul 29, 2016

  1. I agree... I was saying the same.
  2. I think the acr would be static. There can only be one script to process IDP iniitated authn.
  3. The IDP will send user claims in the assertion, which are used for dynamic enrollment. Post-enrollment, the interception script should redirect to the url speciifed in the relay_state. This application should be a normal OpenID Connect RP, and won't know anything about the IDP intitiated flow. It will send for authorization, but hopefully the user will already have a session in the browser.

@nynymike nynymike modified the milestones: CE 3.1.0, CE 3.0.0 Nov 29, 2016

@nynymike nynymike assigned dmogn and unassigned arvindsinghtomar Apr 7, 2017

@nynymike nynymike modified the milestones: CE 3.2.0, CE 3.1.0 Jun 26, 2017

@nynymike nynymike assigned arvindsinghtomar and unassigned dmogn Dec 19, 2017

@arvindsinghtomar

This comment has been minimized.

Contributor

arvindsinghtomar commented Dec 20, 2017

@nynymike @yurem can you please explain what we are trying to achieve here?

@arvindsinghtomar

This comment has been minimized.

Contributor

arvindsinghtomar commented Dec 20, 2017

I talked to @willow9886 regarding this issue.
As far I understand requirements we need to achieve similar functionality like the inbound-saml passport .I think instead of creating new script again we can use the passport for this.

@nynymike nynymike assigned dmogn and unassigned arvindsinghtomar Dec 21, 2017

@yurem

This comment has been minimized.

Contributor

yurem commented May 8, 2018

We can implement next flow which uses Gluu-Passport:
inbound saml

title Inbound SAML

User->Browser: Click on page
Browser->IDP: Authenticate User
IDP->Passport: SAML2 POST AuthN
Passport->Passport: Validate request, check signature, etc...
Passport->oxAuth: AuthZ request with custom parameter(s) with user profile
oxAuth->Script: Invoce custom script "authenticate" method
Script->oxAuth: Validate userprofile and authenticated user by uid/e-mail
oxAuth->App: Send access_token

Here si plan:

  1. Add new enpoint to trigger Inbound SAML flow,
  2. RequestingPartyId -> OpenID client mapping. We need new json config file:
relayingPartyId_1: {oxAuth client details needed for AuthZ},
relayingPartyId_2: {oxAuth client details needed for AuthZ},
relayingPartyId_3: {oxAuth client details needed for AuthZ},
  1. Prepare AuthZ request and send user profile as signed JWT via custom paramter (exmaple),
  2. Write new custom script which trust user Profile (check JWT signature) which Passport send in AuthZ request,
  3. Store Passport configuration in LDAP and add oxTrust GUI to change it.

We can finish all steps except 5 in 3.1.4ю

@yurem yurem unassigned dmogn May 8, 2018

@jgomer2001

This comment has been minimized.

Contributor

jgomer2001 commented Nov 16, 2018

I'm closing this, I think the recently added IDP-initiated capabilities to passport do the job.

@jgomer2001 jgomer2001 closed this Nov 16, 2018

@nynymike

This comment has been minimized.

Contributor

nynymike commented Nov 17, 2018

Are there docs on how to configure it in Gluu? I end up having to address this question several times a week.

@jgomer2001

This comment has been minimized.

Contributor

jgomer2001 commented Nov 17, 2018

Not yet I think since it was recently introduced. Actually, it was solved for 3.1.5. It will be part of 3.1.5 docs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment