IDP Initiated Authentication Script

[nynymike]

It would be nice if oxAuth could act as a gateway for consolidating IDP-initiated authentication. The basic idea is that the Gluu Server would be the SP--i.e. the authentication is coming from an external organization's IDP. Gluu would consume the assertion, dynamically register the person if necessary, and then redirect the person as specified by the relay_state parameter.

It's unclear if this can be done within an interception script alone, or if we'd need to implement a new endpoint. Also, would the oxAuth publish SP metadata for this endpoint? This service should generate its own keys and certificates.

For testing, use a Shibboleth IDP, which support IDP initiated as the "internal IDP"

Sequence Diagram Source

Title IDP Initiated Authentication

Browser->Website 1: GET Website 1
Website 1->Browser: Redirect to internal IDP
Browser->Internal IDP: Login
Internal IDP->Browser:
Browser->Internal IDP: Request IDP initiated authn with relay_state=gluu_server_url
Browser->Gluu Server: Post SAML Assertion to Gluu Server SAML SP ACS
Gluu Server->Gluu Server: Validate SAML Assertion
Gluu Server->Gluu Server: Dynamic Enrollment if user doesn't exist
Gluu Server->Gluu Server: Create Gluu Server Session
Gluu Server->Gluu Server: Map Source IDP to Website 2
Gluu Server->Browser: Redirect to website 2 relay_state URL
Browser->Website 2: GET website 2 relay_state URL
Website 2->Gluu Server: Get user claims

[yurem]

There are 3 oxAuth questions regarding this diagram:

1. In all our existing workflows we create session on authorization request. As result we can't just send SAML Request to existing endpoints. We need new endpoint which will create session and start authentication workflow.
2. How oxAuth should know which acr_values should use?
3. In last step there process to get user claims. Which authorization flow should we use? Where and when we start it?

Also I think we have to communicate with Internal SP according to this diagram. These are steps 8 and 9.

[nynymike]

1. I agree... I was saying the same.
2. I think the acr would be static. There can only be one script to process IDP iniitated authn.
3. The IDP will send user claims in the assertion, which are used for dynamic enrollment. Post-enrollment, the interception script should redirect to the url speciifed in the relay_state. This application should be a normal OpenID Connect RP, and won't know anything about the IDP intitiated flow. It will send for authorization, but hopefully the user will already have a session in the browser.

[arvindsinghtomar]

@nynymike @yurem can you please explain what we are trying to achieve here?

[arvindsinghtomar]

I talked to @willow9886 regarding this issue.
As far I understand requirements we need to achieve similar functionality like the inbound-saml passport .I think instead of creating new script again we can use the passport for this.

[yurem]

We can implement next flow which uses Gluu-Passport:

title Inbound SAML

User->Browser: Click on page
Browser->IDP: Authenticate User
IDP->Passport: SAML2 POST AuthN
Passport->Passport: Validate request, check signature, etc...
Passport->oxAuth: AuthZ request with custom parameter(s) with user profile
oxAuth->Script: Invoce custom script "authenticate" method
Script->oxAuth: Validate userprofile and authenticated user by uid/e-mail
oxAuth->App: Send access_token

Here si plan:

1. Add new enpoint to trigger Inbound SAML flow,
2. RequestingPartyId -> OpenID client mapping. We need new json config file:

relayingPartyId_1: {oxAuth client details needed for AuthZ},
relayingPartyId_2: {oxAuth client details needed for AuthZ},
relayingPartyId_3: {oxAuth client details needed for AuthZ},

3. Prepare AuthZ request and send user profile as signed JWT via custom paramter (exmaple),
4. Write new custom script which trust user Profile (check JWT signature) which Passport send in AuthZ request,
5. Store Passport configuration in LDAP and add oxTrust GUI to change it.

We can finish all steps except 5 in 3.1.4ю

[jgomer2001]

I'm closing this, I think the recently added IDP-initiated capabilities to passport do the job.

[nynymike]

Are there docs on how to configure it in Gluu? I end up having to address this question several times a week.

[jgomer2001]

Not yet I think since it was recently introduced. Actually, it was solved for 3.1.5. It will be part of 3.1.5 docs