
Wednesday, March 28, 2018

What is RelayState, and what is it for in a SAML SP request?

Along with the SAML Request, an HTTP parameter called RelayState is passed to the Identity Provider SSO (Access Manager). It captures the location of the resource the user originally requested. Put simply, it is the endpoint the user should land on after a successful authentication.


Example endpoint: https://sp.mysite.com:9031/sp/ACS.saml2
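To make this concrete, here is an added Python example (not code from the original post) that builds the HTTP-Redirect binding URL an SP sends to the IdP, carrying SAMLRequest and RelayState as query parameters, and then shows the check the SP should perform when RelayState comes back with the Response. RelayState is a user-controllable URL parameter, so redirecting to it blindly turns the ACS into an open redirect; the example only honours local paths or URLs on the SP's own origin. The IdP SSO URL, issuer and request ID are assumed values; the ACS endpoint is the one named above.

```python
import base64
import urllib.parse
import zlib
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample values (the ACS URL is the one in the post; the rest is assumed)
SP_ORIGIN = "https://sp.mysite.com:9031"              # scheme + host of the SP
ACS_URL = f"{SP_ORIGIN}/sp/ACS.saml2"                 # ACS endpoint named in the post
IDP_SSO_URL = "https://idp.example.org/sso/redirect"  # assumed IdP single sign-on URL

AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2018-03-28T00:00:00Z" '
    f'AssertionConsumerServiceURL="{ACS_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.mysite.com:9031/sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_saml_request(xml: str) -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(sso_url: str, xml: str, relay_state: str) -> str:
    # What the SP sends the browser to: IdP SSO URL + SAMLRequest + RelayState
    query = urllib.parse.urlencode(
        {"SAMLRequest": encode_saml_request(xml), "RelayState": relay_state}
    )
    return f"{sso_url}?{query}"


def parse_redirect_url(url: str) -> Tuple[str, str]:
    # What the IdP does on arrival: recover the request XML and the opaque RelayState
    params = urllib.parse.parse_qs(urlsplit(url).query)
    return decode_saml_request(params["SAMLRequest"][0]), params.get("RelayState", [""])[0]


def safe_relay_state(relay_state: str, sp_origin: str = SP_ORIGIN, default: str = "/") -> str:
    # ACS-side check: accept only a local path ("/app", never "//host/app")
    # or an absolute URL on the SP's own origin; anything else falls back to default.
    # The SAML 2.0 bindings spec caps RelayState at 80 bytes.
    if not relay_state or len(relay_state.encode("utf-8")) > 80:
        return default
    if relay_state.startswith("/") and not relay_state.startswith(("//", "/\\")):
        return relay_state
    parts, origin = urlsplit(relay_state), urlsplit(sp_origin)
    if parts.scheme == origin.scheme and parts.netloc == origin.netloc:
        return relay_state
    return default


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, "/app/dashboard")
    print(url)
    xml, relay = parse_redirect_url(url)
    print("round trip ok:", xml == AUTHN_REQUEST, "RelayState:", relay)
    print("attacker RelayState becomes:", safe_relay_state("https://evil.example/phish"))
```

The same validation applies when RelayState is used for IdP-initiated SSO, where the SP has no request of its own to match it against: treat the value as untrusted input, never as a trusted return address.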

Web Policy Agent Traffic Flow

[Figure: openam_agent_flow.png]



Does SAML integration require ports or firewall rules to be opened?

SAML Traffic Flow

A view of the SAML traffic flow is illustrated below:

[Figure: saml.png]

IPs / Ports / Firewall Rules

A question that frequently arises concerning the SAML architecture is "which network ports and firewall rules do I need to open?". The answer should be readily evident from the flow diagram above. There is no direct communication between the IdP and the Service Provider; all communication happens via the user's browser (outbound ports 80, 443 and 8443). Therefore no IPs, ports or firewall rules are necessary between your infrastructure and Access Manager. Your users, on the other hand, will need to be able to reach both the IdP and your application instance.

How to enable SAML for your application: do I need to modify code, or are other options available?

SAML-Enabling Your Application

If your application is COTS or GOTS, the first step is to determine whether it supports SAML or any other form of federation, by checking the vendor documentation, contacting the vendor, or searching the web for a SAML module or integration. If your application is "homegrown" software, then in order to SAML-enable it you will need to find a SAML toolkit or SAML library written in the same language as your software. While many other options exist, some sample SAML code libraries are included below for your convenience:

Apache Server

A slightly less tightly integrated SAML alternative can be implemented on some web servers, such as Apache, rather than at the application level. The module "mod_auth_mellon" enables SAML on Apache servers and is also available in the RHEL 7 repositories. The advantage of this Apache module is that it requires no code modifications, and at the same time it lets you protect different locations/URLs based on group membership, delivered as an LDAP attribute sent from the Identity Provider (IdP) / Access Manager.

IIS Server

To SAML-enable an IIS server, a third-party module named "Shibboleth" can be used. Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.

http://www.testshib.org

Generating Metadata for Integration

If you are using the Apache mod_auth_mellon module, run "mellon_create_metadata.sh" to export your SP metadata.

If you are generating the metadata manually (e.g. for a "homegrown" application), you may want to use the following site to generate it: https://www.samltool.com/sp_metadata.php
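For a homegrown application, it helps to know what the generated SP metadata actually contains before handing it to the IdP team. The following added Python example (not from the original post or from mod_auth_mellon; the entity ID and certificate body are assumed placeholders, the ACS URL is the one named earlier) builds a minimal SPSSODescriptor with the standard library, parses it back, and runs the sanity checks a reviewer would apply: assertions must be required to be signed, and every AssertionConsumerService location must be an HTTPS URL on the SP's own host, since the IdP will post signed responses to whatever ACS the metadata lists.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed sample values (the ACS URL is the one in the post; the rest is assumed)
SP_ENTITY_ID = "https://sp.mysite.com:9031/sp"
ACS_URL = "https://sp.mysite.com:9031/sp/ACS.saml2"
# Placeholder for the base64 body of the SP signing certificate (PEM without header/footer)
SIGNING_CERT_B64 = "MIIC...PLACEHOLDER-CERT-BODY...=="


def md(tag):
    return f"{{{NS_MD}}}{tag}"


def ds(tag):
    return f"{{{NS_DS}}}{tag}"


def build_sp_metadata(entity_id, acs_url, signing_cert_b64=None):
    # Minimal SP metadata: entity ID, signing cert (if any), NameID format, one ACS
    root = ET.Element(md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, md("SPSSODescriptor"), {
        "AuthnRequestsSigned": "true" if signing_cert_b64 else "false",
        "WantAssertionsSigned": "true",  # tell the IdP we refuse unsigned assertions
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    if signing_cert_b64:
        key = ET.SubElement(sp, md("KeyDescriptor"), {"use": "signing"})
        x509 = ET.SubElement(ET.SubElement(key, ds("KeyInfo")), ds("X509Data"))
        ET.SubElement(x509, ds("X509Certificate")).text = signing_cert_b64
    ET.SubElement(sp, md("NameIDFormat")).text = NAMEID_UNSPEC
    ET.SubElement(sp, md("AssertionConsumerService"), {
        "Binding": BINDING_POST, "Location": acs_url, "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def parse_sp_metadata(xml_text):
    # ET.fromstring has no entity-expansion protection; parse metadata you did not
    # produce yourself with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != md("EntityDescriptor"):
        raise ValueError("not an EntityDescriptor")
    sp = root.find(md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("no SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.iter(md("AssertionConsumerService"))],
        "signing_certs": [e.text for e in sp.iter(ds("X509Certificate"))],
    }


def check_sp_metadata(info, expected_origin):
    # Review checks: signed assertions required, at least one ACS, all ACS on our HTTPS origin
    problems = []
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    if not info["acs"]:
        problems.append("no AssertionConsumerService")
    for _binding, location in info["acs"]:
        if not location.startswith(expected_origin + "/"):
            problems.append(f"ACS {location} is not under {expected_origin}")
    return problems


if __name__ == "__main__":
    metadata = build_sp_metadata(SP_ENTITY_ID, ACS_URL, SIGNING_CERT_B64)
    print(metadata)
    print("problems:", check_sp_metadata(parse_sp_metadata(metadata), "https://sp.mysite.com:9031"))
```

The output is unsigned metadata; if the IdP requires signed metadata, sign the resulting document with your SP key (xmlsec1 or the signing page linked in the next section) rather than editing it by hand afterwards, since any edit invalidates the signature.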

Verifying the Signature

You can use the website below to sign and verify the metadata signature:

https://www.samltool.com/sign_authn.php