Introduction to SAML - Digital-Platform-Services/My-NS-Account GitHub Wiki

Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication and authorization data between two parties: a relying party (RP) and an identity provider (IdP). The SAML specifications call the relying party a service provider (SP); this page uses both terms for the same role. The RP agrees to trust the IdP to authenticate users. In return, the IdP issues an authentication assertion, a signed statement that a particular user has been authenticated.

SAML 2.0 is the standard most single sign-on (SSO) deployments are built on. Authentication data is exchanged in digitally signed XML documents, so the RP can verify who issued an assertion and that it was not altered, and the user signs in once at the IdP rather than at every RP.

My NS Account uses the SAML HTTP Redirect binding and the SAML SOAP binding.

Message signing

SAML message signing adds XML digital signatures (XML-DSig) to SAML messages so that their integrity and authenticity can be verified. Digital signatures are based on public-key cryptography: each party has a key pair, a public key and a private key. The public key is published, in SAML metadata, to anyone who needs to verify that party's signatures; the private key must be kept secret by the signer and never leaves it.

SAML message signing works as follows:

  • The RP sends a SAML authentication request (AuthnRequest) to the IdP, asking it to authenticate the user. The RP signs the request with its private key and attaches the signature to the request.
  • The IdP verifies the signature with the RP's public key, taken from the RP metadata registered at the IdP. If the signature is valid, the IdP authenticates the user (or reuses an existing IdP session) and builds a SAML response containing an assertion with the user's identity and attributes. The IdP signs the response, the assertion, or both with its private key.
  • The IdP sends the response back to the RP. The RP verifies the signature with the IdP's public key from the IdP metadata. If the signature is valid and the assertion's conditions hold, the RP creates a session for the user based on the information in the assertion.

SAML message signing ensures that:

  • the messages were not tampered with in transit (integrity)
  • the messages were produced by the party that holds the signing key (authenticity)

Signing on its own does not stop replay: a captured response with a valid signature verifies just as well the second time it is presented. Replay protection comes from checks the RP performs on the assertion's contents: the Conditions NotBefore/NotOnOrAfter validity window, the Destination/Recipient matching the RP's own endpoint, InResponseTo matching a request the RP actually issued, and a record of assertion IDs already consumed.
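The exchange above carried through end to end, as an added example that is not code from My NS Account: an IdP signs an assertion, and the SP verifies the signature and then applies the content checks that actually stop replay. It is a simplified stand-in for XML-DSig: the signature covers a fixed-order hash of the assertion fields rather than a canonicalized XML document, and the entity IDs, URLs, request ID and subject are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assertion is a minimal stand-in for a SAML 2.0 assertion. Real deployments sign
// canonicalized XML with an enveloped <ds:Signature>; here the signature covers Digest().
type Assertion struct {
	ID           string    // saml:Assertion/@ID
	Issuer       string    // saml:Issuer, the IdP entity ID
	Destination  string    // samlp:Response/@Destination, the SP's ACS URL
	InResponseTo string    // ID of the AuthnRequest being answered
	NotOnOrAfter time.Time // saml:Conditions/@NotOnOrAfter
	NameID       string    // saml:Subject/saml:NameID
	Signature    []byte    // RSA-PSS/SHA-256 over Digest()
}

// Digest hashes every field the signature covers, in a fixed order.
func (a Assertion) Digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s", a.ID, a.Issuer, a.Destination,
		a.InResponseTo, a.NotOnOrAfter.UTC().Format(time.RFC3339), a.NameID)))
	return d[:]
}

// Sign is the IdP side: sign with the IdP private key.
func Sign(a Assertion, idpKey *rsa.PrivateKey) (Assertion, error) {
	sig, err := rsa.SignPSS(rand.Reader, idpKey, crypto.SHA256, a.Digest(), nil)
	a.Signature = sig
	return a, err
}

var (
	ErrBadSignature = errors.New("signature invalid")
	ErrWrongParty   = errors.New("issuer is not our IdP or destination is not this SP")
	ErrExpired      = errors.New("outside the assertion validity window")
	ErrReplay       = errors.New("assertion ID already consumed")
	ErrUnsolicited  = errors.New("InResponseTo matches no outstanding request")
)

type SP struct {
	IdPKey              *rsa.PublicKey  // IdP signing key, from the IdP metadata
	IdPEntityID, ACSURL string
	PendingReqs         map[string]bool // AuthnRequest IDs issued and not yet answered
	SeenIDs             map[string]bool // assertion IDs already accepted (replay cache)
}

// Validate runs every check the SP must pass before creating a session. A replayed
// copy passes the signature check unchanged; only the last two checks reject it.
func (sp *SP) Validate(a Assertion, now time.Time) error {
	if rsa.VerifyPSS(sp.IdPKey, crypto.SHA256, a.Digest(), a.Signature, nil) != nil {
		return ErrBadSignature
	}
	if a.Issuer != sp.IdPEntityID || a.Destination != sp.ACSURL {
		return ErrWrongParty
	}
	if !now.Before(a.NotOnOrAfter) {
		return ErrExpired
	}
	if sp.SeenIDs[a.ID] {
		return ErrReplay
	}
	if !sp.PendingReqs[a.InResponseTo] {
		return ErrUnsolicited
	}
	delete(sp.PendingReqs, a.InResponseTo)
	sp.SeenIDs[a.ID] = true
	return nil
}

// Demo uses constructed identifiers: the fresh assertion is accepted, a copy with an
// edited subject fails the signature check, and the original presented again is a replay.
func Demo() (fresh, tampered, replayed error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	sp := &SP{IdPKey: &idpKey.PublicKey, IdPEntityID: "https://idp.example.test/saml",
		ACSURL: "https://rp.example.test/saml/acs", PendingReqs: map[string]bool{"_req-42": true},
		SeenIDs: map[string]bool{}}
	now := time.Now()
	a, err := Sign(Assertion{ID: "_assertion-1", Issuer: sp.IdPEntityID, Destination: sp.ACSURL,
		InResponseTo: "_req-42", NotOnOrAfter: now.Add(5 * time.Minute), NameID: "alice@example.test"}, idpKey)
	if err != nil {
		return err, err, err
	}
	evil := a
	evil.NameID = "admin@example.test" // attacker rewrites the subject
	tampered = sp.Validate(evil, now)
	fresh = sp.Validate(a, now)
	replayed = sp.Validate(a, now) // identical bytes, still a valid signature
	return fresh, tampered, replayed
}

func main() {
	fresh, tampered, replayed := Demo()
	fmt.Println("fresh:", fresh, "| tampered:", tampered, "| replayed:", replayed)
}
```

In a real deployment the SAML library performs the XML canonicalization and reference checks behind the signature verification; the order of the remaining checks and the consumed-ID record are what carry over. Note that the replayed copy is rejected without its signature ever failing.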

Message encryption

SAML message encryption protects the confidentiality of SAML messages exchanged between an identity provider (IdP) and a service provider (SP): it hides the contents of an assertion (identity, attributes) from everyone except the intended recipient. Like signing, encryption uses public-key cryptography: each party has a key pair, a public key that can be shared with anyone and a private key that is kept secret. Encryption does not replace signing. Integrity and authenticity still come from the signature, so an encrypted assertion must also be signed, and the SP must verify the signature on the response or on the decrypted assertion before trusting it.

The benefit of encryption is that intercepting a message no longer reveals the user's identity or attributes. Since a SAML response travels through the user's browser, an unencrypted assertion is readable by the user and by anything on the path that sees the decoded message; encryption limits that to the holder of the SP's private key, which improves the privacy of the user and the service provider.

SAML 2.0 applies XML Encryption to elements inside the message rather than to the message as a whole: the assertion (EncryptedAssertion), the subject identifier (EncryptedID) and individual attributes (EncryptedAttribute). The assertion carries the user's identity and attributes; the surrounding protocol message (the Response) carries the assertion plus metadata such as the issuer, destination and InResponseTo, and is protected in transit by TLS.

To encrypt an assertion, the IdP generates a fresh symmetric content key, encrypts the assertion with it, and wraps that key with the SP's public key (the encryption key published in the SP metadata). The SP unwraps the content key with its private key and then decrypts the assertion. The IdP's own key pair plays no part in encryption; it is used only for signing.
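The hybrid scheme described above, as an added example that is not code from My NS Account: the IdP encrypts an assertion to the SP's public key, the SP decrypts it with its private key, and the IdP's own key cannot. It mirrors the structure of saml:EncryptedAssertion (a wrapped content key plus the encrypted data) without producing real XML Encryption, using RSA-OAEP for the key wrap and AES-256-GCM for the content; the sample assertion and both key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedAssertion mirrors saml:EncryptedAssertion: an xenc:EncryptedKey (the
// content key wrapped for the recipient) and xenc:EncryptedData (the assertion
// under a symmetric cipher).
type EncryptedAssertion struct {
	EncryptedKey  []byte // RSA-OAEP(SP public key, contentKey)
	Nonce         []byte // per-message AES-GCM nonce (the XML-Enc IV)
	EncryptedData []byte // AES-256-GCM(contentKey, assertion)
}

// EncryptAssertion is the IdP side. spPub is the SP's encryption key from the SP
// metadata <KeyDescriptor use="encryption">; the IdP's own key is not involved.
func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) (EncryptedAssertion, error) {
	contentKey := make([]byte, 32) // fresh random key for this assertion only
	if _, err := rand.Read(contentKey); err != nil {
		return EncryptedAssertion{}, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return EncryptedAssertion{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedAssertion{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedAssertion{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, contentKey, nil)
	if err != nil {
		return EncryptedAssertion{}, err
	}
	return EncryptedAssertion{EncryptedKey: wrapped, Nonce: nonce,
		EncryptedData: gcm.Seal(nil, nonce, assertion, nil)}, nil
}

// DecryptAssertion is the SP side: unwrap the content key with the SP private key,
// then decrypt the assertion. Any other private key fails at the unwrap step.
func DecryptAssertion(ea EncryptedAssertion, priv *rsa.PrivateKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ea.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.EncryptedData, nil)
}

// SampleAssertion is a constructed fragment; a real assertion is signed and much larger.
const SampleAssertion = `<saml:Assertion ID="_assertion-1"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>`

// Demo encrypts the sample to the SP and shows that only the SP key recovers it.
func Demo() (recovered string, spErr, idpErr error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err, err
	}
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048) // the IdP's own key pair
	if err != nil {
		return "", err, err
	}
	ea, err := EncryptAssertion([]byte(SampleAssertion), &spKey.PublicKey)
	if err != nil {
		return "", err, err
	}
	var plain []byte
	plain, spErr = DecryptAssertion(ea, spKey)
	_, idpErr = DecryptAssertion(ea, idpKey) // wrong key: the IdP cannot read what it encrypted
	return string(plain), spErr, idpErr
}

func main() {
	recovered, spErr, idpErr := Demo()
	fmt.Printf("SP recovered: %q (err=%v)\nIdP key: err=%v\n", recovered, spErr, idpErr)
}
```

Encryption gives confidentiality only. AES-GCM here detects modified ciphertext, but the AES-CBC transforms many SAML stacks still use do not, and in either case nothing ties the ciphertext to the IdP; the SP must still verify the IdP's signature before trusting the decrypted assertion.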

Certificate issuers for RPs

For security reasons, the IdP trusts only certificates issued by the internal CA.

RPs with certificates from other trusted issuers can still be onboarded. Note: when registering an RP whose metadata carries non-internal certificates, cross-sign them with the internal CA, that is, issue new certificates over the RP's existing public keys, and upload the updated RP metadata on the IdP portal. Nothing changes on the RP side, because the RP keeps the same private key and public key; only the certificate wrapping that public key is replaced.
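What the cross-signing note means in practice, as an added example that is not code from My NS Account: an RP key pair is certified first by an external CA and then re-certified by the internal CA over the same public key. Only the second certificate validates against a trust store holding the internal CA, and both certificates carry the RP's unchanged public key, which is why the RP's private key keeps working. The CA names, RP name, serials and validity periods are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template; ca selects CA or end-entity usage.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if ca {
		t.IsCA = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	}
	return t
}

// issue signs a certificate for pub with signerKey. When parent is nil the
// certificate is self-signed (used for the two CA roots).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether cert validates against a trust store holding only root,
// which is how the IdP decides whether to accept a certificate from RP metadata.
func chainsTo(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo returns whether the external and the cross-signed certificate chain to the
// internal CA, and whether both wrap the RP's unchanged public key.
func Demo() (externalTrusted, internalTrusted, sameKey bool, err error) {
	keys := make([]*rsa.PrivateKey, 3) // external CA, internal CA, RP
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	externalCAKey, internalCAKey, rpKey := keys[0], keys[1], keys[2]

	externalCA, err := issue(template("External Public CA", 1, true), nil, &externalCAKey.PublicKey, externalCAKey)
	if err != nil {
		return
	}
	internalCA, err := issue(template("NS Internal CA", 2, true), nil, &internalCAKey.PublicKey, internalCAKey)
	if err != nil {
		return
	}
	// Certificate the RP shipped in its metadata: issued by the external CA.
	externalRP, err := issue(template("rp.example.test", 100, false), externalCA, &rpKey.PublicKey, externalCAKey)
	if err != nil {
		return
	}
	// Cross-signed certificate: the same RP public key, now issued by the internal CA.
	internalRP, err := issue(template("rp.example.test", 200, false), internalCA, &rpKey.PublicKey, internalCAKey)
	if err != nil {
		return
	}

	externalTrusted = chainsTo(externalRP, internalCA)
	internalTrusted = chainsTo(internalRP, internalCA)
	sameKey = rpKey.PublicKey.Equal(externalRP.PublicKey) && rpKey.PublicKey.Equal(internalRP.PublicKey)
	return
}

func main() {
	externalTrusted, internalTrusted, sameKey, err := Demo()
	fmt.Printf("external cert trusted: %v, cross-signed cert trusted: %v, same RP key: %v, err: %v\n",
		externalTrusted, internalTrusted, sameKey, err)
}
```

The RP's private key is never touched; only the certificate published in its metadata changes, which is why the onboarding note requires no change on the RP side.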