SAML - ashishranjandev/developer-wiki GitHub Wiki
```mermaid
sequenceDiagram
participant User
participant SP
participant IdP
User->>SP: Requests protected resource
activate SP
SP->>User: Redirects to IdP with AuthnRequest
note right of SP: AuthnRequest (Signed)<br>Example (Simplified):<br>`<AuthnRequest ...><br><Signature>...</Signature><br></AuthnRequest><br>`
User->>IdP: User's Browser forwards AuthnRequest
activate IdP
IdP->>User: Authentication prompt (e.g., login form)
User->>IdP: User submits credentials
alt Successful Authentication
IdP->>IdP: Creates SAML Assertion
note right of IdP: Assertion (Example - Simplified):<br>`<Assertion ...><br><Subject><br><NameID>user123</NameID><br></Subject><br><AttributeStatement><br><Attribute Name="email"><br><AttributeValue>[email protected]</AttributeValue><br></Attribute><br></AttributeStatement><br><Signature>...</Signature><br></Assertion><br>`
IdP->>IdP: Encrypts SAML Assertion for the SP (random symmetric key, wrapped with SP's public key)
note right of IdP: Encrypted Assertion (Simplified):<br>`<EncryptedData ...><br><CipherData><br><CipherValue>...</CipherValue></CipherData><br></EncryptedData>`
IdP->>IdP: Creates SAML Response
note right of IdP: Response (Signed, contains encrypted Assertion) (Simplified):<br>`<Response ...><br><EncryptedAssertion>...</EncryptedAssertion><br><Signature>...</Signature><br></Response>`
IdP->>User: Returns auto-submitting HTML form carrying the SAML Response
User->>SP: User's Browser POSTs SAML Response to SP's ACS URL
SP->>SP: Validates IdP's signature on the Response
alt Signature Valid
SP->>SP: Decrypts SAML Assertion with SP's private key
SP->>SP: Checks Conditions (Audience, NotBefore/NotOnOrAfter), InResponseTo, Destination and replay
SP->>SP: Extracts user attributes from the Assertion
note right of SP: Decrypted Assertion (Same as original Assertion)
SP->>User: Grants access to the protected resource
else Signature Invalid
SP->>User: Displays error message (Invalid SAML Response)
end
else Authentication Failed
IdP->>User: Displays authentication error
end
deactivate IdP
deactivate SP
```
Let's break down the SAML workflow step by step, focusing on how signing and encryption enhance its security.
Actors:
- Principal (User): The individual trying to access a service.
- Service Provider (SP): The application or service the user wants to access (your SaaS product).
- Identity Provider (IdP): The system that manages user identities and authenticates users (e.g., Okta, Azure AD, OneLogin).
Basic SAML Workflow (Without Encryption):
- User Requests Access: The user tries to access a protected resource on the SP.
- SP Sends Authentication Request (AuthnRequest): The SP redirects the user's browser to the IdP with a SAML Authentication Request. This request contains information like the SP's Entity ID and where the IdP should send the response.
- User Authentication at IdP: The user is prompted to authenticate at the IdP (e.g., by entering their username and password).
- IdP Creates SAML Assertion: Upon successful authentication, the IdP creates a SAML Assertion, an XML document that contains statements about the user's identity (e.g., name, email, roles).
- IdP Sends SAML Response: The IdP sends a SAML Response containing the Assertion back to the SP. This is usually done via an HTTP POST request to a pre-configured Assertion Consumer Service (ACS) URL on the SP.
- SP Validates Assertion: The SP receives the SAML Response at its ACS URL, validates the XML signature (to ensure it came from the trusted IdP and was not altered in transit), and then checks the Assertion's conditions before trusting it: the Audience must be the SP's own Entity ID, the current time must fall within NotBefore/NotOnOrAfter (allowing a small clock skew), InResponseTo must match an AuthnRequest the SP actually issued, and the Assertion ID must not have been accepted before (replay). Only then does it extract the user's information.
- User Access Granted: If the validation is successful, the SP grants the user access to the requested resource.
SAML Workflow with Encryption and Signing (Enhanced Security):
Here's how encryption and signing improve the security of this process:
- User Requests Access: (Same as before)
- SP Sends Signed AuthnRequest: The SP digitally signs the AuthnRequest using its private key. This lets the IdP verify the request's integrity and authenticity (that it originated from the legitimate SP). With the HTTP-Redirect binding the signature travels in the query string (the SigAlg and Signature parameters) rather than as an embedded <Signature> element; the embedded form shown in the diagram is what the HTTP-POST binding uses.
- User Authentication at IdP: (Same as before)
- IdP Creates Encrypted and Signed SAML Assertion:
  - The IdP encrypts the SAML Assertion for the SP. XML Encryption is hybrid: the Assertion itself is encrypted with a freshly generated symmetric key, and that key is encrypted with the SP's public key and carried in an EncryptedKey element next to the EncryptedData. Only the holder of the SP's private key can recover the symmetric key, and therefore the Assertion, which is what gives confidentiality.
  - The IdP digitally signs the SAML Response (which contains the encrypted Assertion) using its private key. This ensures the response's integrity and authenticity. Many IdPs additionally sign the Assertion itself before encrypting it, so the SP can verify it independently of the Response.
- IdP Sends SAML Response: (Same as before)
- SP Validates Signature and Decrypts Assertion:
  - The SP first verifies the signature of the SAML Response using the IdP's public key obtained from metadata. This confirms that the response came from the trusted IdP and hasn't been tampered with. The SP must also confirm that the verified signature actually covers the element it is about to trust (the Reference URI points at the ID of the Response or of the Assertion it consumes); skipping this check is what makes XML signature wrapping attacks work.
  - The SP then decrypts the EncryptedKey with its private key, uses the recovered symmetric key to decrypt the Assertion, and verifies the Assertion's own signature if one is present. Only then does it apply the same Audience, validity-window, InResponseTo and replay checks as in the basic flow and read the user's information.
- User Access Granted: (Same as before)
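The checks the SP must perform after its library has verified the signature and decrypted the assertion are the part most often left out, so here is an added example (not code from this wiki, written for this page) of that stage in plain Python with only the standard library. It assumes the signature has already been cryptographically verified by a SAML library and that the assertion is already decrypted; the sample Response, the entity IDs, the ACS URL and the request ID `_req42` are constructed for the example. The structural guard (one Assertion, unique IDs, signed Reference pointing at the consumed element) is the signature-wrapping defence described above.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: what the SP sees after its SAML library verified the IdP signature and
# decrypted the assertion. The Signature element is a placeholder; only its Reference URI
# matters for the structural check below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" InResponseTo="_req42" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    pass


def _utc(value):
    # SAML timestamps are UTC with a trailing Z; the sample carries no fractional seconds.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url, request_id,
                      now, seen_assertion_ids, skew=dt.timedelta(seconds=60)):
    """Post-signature checks. Raises SamlValidationError, else returns subject and attributes."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlValidationError("unexpected Issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("non-success status")
    # Structural guard against XML signature wrapping: exactly one Assertion as a direct child,
    # no duplicate IDs anywhere, and the signed Reference must point at the Response or at
    # that very Assertion, i.e. at the element whose contents we are about to trust.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise SamlValidationError("duplicate ID attributes")
    refs = {r.get("URI") for r in root.iter(f"{{{NS['ds']}}}Reference")}
    if not refs & {"#" + root.get("ID", ""), "#" + assertion.get("ID", "")}:
        raise SamlValidationError("signature does not cover the consumed element")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _utc(nb) - skew) or (noa and now >= _utc(noa) + skew):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id \
            or now >= _utc(scd.get("NotOnOrAfter")) + skew:
        raise SamlValidationError("bad SubjectConfirmationData")
    # Replay: a bearer assertion is accepted once; keep IDs at least until their NotOnOrAfter.
    aid = assertion.get("ID")
    if aid in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(aid)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


def check(xml_text=SAMPLE_RESPONSE, now_iso="2024-01-01T12:01:00Z",
          audience="https://sp.example.com/metadata", seen=None):
    """Run validate_response with the constructed SP configuration; return (accepted, detail)."""
    try:
        result = validate_response(
            xml_text, idp_entity_id="https://idp.example.com/metadata", sp_entity_id=audience,
            acs_url="https://sp.example.com/acs", request_id="_req42", now=_utc(now_iso),
            seen_assertion_ids=set() if seen is None else seen)
        return True, result
    except SamlValidationError as err:
        return False, str(err)
```

`check()` accepts the sample; `check(now_iso="2024-01-01T13:00:00Z")` rejects it as expired, calling `check(seen=s)` twice with the same set rejects the replay, and rewriting the Reference URI to point at any other ID trips the wrapping guard. The ordering is deliberate: every check runs before any attribute is read, so a rejected response never reaches session creation.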
Key Security Enhancements:
- Digital Signatures (using Public/Private Key Pairs):
  - Authentication: Verifies the origin of the message (AuthnRequest or SAML Response). The SP can be sure the response came from the expected IdP, and the IdP can be sure the request came from the expected SP.
  - Integrity: Ensures that the message hasn't been tampered with during transmission. Any modification to the signed message would invalidate the signature.
- Encryption (using Public/Private Key Pairs):
  - Confidentiality: Protects the sensitive information contained in the SAML Assertion (user attributes) from being read by unauthorized parties during transmission. Only the intended recipient (the SP) can decrypt the message using its private key.
Key Exchange:
The public keys of the SP and IdP are exchanged beforehand, usually through metadata exchange. This metadata is an XML document (an EntityDescriptor) that describes the entity (SP or IdP): its Entity ID, its endpoints (SSO URL or ACS URL, with the bindings each supports) and its X.509 certificates, each tagged with use="signing" or use="encryption" (a KeyDescriptor with no use attribute serves both purposes). Because everything downstream trusts these certificates, the metadata itself must arrive over a trusted channel: fetched from an HTTPS URL you configured, signed by its publisher, or pinned by certificate fingerprint.
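As an added example of what the metadata exchange actually carries (this is not code from the wiki), the block below parses constructed IdP and SP EntityDescriptor documents with only the standard library, pulls out the Entity ID, endpoints, signing flags and the certificates by their `use`, and reduces each certificate to a SHA-256 fingerprint that can be compared against a pinned value. The entity IDs, URLs and the certificate bodies are constructed placeholders (real metadata carries base64 DER certificates, which a crypto library would then load).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def fingerprint(der):
    """SHA-256 over the DER bytes, the value you pin and compare out of band."""
    return hashlib.sha256(der).hexdigest()


def _b64(der):
    return base64.b64encode(der).decode()

# Constructed certificate bodies; real metadata carries base64 DER X.509 certificates here.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD['md']}" xmlns:ds="{MD['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(b"constructed-idp-signing-cert")}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD['md']}" xmlns:ds="{MD['ds']}"
    entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(b"constructed-sp-signing-cert")}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(b"constructed-sp-encryption-cert")}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://sp.example.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return entity ID, role, endpoints, signing flags and certificate fingerprints by use."""
    root = ET.fromstring(xml_text)
    role, kind = root.find("md:IDPSSODescriptor", MD), "IdP"
    if role is None:
        role, kind = root.find("md:SPSSODescriptor", MD), "SP"
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor in metadata")
    keys = {"signing": [], "encryption": []}
    for kd in role.findall("md:KeyDescriptor", MD):
        # A KeyDescriptor without a use attribute is valid for both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
            der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
            for use in uses:
                keys[use].append(fingerprint(der))
    endpoint_tag = "md:SingleSignOnService" if kind == "IdP" else "md:AssertionConsumerService"
    endpoints = {ep.get("Binding"): ep.get("Location") for ep in role.findall(endpoint_tag, MD)}
    flags = {k: v == "true" for k, v in role.attrib.items() if k.endswith("Signed")}
    return {"entity_id": root.get("entityID"), "kind": kind, "keys": keys,
            "endpoints": endpoints, "flags": flags}


def pinned_signing_key_ok(metadata, pinned_fingerprints):
    """Metadata fetched over the network is trusted only if a signing cert matches a pin."""
    return any(fp in pinned_fingerprints for fp in metadata["keys"]["signing"])
```

The SP keeps the IdP's `signing` fingerprints for verifying Responses and publishes its own `encryption` certificate so the IdP can wrap the assertion key for it; the `WantAuthnRequestsSigned` / `WantAssertionsSigned` flags are how each side tells the other which of the protections on this page it insists on.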
Summary Table:
Security Feature | Purpose | How it Works |
---|---|---|
Digital Signature | Authentication and Integrity | Uses the sender's private key to create a signature. The recipient uses the sender's public key to verify the signature. |
Encryption | Confidentiality | Uses the recipient's public key to encrypt the message. The recipient uses their private key to decrypt it. |
Metadata Exchange | Key Exchange, Endpoint Information Sharing | XML document shared between SP and IdP containing information such as entity IDs, SSO URLs, certificates (containing public keys), etc. |
By using both digital signatures and encryption, SAML provides a robust and secure framework for Single Sign-On, ensuring authentication, integrity, and confidentiality of user data. Remember to use established SAML libraries and follow security best practices when implementing SAML integrations.