Entities
Within the WS-Federation standard the following entities are defined:- Relying Party (RP)
The relying party is a resource (web application or service) which consumes security tokens issued by the Security Token Service. - Requestor
A requestor is a user who wants to access a resource (relying party). - Identity Provider (IDP)
An Identity Provider can act as an authentication service to a requestor (in this case it is also called “Requestor IDP” or “Home-Realm IDP”) as well as an authentication service to a service provider (also called “Relying Party IDP”). If a user tries to access a relying party within his own security domain, the “Requestor IDP” and the “RP-IDP” can be the same IDP instance. An IDP can also be seen as an Web-Frontend (Extension) of an STS. - Security Token Service (STS)
A Security Token Service is a web service that validates user credentials and issues security tokens which can include user attributes (also called claims). The security token can be used at the Relying Party to authenticate the requestor’s identity.
Passive Requestor Profile
The “Passive Requestor Protocol” of the WS-Federation standard deals with web-browser based access of a resource like a web portal or a web application.The following figure shows a standard scenario of a web application (Relying Party) which delegates the user authentication to an Identity Provider (IDP) according to the WS Federation standard. This way the web application does not need to implement multiple authentication styles for a user, as well as it allows interacting with users not known within the local security domain. Another benefit of delegating the authentication process is that the IDP can retain a session with the user, so that when a user accesses another web application and is redirected to the IDP again, the IDP does not need to request user credentials again und thus providing a SSO experience for the user.
The above figure shows a sequence diagram of a user (requestor) accessing a web application with his browser. Since the user was not authentication due to a recent session, the application redirects the user to the IDP for a user login (1). The IDP collects the credentials from the user and uses a Security Token Service (STS) to validate the credentials and also to get a SAML token from the STS (2). The STS itself is connected to a LDAP data store to validate the user credentials and also to retrieve additional information (claims) about the user, e.g. roles. On successful authentication (3) the IDP returns the SAML token issued by the STS (4) to the user and advices (auto-submitting form) the user to send this SAML token to the originally requested web application (5). The IDP takes care of providing a web user interface and handling URL redirects, whereas the STS is responsible for generating SAML Token and validating of user credentials. The web application validates the SAML token (6) and on success returns the desired web page (7).
The above sample was designed to show a simple use case scenario where the Requestor IDP is equal to the Relying Part IDP. In a more sophisticated scenario the Requestor IDP will not be equal to the Relying Party IDP. In addition to that there is also a Reverse Proxy added to the web application ensuring that the home realm discovery (also see section 2.3.3) is going to work correctly. The resulting access sequence can be seen in the following figure.
The user enters the public WebApp URL in his browser which leads him to the Reverse Proxy (0). The WebApp has no recent session with the user and therefore does not know the identity of the user. Thus the WebApp redirects the user to its Relying Party IDP (1). The Reverse Proxy detects the redirect to the RP-IDP and adds a home realm parameter for the user (1). This IDP uses this home realm parameter to perform the home realm discovery (3) and thus knowing at which IDP can be redirected to for being authenticated (4). The WS-Federation standard does not define how the home realm discovery should be performed. Multiple options are usually available:
- User Selection
A list of known and trusted IDPs is shown to the user. The user selects the IDP at which he wants to be authenticated and is then redirected to that IDP. - IP Discovery
The user will be redirected automatically to another IDP based on his IP address. - whr Parameter
The URL to invoke the RP-IDP contains an additional ‘whr’ parameter to define the IDP name on which the user wants to be redirected to for authentication. The ‘whr’ parameter must be known at the RP-IDP and must either be mapped to an URL or can also already be the URL of another IDP). The ‘whr’ parameter is usually set by a Reverse Proxy or was added (by the user or a provided link) in the URL when initially calling the web application. - Custom Discovery
Any custom logic can be added to the IDP to perform the home realm discovery. The standard is not limited to any predefined behaviour.
Great article. I have one question. This particular line is not much clear to me.
ReplyDelete"The Relying Party (the web application) validates the received SAML token by verifying that the issuer certificate of the SAML token is trusted."
Does not the webapp need to contact RP-IDP to verify the SAML token? Just signature validation is enough?
Thank you.
Yes, signature validation is sufficient!
DeleteHow would you validate the response from the IDP, if you would send the SAML Token to the IDP for validation? The response could be tampered if the response would not contain a valid signature. So at the end you will always need a signature. Therefore there would be no benefit for you even if the WS-Federation standard would include such a validation step. Hence this step does not exists.
Bhathiya, typically the signature is enough. Some implementations will also have the IdP encrypt the saml response and have the SP decrypt it. Or, with Artifact Binding the IdP and SP can communicate directly to do something similar as you describe in your question.
DeleteHi, how IDP knows for which user token need to generate?
ReplyDeleteThe IDP holds a session for each user (using cookies) after inital login.
Deleteperde modelleri
ReplyDeleteNUMARA ONAY
Türk telekom mobil ödeme bozdurma
Nft nasıl alınır
Ankara Evden Eve Nakliyat
Trafik sigortasi
dedektör
Websitesi Kurmak
Ask romanlari
smm panel
ReplyDeleteSmm panel
İs İlanlari Blog
instagram takipçi satın al
hirdavatciburada.com
www.beyazesyateknikservisi.com.tr
servis
TİKTOK HİLE
ataşehir beko klima servisi
ReplyDeletemaltepe vestel klima servisi
maltepe bosch klima servisi
kadıköy bosch klima servisi
tuzla vestel klima servisi
tuzla bosch klima servisi
tuzla arçelik klima servisi
çekmeköy samsung klima servisi
ataşehir samsung klima servisi