stackoom
  简体   繁体   中英

How to maintain state parameter in Identity Provider (IdP) initiated SAML sso?

 原文  2017-05-09 04:45:50       single-sign-on/ omniauth/ saml/ saml-2.0/ auth0

Question

I started with Service Provider based SSO for SAML. Since the user had to enter his email before proceeding with the login, a state variable was initiated and passed on to the SSO. It comes back through the callback URL and hence was check again for the sanity purpose. It protected against CSRF attacks.

Now IdP initiated SSO doesn't allow me to set state variable at all. Login starts at Identity Provider and only an auth token is provided to the app. I do not know which user is authenticating from the beginning. If I remove the state variable check, it could trigger a CSRF attack as well.

I am also using omniauth in rails which makes state variable a compulsory param and SSO provider is auth0 .

What is the way to attach state variable to IdP initiated SSO solutions?

1 answers

solution1
 4 ACCPTED  2017-05-17 08:14:23

The de-facto standard value of the RelayState parameter in IDP-init-SSO SAML flows is the URL that you want to send the user to after successful validation of the SAML assertion at the SP. That would work for the vast majority of SAML deployments out there.

However, that mechanism indeed does not protect against CSRF attacks this is why the spec is silent on the value of RelayState in IDP-init-SSO and leaves it open to agree on mechanisms between IDP and SP to prevent CSRF through the value of that parameter. One such mechanism would be to use a signed value in the RelayState but as said, nothing is standardized and it would thus depend on a bi-lateral agreement between IDP and SP which does not scale.

In summary: send the value of the URL that you want the user to go to as the RelayState value in the "unsolicited" SAML Response that you send to the SP. How you get the IDP's SAML stack to do that is implementation specific. For Auth0 you can read on this at: https://auth0.com/docs/protocols/saml/saml-configuration#idp-initiated-sso , and in your case it would look like: https://{accountname}.auth0.com/samlp/YOUR_CLIENT_ID?RelayState=http://FINAL_DESTINATION_URL

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to Configure openam as Identity provider(IdP) to test SAML based SSO WIF SAML 2.0 CTP Identity Provider Initiated SSO How to prevent replay attack in IDP initiated SSO using SAML2 How to process SAML from idp initiated SSO using PHP? SAML reponse difference between SP initiated SSO and IDP initiated SSO IDP initiated SSO for Spring SAML Extension SAML SSO Unsure how a user gets to the protected SP page for IDP initiated SAML IdP-Initiated Web SSO Profile using JAVA and SAML 2.0 Clarification about “WAS supports IdP initiated SAML web SSO only” Hard time with SAML and Identity Provider (IdP)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM