ComponentSpace

Forums



Authorization Claims?


Authorization Claims?

Author
Message
jwoodie
jwoodie
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 9, Visits: 18
I've been using Saml2 for a while for strictly SP-based Authentication with great success, for an app that handled all issues of authorization within the app itself.  Now I have a client that wants to use Saml-based SSO for their app, where the IdP will be an ADFS backend, and they want to use their AD group membership for authorization, so the app has no knowledge of, or need, for authorization or any built in users.

Does this mean that the assertion should or should not reflect this group membership?  Should the assertion simply fail to return any claims if the authenticating users does not have the necessary group membership, causing the authentication request to fail on the SP side?  Or can/should that group membership in question be sent back as a claim in the assertion, interpreted by the SP and dealt with there?  It seems like both options should be possible, but I don't see any discussion here about the available or preferable options for dealing with authorization specifically.

Thanks for any insight.


Jeff
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Hi Jeff,

There is no single right answer to this and it really comes down to the business requirements. The most common approach is for the identity provider to send the role or group membership information as a SAML attribute in the SAML assertion. This would then be used by the service provider when making authorization decisions.

For ADFS, a claim rule would map the user's group membership to a SAML attribute. Your SP application is then free to use this information however makes sense for you.

Regards
ComponentSpace Development
jwoodie
jwoodie
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 9, Visits: 18
ComponentSpace - 6/17/2020
Hi Jeff,

There is no single right answer to this and it really comes down to the business requirements. The most common approach is for the identity provider to send the role or group membership information as a SAML attribute in the SAML assertion. This would then be used by the service provider when making authorization decisions.

For ADFS, a claim rule would map the user's group membership to a SAML attribute. Your SP application is then free to use this information however makes sense for you.

Thank you for the reply - can you point me toward an example of this?  I must be searching using the wrong terms, because I haven't seen anything in the docs or example projects, even though sending attibutes with AD claims like this seems very normal.  I think I'm just using the wrong terminology.

Jeff
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
We don't have any specific examples of handling a group membership SAML attribute. Normally the authentication/authorization through SAML SSO is mapped by the SP into its existing model.

How do you currently handle authorization for users who login rather than using SAML SSO?

Can you map the group membership SAML attribute into your existing authorization model when the user SSOs?

Regards
ComponentSpace Development
jwoodie
jwoodie
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 9, Visits: 18
ComponentSpace - 6/17/2020
We don't have any specific examples of handling a group membership SAML attribute. Normally the authentication/authorization through SAML SSO is mapped by the SP into its existing model.

How do you currently handle authorization for users who login rather than using SAML SSO?

Can you map the group membership SAML attribute into your existing authorization model when the user SSOs?

The app is currently internal-only and has no authentication.  We are looking to overlay the cleanest, simplest SSO solution possible, with the fewest number of changes.  If the lack of group AD membership will just make the SSO assertion fail, that is simple.  If not, then I'll add the Group membership attribute to the assertion and deal with it on the app side, but it would be nice to have an example of what that will look like in the assertion and how to grab that value.  


Jeff
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Hi Jeff,

We don't perform any checks for specific SAML attributes etc expected by the application. Our API handles the SAML SSO protocol and returns the SAML subject/NameID and SAML attributes to the application to use as required. If the AD group membership isn't included as a SAML attribute in the SAML assertion, this doesn't fail the SSO. However, if your application requires this particular SAML attribute and it's missing, your application can handle this in the appropriate manner.

The AD group membership will be returned as a SAML attribute. The name of this attribute will be dependent on how the claim rule is configured in ADFS.

The following code demonstrates calling SAMLServiceProvider.ReceiveSSO to receive and process the SAML response which includes the SAML assertion.

It also includes some code demonstrating one way to check for a group membership attribute and then if the user belongs to a specific group.  


// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
bool isInResponseTo;
string partnerName;
string authnContext;
string userName;
SAMLAttribute[] attributes;
string relayState;

SAMLServiceProvider.ReceiveSSO(
  Request,
  out isInResponseTo,
  out partnerName,
  out authnContext,
  out userName,
  out attributes,
  out relayState);


var samlAttribute = attributes.SingleOrDefault(a => a.Name == "GroupMembership");

if (samlAttribute != null)
{
  // Check for a particluar group
  var samlAttributeValue = samlAttribute.Values.SingleOrDefault(a => a.Data.ToString() == "MyGroup");

  if (samlAttributeValue != null)
  {
   // Handle belonging to this group.
  }
  else
  {
   // Handle not belonging to this group.
  }
}
else
{
  // Handle missing group membership information.
}




Regards
ComponentSpace Development
jwoodie
jwoodie
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 9, Visits: 18
ComponentSpace - 6/17/2020
Hi Jeff,

We don't perform any checks for specific SAML attributes etc expected by the application. Our API handles the SAML SSO protocol and returns the SAML subject/NameID and SAML attributes to the application to use as required. If the AD group membership isn't included as a SAML attribute in the SAML assertion, this doesn't fail the SSO. However, if your application requires this particular SAML attribute and it's missing, your application can handle this in the appropriate manner.

The AD group membership will be returned as a SAML attribute. The name of this attribute will be dependent on how the claim rule is configured in ADFS.

The following code demonstrates calling SAMLServiceProvider.ReceiveSSO to receive and process the SAML response which includes the SAML assertion.

It also includes some code demonstrating one way to check for a group membership attribute and then if the user belongs to a specific group.  


// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
bool isInResponseTo;
string partnerName;
string authnContext;
string userName;
SAMLAttribute[] attributes;
string relayState;

SAMLServiceProvider.ReceiveSSO(
  Request,
  out isInResponseTo,
  out partnerName,
  out authnContext,
  out userName,
  out attributes,
  out relayState);


var samlAttribute = attributes.SingleOrDefault(a => a.Name == "GroupMembership");

if (samlAttribute != null)
{
  // Check for a particluar group
  var samlAttributeValue = samlAttribute.Values.SingleOrDefault(a => a.Data.ToString() == "MyGroup");

  if (samlAttributeValue != null)
  {
   // Handle belonging to this group.
  }
  else
  {
   // Handle not belonging to this group.
  }
}
else
{
  // Handle missing group membership information.
}



Thank you very much, this will give me a good start.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
You're welcome.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search