跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(78) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) ChatGPT(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) RAG(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 智能体(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) kafka(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) RAG架构(3) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

Source: PixBay

SAML protocol continues to be one of the most used authentication protocols even after almost two decades since the initial release. Although now, some big players in the industry have started to transition to the latest Oauth2 and OpenID Connect. SAML 2.0 still remains the de facto standard for enterprise single sign-on.

SAML 1.0 was adopted as an OASIS standard in November 2002 followed by SAML 1.1 in September 2003 and SAML 2.0 in March 2005 . SAML 2.0 remains adopted industry-wide even today.

At some point in time, every organization needs to protect its services and resources from public access. The way to do it is using Single sign-on service which puts a layer of authentication in front of services by integrating with an Identity Provider. Too many new words?

What is Single Sign-on?

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.

Means you can sign-in once into your google account (or some other) and use the same account in multiple different services which are not owned by Google, without entering username and password again. Here the services put their trust in the authentication system provided by Google.

What is an Identity Provider (IDP)?

Identity provider offers user authentication as a service. In simple words, you can add and manage your user accounts, groups in an Identity Provider which gives you a way to authenticate your users while accessing any of your services.

So how does it happen?

Some redirects are omitted for the sake of simplicity

In summary, whenever a user tries to access a website (or a resource) provided by a service provider, the service provider checks whether the user has a valid session with it.

  • If the session is present then service provider returns the resource directly
  • If the session is not present, the Service provider redirects to the IDP login page with a bundled SAML request.
  • User puts his credentials on the login page after which IDP redirects back to the service provider with a signed SAML assertion.
  • The service provider validates assertion source by verifying the signature and finally gives the user access to the resource along with a temporary session.

That was a lot to process, mostly because SAML request and assertion are just jargons which we don't understand. Let's dig into these to understand further

SAML Request

SAML Request contains information about the service provider which is trying to get authentication done with IDP. IDP may use this info to verify whether the request is coming from the right source or not.

SAML Assertion

SAML assertion is generated by Identity Provider after the User has successfully signed in.

Assertion contains information about the authenticated user like his email address, department, or any other claims. Since it's signed by the Identity Provider, it acts as a certificate for the user claiming the resource.

The service provider is already aware of the Identity Provider, it can verify the signature applied on the assertion and accept the information present in the assertion.

Ok, that's enough theory, let's do some coding.

To make it easy, there is already a Golang library available implemented by crewjam. So you don't need to get into protocol level details of integrating SAML in your service.

package main

import (
    "crypto/rsa"
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "net/http"
    "net/url"

    "github.com/crewjam/saml/samlsp"
)
var metdataurl="https://youridp.com/metadata"  //Metadata of the IDP
var sessioncert="./sessioncert"   //Key pair used for creating a signed session
var sessionkey="./sessionkey"
var serverkey="./serverkey"  //Server TLS 
var servercert="./servercert"
var serverurl="https://localhost"  // base url of this service
var entityId=serverurl     //Entity ID uniquely identifies your service for IDP (does not have to be server url)
var listenAddr="0.0.0.0:443"
func hello(w http.ResponseWriter, r *http.Request) {
    s := samlsp.SessionFromContext(r.Context())
    if s == nil {
        return
    }
    sa, ok := s.(samlsp.SessionWithAttributes)
    if !ok {
        return
    }

    fmt.Fprintf(w, "Token contents, %+v!", sa.GetAttributes())
}

func main() {
    keyPair, err := tls.LoadX509KeyPair(sessioncert,sessionkey)
    panicIfError(err)
    keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
    panicIfError(err)
    idpMetadataURL, err := url.Parse(metdataurl)
    panicIfError(err)
    rootURL, err := url.Parse(serverurl)
    panicIfError(err)
    samlSP, _ := samlsp.New(samlsp.Options{
        URL:            *rootURL,
        Key:            keyPair.PrivateKey.(*rsa.PrivateKey),
        Certificate:    keyPair.Leaf,
        IDPMetadataURL: idpMetadataURL,  // you can also have Metadata XML instead of URL
        EntityID:         entityId,
    })
    app := http.HandlerFunc(hello)
    http.Handle("/hello", samlSP.RequireAccount(app))
    http.Handle("/saml/", samlSP)
    panicIfError(http.ListenAndServeTLS(listenAddr,servercert,serverkey, nil))
}
func panicIfError(err error){
    if err!=nil{
        panic(err)
    }
}
Simple server with SAML auth

This looks fairly easy, you just need to configure it once, then there is no need to care about session management at all. The library does all the handling for you.

Running the program with Azure AD gives the following output

Token contents, 
map[
http://schemas.microsoft.com/claims/authnmethodsreferences:[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password] http://schemas.microsoft.com/identity/claims/displayname:[arpit] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:[arpit] 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:[arpit@testdomain.onmicrosoft.com] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:[Khurana]]

For each identity provider, like Azure, Gsuite, Okta or any other, you will need to configure some parameters

  • Reply URL: This is the URL where Identity Provider will send the assertion. The allowed value has to be configured in the Identity Provider. Value: serverurl/saml/acs Example: https://localhost/saml/acs
  • Entity ID: This ID works uniquely identifies Service Provider in the eyes of the Identity provider. It is sent to IDP in each SAML request for validation. Value: any URL which is not already configured Example: https://localhost
  • Metadata: We need metadata URL in our service to get details of the Identity Provider like login page URL and signing certificate for assertion verification etc. Metadata URL is not supported by all Identity providers, some providers may give a metadata file.

IDP configuration is out of scope for this article. I have added few links for configuring major IDPs in the appendix.

Appendix

Setting up IDP configuration