Security Resource Hub
Identity and Access Management

Topic 3: SAML / OAuth / OIDC

Complete & Continue Next Lesson Learn More

Working with SAML (Security Assertion Markup Language)

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). It enables single sign-on (SSO) and federated identity management in distributed computing environments.

  • Authentication Request: The process begins when a user attempts to access a service or application hosted by a service provider (SP). Since the user is not authenticated, the SP initiates an authentication request to the identity provider (IdP), where the user's identity is managed.

  • SAML Request: The SP generates a SAML authentication request, which includes metadata about the requested service, the user's identity, and other relevant information. The request is encoded as a SAML protocol message and sent to the IdP's SAML endpoint using the HTTP POST or HTTP Redirect binding.

  • User Authentication: Upon receiving the SAML request, the IdP prompts the user to authenticate using their credentials (e.g., username and password, MFA). The IdP verifies the user's identity and credentials against its identity store (e.g., LDAP, Active Directory) and authenticates the user.

  • SAML Response: After successful authentication, the IdP generates a SAML response containing an assertion (also known as an authentication assertion). The assertion includes information about the user's identity, authentication status, attributes, and other security-related details. The IdP digitally signs the assertion to ensure its integrity and authenticity.

  • SAML Assertion Delivery: The IdP sends the SAML response containing the assertion back to the SP using the same binding (HTTP POST or HTTP Redirect) as the authentication request. The SAML response is transmitted over the existing user-agent (e.g., a web browser) session between the user and the SP.

  • Assertion Verification: Upon receiving the SAML response, the SP verifies the digital signature on the assertion to ensure its integrity and authenticity. The SP also validates the SAML response against the request to ensure it matches the expected parameters and prevents replay attacks.

  • User Access Granted: If the SAML assertion is valid and trusted, the SP grants access to the requested service or application to the user. The user is now authenticated and authorized to access the protected resources hosted by the SP.

SAML enables secure and seamless authentication and authorization by facilitating the exchange of authentication and authorization data between identity providers (IdPs) and service providers (SPs) using XML-based SAML assertions. This allows users to access multiple services and applications with a single set of credentials while maintaining security and privacy.

Working with O-Auth

OAuth (Open Authorization) is an open standard protocol that allows users to grant third-party applications restricted access to their resources without sharing their credentials directly.

Participants

  • Resource Owner (User): Can grant access to its protected resources. Typically, this is the end-user.

  • Client: An application requesting access to protected resources on behalf of the resource owner.

  • Authorization Server: Authenticates the resource owner and issues access tokens after successful authorization.

  • Resource Server: The server hosts the protected resources that the client wants to access.

Workflow

  • Authorization Request: The client initiates the OAuth process by redirecting the resource owner to the authorization server's endpoint. The client includes its client ID, requested scope (permissions), and redirect URI in the authorization request.

  • Authorization Grant: The resource owner authenticates with the authorization server and approves the client's access request. The authorization server validates the resource owner's credentials and consent and generates an authorization grant.

  • Access Token Request: The client sends an access token request to the authorization server's token endpoint, including the authorization grant obtained in the previous step. The client authenticates to the authorization server using client credentials (client ID and client secret).

  • Access Token Issuance: The authorization server verifies the authorization grant and issues an access token if the grant is valid. The access token represents the client's authorization to access the requested resources on behalf of the resource owner.

  • Accessing Protected Resources: The client offers the access token to the resource server when requesting access to protected resources. The resource server validates the access token and grants access to the requested resources if the token is valid and authorized.

  • Token Expiration and Refresh: Access tokens are typically short-lived and have an expiration time to mitigate security risks. If an access token expires, the client can use a refresh token (if provided) to obtain a new access token without requiring the resource owner's interaction.

OAuth Grant Types

  • Authorization Code Grant: Used by web and mobile applications to obtain access tokens after receiving authorization from the resource owner via the authorization server's authorization endpoint.

  • Implicit Grant: Deprecated due to security concerns and used by client-side applications (e.g., JavaScript) to obtain access tokens directly from the authorization endpoint.

  • Resource Owner Password Credentials Grant: Allows clients to exchange the resource owner's username and password for an access token, typically used for trusted applications.

  • Client Credentials Grant: Allows clients to obtain access tokens using their credentials (client ID and client secret) without involving a resource owner, suitable for server-to-server communication.

OAuth Security Considerations

  • Protect client secrets and access tokens from unauthorized access.

  • Encrypt communications between clients, authorization servers, and resource servers using HTTPS.

  • Validate and secure redirect URIs to prevent open redirect attacks.

  • Implement proper token validation, expiration, and revocation mechanisms to prevent misuse and leakage.

Working with OpenID Connect (OIDC)

OpenID Connect (OIDC) is an authentication layer built on OAuth 2.0. It enables clients (apps) to authenticate users and obtain their identity information securely.

Workflow

  • Client Registration: Clients register with an authorization server to obtain credentials.

  • Authentication Request: Clients redirect users to the authorization server's authentication endpoint.

  • Authentication and Consent: Users authenticate with the authorization server and may grant consent.

  • Token Exchange: Clients exchange an authentication code for an ID token and, optionally, an access token.

  • Token Validation: Clients validate the ID token to ensure its integrity and authenticity.

  • User Information Request: Clients may request additional user information from the UserInfo endpoint.

  • Accessing Protected Resources: Clients use access tokens to access protected resources hosted by the resource server.

OIDC endpoints include the Authorization, Token, and UserInfo endpoints. OIDC supports authentication flows like the Authorization Code, Implicit, and Hybrid flows. Security considerations include protecting client secrets, using HTTPS, implementing proper token validation, and securely managing user identity information.