If users log in to the cloud with FIDO2, they can sign on (SSO) to web applications without any additional authentication. Passwordless SSO must be adopted for this purpose. SAML is the most useful protocol for it today, making use of PKI (Public Key Infrastructure) technology. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data, or simply ID federation, between an identity provider (IdP) and a service provider (SP). By use of SAML, users can perform Single Sign-On (SSO) from the IdP to an SP without additional authentication or login at the SP. The SP is then said to be ID-federated from the IdP.
SSO Symbolic Diagram (IdP ----> SP)
In order to express ID federation between SP and IdP, the federation arrow is drawn from IdP to SP, since the IdP plays the important role of authenticating the user, while the SP relies on the IdP's authentication.
SP-initiated SSO
There are two primary types of SAML SSO, SP-initiated and IdP-initiated. When a user tries to log in to the SP, the SP obtains the authentication from the IdP to grant authorization to the user instead of performing its own authentication. In this way, the user can log in to the SP without any further authentication if the user has already been authenticated by the IdP.
IdP-initiated SSO
In IdP-initiated SSO, the user logs in to the IdP site first. In the Azure AD case, there is an access site that lists all the federated apps. The user can click one of the app icons to log in to that app. In the IdP-initiated case, no further authentication is needed because of the ID federation with the listed apps. Because the SSO is based on SAML, the SAML protocol works behind the login to the apps and users achieve SSO to them.
SP-initiated SSO (from IdP to SP)
(Note)
- An "Assertion Token" is usually transferred from IdP to SP to convey the IdP's authentication, attributes, and authorization of the user. Assertions contain statements that the SP uses to make access-control decisions. An authentication statement is one of these; it asserts to the SP that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. The Assertion Token is verified by the SP using the IdP public key attached in the IdP certificate, and the SP then starts to provide service.
- "SAML Metadata" defines an XML schema for expressing IdP and SP information (endpoint URLs for receiving messages, bindings to be used, etc.). It can be used to build a trust relationship between IdP and SP.
- The "IdP certificate", issued by a certificate authority or by the IdP itself, provides the IdP public key used to verify the signature on the Assertion Token sent from IdP to SP.
SAML Protocol (SP-initiated SSO)
① The user accesses the remote SP using a link on an intranet, a bookmark, or similar, and the application loads.
② The SP identifies the user's origin and redirects the user to the IdP with an authentication request.
③ The user either has an existing active browser session with the IdP or establishes one by logging in to the IdP.
④ The IdP builds the authentication response in the form of an "Assertion security token", an XML document containing the user's username or email address, signs it using an X.509 certificate, and posts the security token to the SP. The SP verifies the Assertion token with the public key in the IdP certificate, which has been sent in advance.
⑤ The identity of the user is established and the user is provided with SP access.
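The checks an SP performs at step ④ on the statements inside the assertion, as an added example that is not part of the original page: it assumes the enveloped XML signature has already been verified against the IdP certificate (for instance with an XML-DSig library) and then checks Issuer, validity window, audience, InResponseTo/Recipient and the presence of an AuthnStatement before the SP grants access. The entity IDs, ACS URL and the sample Response are constructed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SP configuration and the IdP entityID taken from its metadata (hypothetical values).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"

def parse_saml_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC with a 'Z'

def validate_assertion(response_xml, outstanding_request_id, now=None):
    """Return the NameID of the authenticated principal or raise ValueError naming the failed check.
    The enveloped XML signature must already have been verified against the IdP certificate."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if a is None:
        raise ValueError("Response carries no Assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:   # issued by the IdP we federate with
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)                              # validity window of the assertion
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")       # audience restriction
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != outstanding_request_id or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("InResponseTo or Recipient does not match our AuthnRequest")
    if a.find("saml:AuthnStatement", NS) is None:                     # the authentication statement itself
        raise ValueError("no AuthnStatement")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample Response (Signature element omitted); SAMPLE_NOW lies inside its validity window.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"><saml:Assertion ID="_a1"
 Version="2.0" IssueInstant="2024-01-01T12:00:00Z"><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation
 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_req42"
 Recipient="https://sp.example.com/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-01-01T11:59:00Z"/>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_RESPONSE, "_req42", SAMPLE_NOW))  # alice@example.com
```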
X.509 certificate
X.509 is a standard defining the format of public key certificates. An X.509 certificate contains
- a public key
- an identity
- the signature of a certificate authority, or a self-signature
where the attached public key is used for cryptographic operations paired with the corresponding private key. In SAML, the certificate is sent from IdP to SP, where the attached public key is proved to be correct by verifying the certificate's signature with the corresponding public key of the certificate authority, which has been sent in advance by the certificate authority.