Sunday, January 27, 2019

SAML Token – With Self Signed Certificate


SAML is nicely explained on various internet sites and in YouTube videos, so my job here is to help you understand it with a simple example of generating a SAML token with a self-signed certificate.

So let's start by recalling the need for SAML, which will help you recollect your previous knowledge of SAML, or fill an empty brain with a basic understanding...

So let’s imagine the below system:

Scenario 1

There's a CRM system consisting of multiple applications, and an employee of the company wants to connect to one of the apps. The CRM has a big database which validates whether the user has logged in with the right credentials and, if so, grants access to the application. Simple, isn't it?
But here is the problem for the different entities involved:

Problem of the company's admin – Oh! An employee left the company. I have to make sure he has no more access to the company's different applications in the CRM (he might have access to the social media applications). My routine job:
  1. Go to the CRM and check what applications the user has access to. Maybe the admin does not even have direct access to the CRM database?
  2. Set the flag to "no access" for the company's applications.
  3. Set the flag for some applications to read-only in case of a role change.
  4. Etc., etc.


Problem of the employee – Damn! I have to remember a hell of a lot of usernames and passwords. Can someone really phish my account?

Problem of the CRM admin – Ah! The population is increasing day by day, and so is my database. I am tired of maintaining it.


Got an IDEA - Single Sign-On, or Internet SSO.

Here are different SSO configurations:
    • Kerberos-based.
    • Smart-card-based.
    • Integrated Windows Authentication.
    • Security Assertion Markup Language.
    • Mobile devices as access credentials.

And there are different ways of implementing it. (Believe me, it's a never-ending ocean... so we will see later :P) Now let's talk about SAML and SAML tokens.

What is SAML?
➤ Security Assertion Markup Language: a secure, XML-based communication mechanism, basically used for communicating identities between organizations.

Per Wiki - 
➤ SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions.

HOW does SAML help further?

1. Security - saves one from identity theft and phishing by eliminating the repeated logins over the internet with different credentials for different applications.

2. Access - the user no longer has to type in a password. They just click on the app link and simply get into the application. Interesting?

3. Administrator work - no need to reset lost passwords, no help desk work.

Okay, enough of theory. Just tell me how to generate a SAML token -

To generate a SAML token you need a certificate from a certificate authority (CA), or you may generate a self-signed certificate. There are different ways of generating a self-signed certificate; here I have used a PowerShell command to get one. The SAML token I have generated is signed with this self-signed certificate.

Run PowerShell as an administrator and type the command below with the desired parameters -

New-SelfSignedCertificate -Type Custom -Provider "Microsoft RSA SChannel Cryptographic Provider" -Subject "CN=CSNB0466.ap.mydomain.local" -KeyExportPolicy Exportable -KeySpec KeyExchange  -KeyUsage DigitalSignature -KeyAlgorithm RSA -HashAlgorithm sha256 -KeyLength 4096 -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "X509_Latest"


to specify more parameters.


This will generate the self-signed certificate in the store (Run -> MMC -> Add snap-ins -> Certificates -> Computer Account -> Local Computer -> OK).
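Before building a token it is worth confirming, from code, that the certificate the PowerShell command put in Cert:\LocalMachine\My is really the one you expect and can sign. The following is an added example, not the post's own code: it looks the certificate up either by thumbprint or by the serial number plus issuer pair the post uses, then checks the properties the command requested (private key present, RSA key of at least 2048 bits, sha256RSA, DigitalSignature key usage, currently valid). The class and method names are mine, and it assumes .NET Framework 4.6 or later (for GetRSAPrivateKey) running with rights to read the LocalMachine store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's own code: find the certificate created by
// New-SelfSignedCertificate in Cert:\LocalMachine\My and check that it is fit to sign with.
public static class SigningCertificateLookup
{
    // OID for sha256WithRSAEncryption, the signature algorithm the PowerShell command requested.
    private const string Sha256RsaOid = "1.2.840.113549.1.1.11";

    // Lookup by thumbprint. A thumbprint copied out of the MMC certificate dialog often carries
    // spaces and an invisible left-to-right mark (U+200E); strip both or Find() returns nothing.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        string clean = new string(thumbprint.Where(c => !char.IsWhiteSpace(c) && c != '\u200E').ToArray());
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, otherwise a self-signed certificate that no CA trusts is filtered out
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + clean);
            return found[0];
        }
    }

    // Lookup by serial number plus issuer, the pair the post passes as CertificateSerial/CertificateIssuer.
    // Serial numbers are only unique per issuer, so both values are needed to pick one certificate.
    public static X509Certificate2 FindBySerialAndIssuer(string serialHex, string issuerCn)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection bySerial = store.Certificates.Find(X509FindType.FindBySerialNumber, serialHex, false);
            foreach (X509Certificate2 cert in bySerial)
            {
                // forIssuer: true reads the CN out of the Issuer field rather than the Subject field
                string issuer = cert.GetNameInfo(X509NameType.SimpleName, true);
                if (string.Equals(issuer, issuerCn, StringComparison.OrdinalIgnoreCase))
                    return cert;
            }
            throw new InvalidOperationException(
                "No certificate with serial " + serialHex + " issued by " + issuerCn);
        }
    }

    // Fail early if the certificate cannot produce the signature the SAML token needs.
    public static void EnsureUsableForSigning(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key in the store");

        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now >= cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Certificate is outside its validity period");

        if (cert.SignatureAlgorithm.Value != Sha256RsaOid)
            throw new InvalidOperationException("Expected sha256RSA, got " + cert.SignatureAlgorithm.FriendlyName);

        // -KeyUsage DigitalSignature: reject a certificate that is only marked for key exchange.
        X509KeyUsageExtension usage = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (usage != null && (usage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == 0)
            throw new InvalidOperationException("KeyUsage extension lacks DigitalSignature");

        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Private key is not RSA");
            if (rsa.KeySize < 2048)
                throw new InvalidOperationException("RSA key too short: " + rsa.KeySize + " bits");
        }
    }
}
```

Call `EnsureUsableForSigning` on whatever `FindByThumbprint` or `FindBySerialAndIssuer` returns before handing the certificate to the token code; an expired certificate or a missing private key otherwise only surfaces as an opaque CryptographicException at signing time.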



Once you have the certificate, you are all set to generate a SAML token and sign it.

So here is my .NET code -

Note - The thumbprint uniquely identifies a certificate; alternatively, the combination of serial number and issuer distinguishes it.

So let's say you have your serial number and issuer and some other parameters to pass as input -

                // Input values for the token. The surrounding class and method are not shown on
                // the page, so an anonymous object keeps this fragment compilable as-is.
                var tokenInput = new
                {
                    CertificateIssuer = "CSNB0466.ap.mydomain.local",                    // issuer CN of the signing certificate (equals -Subject, since it is self-signed)
                    CertificateSerial = "13cabac0deffd69146f5fe0c1863f7de",              // serial number, unique only per issuer
                    ServiceProviderNameQualifier = "http://localhost:8080/Portal/Local/", // SP entityID: SPNameQualifier of the NameID and the Audience
                    SubjectId = "2299091d61e8d9e43cc1e26abf7fe769f1991f8e",              // NameID value for the user
                    SubjectNameQualifer = "https://idp.fpehealth.rzv.de/idp/shibboleth",  // IdP entityID: NameQualifier of the NameID and the Issuer
                    SubjectRole = "Physician",                                             // role attribute carried in the assertion
                    TokenRecipientUrl = "http://localhost:8080/Portal/"                    // Recipient in SubjectConfirmationData
                };
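The post's own token code is not reproduced on the page, so here is an added example of what the step looks like with the System.IdentityModel classes of the .NET Framework: it takes the input values above, builds a SAML 2.0 assertion (Issuer, persistent NameID with both qualifiers, bearer SubjectConfirmation bound to the recipient URL, Conditions with an AudienceRestriction, AuthnStatement and a Role attribute) and signs it with the self-signed certificate's RSA key as an enveloped XML signature with RSA-SHA256. The class and method names, the "Role" attribute name, the five-minute validity window and the `<THUMBPRINT>` placeholder are my assumptions; the example assumes .NET Framework 4.6.2 or later with System.IdentityModel referenced, and that the certificate has already been loaded from Cert:\LocalMachine\My.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

// Added example, not the post's own code: build and sign a SAML 2.0 assertion
// with System.IdentityModel from the input values shown on the page.
public static class SamlTokenBuilder
{
    // NameID format and authentication-context class from the SAML 2.0 core specification.
    private static readonly Uri PersistentFormat = new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
    private static readonly Uri PasswordOverTls = new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

    public static string BuildSignedAssertion(
        X509Certificate2 signingCert,
        string subjectId,            // SubjectId
        string subjectNameQualifier, // SubjectNameQualifer: IdP entityID, also used as <Issuer>
        string spNameQualifier,      // ServiceProviderNameQualifier: SP entityID, also the Audience
        string subjectRole,          // SubjectRole
        string recipientUrl)         // TokenRecipientUrl
    {
        DateTime now = DateTime.UtcNow;

        // <saml:Issuer>: the IdP that vouches for this subject.
        var assertion = new Saml2Assertion(new Saml2NameIdentifier(subjectNameQualifier));

        // <saml:Subject>: persistent NameID scoped by IdP (NameQualifier) and SP (SPNameQualifier).
        var nameId = new Saml2NameIdentifier(subjectId, PersistentFormat)
        {
            NameQualifier = subjectNameQualifier,
            SPNameQualifier = spNameQualifier
        };
        var subject = new Saml2Subject(nameId);
        // Bearer confirmation bound to the Recipient plus a short expiry, so the token is only
        // accepted at the portal URL it was issued for and only for a few minutes.
        subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer)
        {
            SubjectConfirmationData = new Saml2SubjectConfirmationData
            {
                Recipient = new Uri(recipientUrl),
                NotOnOrAfter = now.AddMinutes(5)
            }
        });
        assertion.Subject = subject;

        // <saml:Conditions>: validity window and AudienceRestriction, so a token minted for this SP
        // is rejected if replayed at another SP.
        assertion.Conditions = new Saml2Conditions
        {
            NotBefore = now.AddMinutes(-1), // small allowance for clock skew between IdP and SP
            NotOnOrAfter = now.AddMinutes(5)
        };
        assertion.Conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(spNameQualifier)));

        // <saml:AuthnStatement>: how and when the user authenticated at the IdP.
        assertion.Statements.Add(new Saml2AuthenticationStatement(new Saml2AuthenticationContext(PasswordOverTls))
        {
            AuthenticationInstant = now
        });

        // <saml:AttributeStatement>: the role the portal authorizes on (e.g. "Physician").
        assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute("Role", subjectRole)));

        // Sign the assertion with the certificate's private key (RSA-SHA256, SHA-256 digests);
        // the handler emits the enveloped <ds:Signature> with a <ds:KeyInfo> for the certificate.
        assertion.SigningCredentials = new X509SigningCredentials(
            signingCert, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);

        var handler = new Saml2SecurityTokenHandler();
        var xml = new StringBuilder();
        using (XmlWriter writer = XmlWriter.Create(xml, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handler.WriteToken(writer, new Saml2SecurityToken(assertion));
        }
        return xml.ToString();
    }

    // Usage with the values from the post. "<THUMBPRINT>" is a placeholder for a value the post
    // does not show; the certificate is loaded from Cert:\LocalMachine\My.
    public static void Main()
    {
        X509Certificate2 cert;
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<THUMBPRINT>", false)[0];
        }
        string token = BuildSignedAssertion(cert,
            "2299091d61e8d9e43cc1e26abf7fe769f1991f8e",
            "https://idp.fpehealth.rzv.de/idp/shibboleth",
            "http://localhost:8080/Portal/Local/",
            "Physician",
            "http://localhost:8080/Portal/");
        Console.WriteLine(token);
    }
}
```

The output is the `<saml:Assertion>` element with its signature; wrap it in a `<samlp:Response>` (or a WS-Trust envelope) as the receiving portal expects. Because the certificate is self-signed, the service provider has to be configured to trust exactly this certificate (by thumbprint or by importing the public part), since no chain validation can vouch for it. If signing fails with a CryptographicException reading "Invalid algorithm specified", the usual cause is that the legacy CSP holding the private key does not support SHA-256 signing; re-issuing the certificate with a provider that does (for example "Microsoft Enhanced RSA and AES Cryptographic Provider") resolves it.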