User Authentication in concert with SAML assertions

By: Zach Tubb user 10 Aug 2017 at 3:12 p.m. CDT

4 Responses
Zach Tubb gravatar
We have stood up a Gluu server to use for SSO for a variety of applications. We have successfully integrated SAML authentication with one of apps but are unclear how to perform user authentication in Gluu. Currently the flow goes something like: 1. User hits app url 2. User is redirected to Gluu login page 3. User authenticates with Gluu user credentials 4. If successful, user is redirected back to app and logged in there. We want to discriminate users between steps 3 and 4. We see the ability to add/edit user groups within the Gluu admin console but don't see any way to discriminate SAML assertions based on group or other user property. Does Gluu come with this capability? We don't have an external AD or LDAP we are using. We are just using the internal Gluu OLDAP implementation.
CentOS72
closed

Answers

By Aliaksandr Samuseu staff 10 Aug 2017 at 4:58 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Zach. You'll need to clarify a bit what do you mean by "discrimination" here. It seems you are looking for some kind of authorization capabilities. Like, depending on user, it should, or should not respond with success, or may be it should send different set of attributes. Is it what you have in mind? When it comes to SAML, Gluu doesn't offer any easy-to-use authorization options. You need to do all access rights' checks at your SP, based on the response from Gluu. It's surely possible to configure Shibboleth IdP (which is used by Gluu for SAML-related things internally) to do some kind of authorization, but it will require to edit its config files on disk (no web UI support), and such things are not covered by Community support. You can try Shibboleth docs/forums for details. Those groups you may see are used mainly with [UMA](https://gluu.org/docs/ce/3.0.2/admin-guide/uma/) flows. So, in short, if you need Gluu to handle authorization, it's recommended to use UMA (you can use oxd server, our other product, to add UMA capabilities to app you want to protect), or try to reconfigure Shib IdP, if you have to use SAML.

By Zach Tubb user 10 Aug 2017 at 5:19 p.m. CDT

Copy
Zach Tubb gravatar
Ok, yes it seems the best practice is to use the SP as the authorization authority (correct me if I'm wrong on that). So what would be the recommended way to modify local Gluu users to pass along an identifying attribute to the SP so that it can make a decision on user access?

By Aliaksandr Samuseu staff 10 Aug 2017 at 5:53 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
>yes it seems the best practice is to use the SP as the authorization authority (correct me if I'm wrong on that) It's usually like this, correct. Unless you have some special requirements. >So what would be the recommended way to modify local Gluu users to pass along an identifying attribute to the SP so that it can make a decision on user access? Not sure I can fully see your intentions currently. May be you could provide detailed step-by-step of algorithm you want to implement? At the moment, when it comes to SAML, administrator web UI will allow you to create Trust Relationship with your intended SP, and specify a list of attributes you wish to release to it. Then any user sent to Gluu from this SP, if authenticated successfully, will be sent back to SP with SAML response containing all these attributes. Anything else will require to edit Shib's configuration files on disk. There are more options to control what is returned to requester if OpenID Connect is used, but for SAML that's it.

By Michael Schwartz Account Admin 10 Aug 2017 at 9:16 p.m. CDT

Copy
Michael Schwartz gravatar
You should schedule a meeting at http://gluu.org/booking and we can discuss your options. Alex is correct that OAuth is better for centralized policy management. If you stuck with SAML, you have to make the app smarter. Or perhaps use a proxy.

Post an answer