This document describes how SAML 2.0 works when used in the Denodo Platform and how it has been implemented.
Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization data between security domains. This protocol is available for REST web services published by Virtual DataPort using the Web Browser SSO Profile, IdP-initiated, with HTTP POST Binding.
[Figure: Sequence diagram of IdP-initiated Web Browser SSO with HTTP POST Binding]
- An Identity Provider (IdP) is a system entity that creates, maintains, and manages identity information for principals. The Identity Provider offers user authentication as a service.
- The Service Provider (SP) is a system entity that receives and accepts authentication assertions, which in this context are the REST web services published by the Denodo Platform.
- The Web Browser SSO Profile is a specific SAML profile in which a user accesses a Service Provider via a web browser. Notice that in this profile the presence of a web browser is mandatory.
- Virtual DataPort uses an IdP-initiated Web Browser SSO approach, which means that the user first accesses the IdP and, once the authentication is successful, the IdP redirects the user to the SP.
- There is another approach in Web Browser SSO: SP-initiated. This is when the user first accesses the login page or restricted resource within the SP and then the SP redirects the user to the IdP with a SAML authentication request. This approach is not implemented in the Denodo Platform.
- HTTP POST Binding means that the SAML response is sent to the SP through a POST request.
SAML 2.0 in Virtual DataPort REST web services
- A user builds a URL to send a request to the Identity Provider (IdP). This URL has to include the service to query.
- When the IdP receives the request, it asks for authentication, so the user has to enter their credentials.
- If the credentials are correct, the IdP redirects the user's browser to a page of the IdP. From this page the user can send a request to a Service Provider; in Denodo's case, this is the published REST web service.
- The user sends a request to the REST web service from this page. This is a POST request that includes a SAML assertion in the body.
- The Identity Provider builds the authentication response in the form of an XML document, signs it using an X.509 certificate and posts this information to the Service Provider.
- The Service Provider, which already knows the Identity Provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint, so the identity of the user is established.
- The REST web service obtains the user name from the "NameID" attribute of the "Subject" of the SAML assertion. It then looks that user up in the Active Directory to obtain the user's roles, which determine what the user is authorized to do.
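The two Service Provider steps above (checking the IdP's signing certificate against the configured fingerprint, then reading the user name from Subject/NameID) as an added, self-contained Python example; this is not Denodo's code. The SAML response, certificate bytes and fingerprint are constructed for the example, and the cryptographic verification of the XML signature itself is assumed to be done by an XML-DSig library and is not implemented here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP's DER-encoded signing certificate (not a real X.509 blob).
IDP_CERT_DER = b"constructed-idp-signing-certificate-der-bytes"
# The fingerprint the SP is configured with: SHA-256 of the DER certificate, lowercase hex.
PINNED_FINGERPRINT = hashlib.sha256(IDP_CERT_DER).hexdigest()

def _response_xml(cert_der: bytes, name_id: str) -> str:
    """Constructed minimal samlp:Response carrying the signing certificate in ds:KeyInfo."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f"<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )

def posted_saml_response(cert_der: bytes = IDP_CERT_DER, name_id: str = "alice") -> str:
    """Value of the SAMLResponse form field: the XML base64-encoded, as in HTTP POST Binding."""
    return base64.b64encode(_response_xml(cert_der, name_id).encode()).decode()

def extract_name_id(saml_response_b64: str, pinned_fingerprint: str) -> str:
    """SP side: reject responses not signed by the pinned IdP certificate, then read Subject/NameID."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("response carries no signing certificate")
    cert_der = base64.b64decode("".join(cert_el.text.split()))
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    if not hmac.compare_digest(fingerprint, pinned_fingerprint):
        raise ValueError("signing certificate does not match the configured fingerprint")
    # ds:SignatureValue must then be verified over the canonicalised XML with an XML-DSig
    # library; that step is assumed here and not implemented.
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip()
```

Pinning the fingerprint means a response signed with any other certificate, even a valid one, is rejected before the user name is ever read.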
Limitations of SAML 2.0 in Virtual DataPort REST web services
The main limitation of using SAML 2.0 with the Web Browser SSO Profile is a consequence of REST being stateless: the server does not store any state about the client session, so each request must contain all of the information necessary to understand it and cannot rely on any context stored on the server. As a result, an IdP-initiated SAML request has to be sent for each access.
Solution Manager SSO
Starting from Denodo 8.0, the Denodo Solution Manager can be integrated with identity providers and provides support for the SAML 2.0 authentication protocol. This option enables Single Sign-On (SSO) capabilities, so once a user logs into Solution Manager, the user can directly access applications such as Data Catalog, Design Studio, etc.