Authentication plays a vital role in cloud-based applications. Nowadays users are not interested in memorising a separate password for each cloud application, and nobody wants their password stored in the application platform. To overcome this, any application implemented to support SAML-based authentication can be configured with any SAML-based IDP (Identity Provider).
There are many cloud IDPs (Salesforce, PingOne, OneLogin, etc.) and hosted IDPs (OpenAM, Open Select, Shibboleth, etc.). Applications authenticate with the above IDPs using SAML.
SAML authentication involves the following three entities:
- Service Provider
- Client
- Identity Provider
Security Assertion Markup Language (SAML) is an XML standard
that allows secure web domains to exchange user authentication and
authorization data. Using SAML, an online service provider can contact a
separate online identity provider to authenticate users who are trying to
access secure content. There are three major components for SAML
authentication.
(a) Client (Users)
This is the user who logs in to any cloud application.
(b) Identity Provider (IDP)
An Identity Provider is responsible for:
I. Providing identifiers for users looking to interact with a system.
II. Asserting to such a system that an identifier presented by a user is known to the provider.
III. Possibly providing other information about the user that is known to the provider.
IV. Acting as a trusted provider that lets you use single sign-on to access other websites.
(c) Service Provider (SP)
In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision – in other words it can decide whether to perform some service for the connected principal.
To configure SAML authentication we need to set things up in both the Identity Provider and the Service Provider:
1) We should have the Service Provider metadata, i.e. our application's data, to register in the Identity Provider.
2) We should register the SP in the Identity Provider; the Identity Provider's documentation describes how to do the registration. We also need to get the IDP metadata to register the IDP in our application (SP).
3) In our application we should register the IDP with the IDP metadata.
After configuring SAML authentication we need to verify the following test cases:
- Login: Users should be able to log in to their application using the configured IDP's password (Salesforce credentials).
- Logout: Users should be navigated to the configured logout page or the IDP's logout page.
- Change password: Users should be able to change their IDP password from the SP, and the change should take effect in the IDP system, and vice versa.
- Session Management: Login session management should respect both the IDP's and the SP's session timeouts.
- SSO support: If the user already has a session in the IDP, or in another SP that uses the same IDP, they should not be asked for credentials again to log in to the application.
- Forgot Password: The forgot-password page is maintained by the IDP only.