Question 1: Is there a way in which I can "process" the SAML response and assertion from within the browser to provide offline authentication?
Answer:
No. You can NOT "process" the SAML response and assertion from within the browser to provide offline authentication, because the offline authentication can NOT meet the following two requirements of SAML authentication or SAML identity federation.
(1) SAML is an HTTP-based protocol, which relies on using a user agent (such as a web browser) to redirect SAML request from a SAML Service Provider (SP) to a SAML Identity Provider (IdP) and redirect SAML response from a SAML IdP to a SAML SP.
The browser delivers the SAML response and assertion from the SAML IdP to an Assertion Consumer Service endpoint at the SAML SP of your application.
(2) The SAML SP of your application does not know who the user is until it receives the SAML assertion from the SAML IdP.
Upon receiving the SAML assertion, the SAML SP needs to validate that the assertion comes from a valid SAML IdP and then parse the necessary user information (e.g., username, attributes, etc.) from the assertion so that your application can grant the user access based on the user information carried by the SAML response and extracted by the SAML SP.
Without a SAML SP hosted by your application server, your application can NOT accomplish the SAML authentication.
Question 2: By "offline" I mean without access to my application's server, access to the SAML Identity Provider would be available. This is so because my application is in the cloud and the Identity Provider is in the customer's network.
Answer:
SAML leverages a user agent (such as a web browser) to redirect the SAML request from a SAML Service Provider (SP) to a SAML Identity Provider (IdP) and redirect the SAML response from a SAML IdP to a SAML SP. Therefore, SAML allows your application to be in the cloud while the Identity Provider is in the customer's network.
For example,
I have used the local Shibboleth IdP (a SAML IdP in the customer's network) to log into Amazon AWS admin console (an application in the cloud) successfully, as indicated by my answer to another StackOverflow question, "ExpiredTokenException when I SAML SSO login AWS from my local IdP".
In conclusion, you can use "the Identity Provider in the customer's network" to authenticate "your application in the cloud". However, the SAML SP of your application needs to "process" the SAML response and assertion, validate the signature of the SAML response/assertion and extract the user information from the SAML response/assertion.
In other words, you can NOT rely on a web browser to "process" the SAML response and assertion, because the web browser can NOT store public cert/key of SAML IdP to validate the signature of SAML response/assertion.
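
The processing the answer assigns to the SP's Assertion Consumer Service, as an added example that is not code from the original answer: it takes the `SAMLResponse` form value the browser posts and applies the server-side checks before any user data is trusted. Assumptions: the function names and `example` URLs are made up, the `verify` argument stands for an XML-DSig library check against the IdP certificate stored on the server, and `insecure_demo_verifier` only parses so the sample can run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample response (unsigned, illustrative values only).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://app.example/acs">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Issuer>https://idp.example/idp</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://app.example/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def insecure_demo_verifier(xml_bytes):
    # NOT a verifier: parses only. A real one checks the XML signature against
    # the pinned IdP certificate and returns only the element it verified.
    return ET.fromstring(xml_bytes)

def consume(saml_response_b64, idp_entity_id, sp_entity_id, acs_url, verify, now=None):
    """Run the SP-side checks; return user data or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    resp = verify(base64.b64decode(saml_response_b64))  # signature first
    if resp.get("Destination") != acs_url:
        raise ValueError("response not addressed to this ACS endpoint")
    code = resp.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = resp.find("a:Assertion", NS)
    if assertion is None or assertion.findtext("a:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = assertion.find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different SP")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    return {"name_id": assertion.findtext("a:Subject/a:NameID", namespaces=NS),
            "attributes": attrs}
```
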