Too detailed! I finally understand what SAML and OIDC are talking about in SSO.

Before understanding what SSO is, we need to understand two concepts: Authentication & Authorization.

Authentication (AuthN, identity verification) is the process of verifying that "you are who you say you are": proving that you really are the user you claim to be. Generally speaking, there are several ways to do this:

Authorization (AuthZ, permission checking) is the process of verifying that "you are allowed to do what you are trying to do": checking whether you have permission for a given action, such as modifying a table. If you do not have permission, the service usually responds with a 403 (Forbidden) status code.

Before SSO existed, a user had to register a separate account on each system and remember several usernames and passwords. If those systems belonged to the same platform, the platform in turn had to maintain several almost identical login systems, a burden for users and platform alike.

SSO is an authentication scheme. It lets a user log in to different systems with the same account, which solves both problems. It is not limited to a single platform either: if a system outside the platform trusts the platform, that external system can integrate with the platform's SSO as well. Most websites today offer "Log in with Google", which is exactly this.

To implement SSO, the system you are developing first has to trust the user information supplied by the third-party login system, and then integrate with it according to an agreed standard or protocol. Next we introduce the two most commonly used SSO protocols: SAML 2.0 and OIDC.

What is SAML 2.0

SAML stands for Security Assertion Markup Language. It is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).

SAML 2.0 is the current version of the protocol; it was approved as a standard by OASIS (the Organization for the Advancement of Structured Information Standards) in 2005.

Process

[Figure: SAML flow]

SAML Assertion

So what is this SAML Assertion?

First, why can a user access resources on the SP at all? Because the SP also keeps a record of the user: account details, permissions and so on. Now that the user's identity is supplied by the IdP, the two records have to be mapped onto each other so that the SP knows which of its users the IdP is talking about.

How this mapping is done is agreed when the SP and IdP are integrated. That configuration is called metadata.

There are two copies of this configuration, one on each side. It specifies how user information is mapped, the signing certificates, and so on. The IdP and SP exchange their metadata out of band, by some means other than the SAML flow itself.

So a SAML Assertion contains, among other things, the user's unique identifier, which establishes who the user is. When the SP receives it, it applies a set of rules to verify that the assertion describes a legitimate user.

What if a man in the middle knows those rules and simply inserts an assertion of his own? To prevent this, the SAML Assertion carries the IdP's digital signature in addition to the user information, and the SP trusts the assertion only after it has validated that signature with the IdP's certificate from the metadata. Validating the signature is necessary but not sufficient: the SP must also make sure that the signed element is the one whose contents it actually uses, check the assertion's conditions (the intended audience and the NotBefore/NotOnOrAfter validity window), and make sure the same assertion is not accepted twice.

Having seen what a SAML Assertion is, we still need to know how it is transported. For that we need the concept of a binding.

SAML 2.0 defines a number of bindings, which are the ways SAML messages (and therefore assertions) are carried between the parties:

The first three are the most widely used today, and all of them run over HTTP.
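To make the two most common HTTP bindings concrete, here is a Go program (an example added to this article, not code from the original post or from any SAML library) that applies the HTTP-Redirect encoding to a constructed AuthnRequest, builds the redirect URL with a RelayState, and decodes it again on the IdP side with a cap on the inflated size. The entityIDs and endpoint URLs are placeholders; the function names are my own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
)

// Constructed sample AuthnRequest; the entityIDs and Destination are placeholders.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3f1c" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/sso"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>`

// EncodeRedirect applies the HTTP-Redirect binding encoding: raw DEFLATE (no zlib
// header), then base64. URL-encoding happens when the query string is built.
func EncodeRedirect(xmlMsg string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xmlMsg)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeRedirect is the receiving side. maxSize caps the inflated output so that
// a tiny "deflate bomb" in the query string cannot exhaust the IdP's memory.
func DecodeRedirect(encoded string, maxSize int64) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("bad base64: %w", err)
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxSize+1))
	if err != nil {
		return "", fmt.Errorf("bad deflate stream: %w", err)
	}
	if int64(len(out)) > maxSize {
		return "", fmt.Errorf("inflated message exceeds %d bytes", maxSize)
	}
	return string(out), nil
}

// BuildRedirectURL is the SP side: the browser is sent to this URL. RelayState is
// opaque SP state (for example where to land after login), not part of the XML.
func BuildRedirectURL(idpSSOEndpoint, xmlMsg, relayState string) (string, error) {
	enc, err := EncodeRedirect(xmlMsg)
	if err != nil {
		return "", err
	}
	q := url.Values{"SAMLRequest": {enc}}
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	return idpSSOEndpoint + "?" + q.Encode(), nil
}

// ParseRedirectURL is the IdP side: extract SAMLRequest from the query and inflate it.
func ParseRedirectURL(full string) (xmlMsg, relayState string, err error) {
	u, err := url.Parse(full)
	if err != nil {
		return "", "", err
	}
	xmlMsg, err = DecodeRedirect(u.Query().Get("SAMLRequest"), 64*1024)
	return xmlMsg, u.Query().Get("RelayState"), err
}

// EncodePost is the HTTP-POST binding's encoding: plain base64 in a form field,
// with no DEFLATE, because a POST body has no URL-length problem to solve.
func EncodePost(xmlMsg string) string {
	return base64.StdEncoding.EncodeToString([]byte(xmlMsg))
}

func main() {
	full, err := BuildRedirectURL("https://idp.example.com/sso", sampleAuthnRequest, "/after-login")
	fmt.Println(full, err)
	xmlMsg, rs, err := ParseRedirectURL(full)
	fmt.Println(rs, err, xmlMsg == sampleAuthnRequest)
}
```

Two things the encoding itself does not give you. In the Redirect binding a signature, if present, is not inside the XML: it travels as separate SigAlg and Signature query parameters computed over the encoded query string, so the receiver has to verify it over the raw query, not over the parsed XML. And because a few hundred bytes of DEFLATE can inflate into megabytes, the receiver must bound the inflated size, as DecodeRedirect does.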

Metadata

As mentioned above, metadata is how the IdP and SP learn each other's configuration, including some security-relevant settings. The main contents are:

Among them is the md:KeyDescriptor element. The SP's metadata carries an encryption certificate: when the SP and IdP are integrated, the IdP obtains this certificate (the SP's public key), and after the user logs in successfully the IdP uses it to encrypt the SAML Assertion (in practice, to wrap the symmetric key that encrypts the assertion), which the SP then decrypts with its own private key. A second KeyDescriptor, marked for signing, carries the public key the other side uses to validate signatures, so that the receiver can tell whether an assertion really came from the party it expects.
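The assertion and metadata sections above describe what the SP has to check; the following Go program (an example added to this article, not code from the original post or from any SAML implementation) shows those checks in order. The IdP signs an assertion addressed to one SP, and the SP verifies the signature with the IdP's signing key, which in practice comes from the signing KeyDescriptor in the IdP metadata, before checking issuer, audience, validity window and replay. It simplifies real SAML in two ways stated in the comments: it signs the serialised assertion bytes directly rather than using an XML Signature over a canonicalised element, and it leaves the encryption KeyDescriptor out. The entityIDs, the NameID and the type and function names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Conditions carries the checks the SP must enforce besides the signature.
type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}

// Assertion is a cut-down SAML 2.0 assertion (namespaces and most optional
// elements omitted) with the fields the SP relies on.
type Assertion struct {
	XMLName      xml.Name   `xml:"Assertion"`
	ID           string     `xml:"ID,attr"`
	IssueInstant time.Time  `xml:"IssueInstant,attr"`
	Issuer       string     `xml:"Issuer"`
	NameID       string     `xml:"Subject>NameID"`
	Conditions   Conditions `xml:"Conditions"`
}

// SignedAssertion is what reaches the SP. Real SAML embeds a ds:Signature over
// an exclusive-canonicalised form of the element; this simplification signs
// the serialised bytes directly (RSA PKCS#1 v1.5 over SHA-256).
type SignedAssertion struct {
	XML       []byte
	Signature []byte
}

// NewIdPKey stands in for the IdP's signing certificate published in its metadata.
func NewIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueAssertion is the IdP side: after login, mint an assertion addressed to
// one SP (the Audience) with a short validity window, and sign it.
func IssueAssertion(idpKey *rsa.PrivateKey, idpID, spID, nameID string, now time.Time) (SignedAssertion, error) {
	id := make([]byte, 16)
	rand.Read(id)
	a := Assertion{ID: fmt.Sprintf("_%x", id), IssueInstant: now, Issuer: idpID, NameID: nameID,
		Conditions: Conditions{NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute), Audience: spID}}
	raw, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return SignedAssertion{XML: raw, Signature: sig}, err
}

// SP is the SP's half of the exchanged metadata: its own entityID, the trusted
// IdP's entityID and that IdP's signing key (md:KeyDescriptor use="signing").
type SP struct {
	EntityID, TrustedIssuer string
	IdPSigningKey           *rsa.PublicKey
	Now                     func() time.Time
	seen                    map[string]bool // assertion IDs already accepted (replay cache)
}

func NewSP(entityID, idpID string, idpKey *rsa.PublicKey) *SP {
	return &SP{EntityID: entityID, TrustedIssuer: idpID, IdPSigningKey: idpKey, Now: time.Now, seen: map[string]bool{}}
}

// Verify runs the SP-side checks in the order they must happen: the signature
// before anything inside is read, then issuer, audience, validity window, replay.
func (sp *SP) Verify(sa SignedAssertion) (*Assertion, error) {
	digest := sha256.Sum256(sa.XML)
	if rsa.VerifyPKCS1v15(sp.IdPSigningKey, crypto.SHA256, digest[:], sa.Signature) != nil {
		return nil, errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return nil, err
	}
	now := sp.Now()
	switch {
	case a.Issuer != sp.TrustedIssuer:
		return nil, fmt.Errorf("issuer %q is not the configured IdP", a.Issuer)
	case a.Conditions.Audience != sp.EntityID:
		return nil, fmt.Errorf("assertion addressed to %q, not to this SP", a.Conditions.Audience)
	case now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter):
		return nil, errors.New("assertion outside its validity window")
	case sp.seen[a.ID]:
		return nil, errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true
	return &a, nil
}

func main() {
	idpKey, _ := NewIdPKey()
	sp := NewSP("https://sp.example.com/metadata", "https://idp.example.com/metadata", &idpKey.PublicKey)
	sa, _ := IssueAssertion(idpKey, sp.TrustedIssuer, sp.EntityID, "alice@example.com", time.Now())
	a, err := sp.Verify(sa)
	fmt.Println(a.NameID, err) // the same bytes with one bit flipped fail at the signature check
}
```

The order is the point: the signature is checked before any field of the assertion is parsed or trusted, and the Audience check is what stops an assertion the IdP issued for some other SP from being presented to this one. The replay cache only needs to remember IDs for as long as the validity window, since anything older fails the time check anyway.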

What is OIDC

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It lets clients verify the identity of the end user based on the authentication performed by an authorization server, using JSON as the data format. It is the third generation of the OpenID specification, after OpenID (1.0) and OpenID 2.0. On top of OAuth 2.0 it adds the ID Token, which solves the problem OAuth 2.0 alone does not address: letting a third-party client authenticate the user, rather than merely obtain access to the user's resources.

Its structure is shown in the figure:

[Figure: OIDC structure; image not reproduced]

As the diagram shows, besides the core specification OIDC also provides a series of optional extensions. For example:

The diagram is fairly old; OIDC now provides many more optional extensions, which are listed on the official website.

Process

Because OIDC is built on OAuth 2.0, it likewise has several flows.

For reasons of space I will explain the Authorization Code Flow in some detail. Before we start, a few names need to be clarified:

Authorization Code flow
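Here is the Authorization Code Flow as runnable Go (an example added to this article, not code from the original post or from any OIDC library): a toy OP hands out a one-time code bound to the RP's client_id and nonce, the RP redeems it for an RS256 ID Token over the back channel, and then validates that token the way OIDC Core requires before treating the user as logged in. The OP issuer, client_id and subject values are placeholders, and the OP type and its methods are names I made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims are the claims OIDC Core makes the RP validate (aud is kept as
// a single string here; a real parser must also accept a JSON array).
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// OP is a toy OpenID Provider (an assumed name, not a real library) that binds
// each code to the client_id and nonce it was issued for and mints RS256 tokens.
type OP struct {
	Issuer string
	Key    *rsa.PrivateKey
	codes  map[string][3]string // code -> {client_id, nonce, sub}
}

func NewOP(issuer string) (*OP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &OP{Issuer: issuer, Key: key, codes: map[string][3]string{}}, err
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Steps 1-2: the RP redirected the browser to the OP with response_type=code and a
// fresh state and nonce; once the EU has authenticated, the OP issues a one-time code.
func (op *OP) Authorize(clientID, nonce, sub string) string {
	raw := make([]byte, 16)
	rand.Read(raw)
	code := b64(raw)
	op.codes[code] = [3]string{clientID, nonce, sub}
	return code
}

// Step 3 (RP -> OP, back channel): redeem the code for an ID Token.
func (op *OP) Token(code, clientID string, now time.Time) (string, error) {
	c, ok := op.codes[code]
	if !ok || c[0] != clientID {
		return "", errors.New("invalid_grant")
	}
	delete(op.codes, code) // a code is redeemable exactly once
	payload, _ := json.Marshal(IDTokenClaims{Iss: op.Issuer, Sub: c[2], Aud: clientID,
		Exp: now.Add(10 * time.Minute).Unix(), Nonce: c[1]})
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, op.Key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// Step 4 (RP): validate the ID Token before treating sub as logged in. Order
// matters: pin the algorithm, verify the signature, only then read the claims.
func VerifyIDToken(tok string, opKey *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, e1 := dec(parts[0])
	payload, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var hdr struct{ Alg string `json:"alg"` }
	var c IDTokenClaims
	switch {
	case e1 != nil || e2 != nil || e3 != nil:
		return nil, errors.New("bad base64url segment")
	case json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256":
		return nil, errors.New("unexpected alg") // never honour alg=none or an HS256 downgrade
	case rsa.VerifyPKCS1v15(opKey, crypto.SHA256, digest[:], sig) != nil:
		return nil, errors.New("bad signature")
	case json.Unmarshal(payload, &c) != nil:
		return nil, errors.New("bad payload")
	case c.Iss != issuer:
		return nil, errors.New("issuer not trusted")
	case c.Aud != clientID:
		return nil, errors.New("token issued to another client")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

func main() {
	op, _ := NewOP("https://op.example.com")
	nonce := "n-8f3a1c" // in a real RP: random, stored in the session next to state
	code := op.Authorize("rp-client", nonce, "user-123")
	tok, _ := op.Token(code, "rp-client", time.Now())
	claims, err := VerifyIDToken(tok, &op.Key.PublicKey, op.Issuer, "rp-client", nonce, time.Now())
	fmt.Println(claims.Sub, err)
}
```

The RP also has to compare the state parameter it receives on its callback with the one it stored in the session before redeeming the code; that check sits outside this block. Note that the claims are only parsed after the signature has been verified against a pinned algorithm, which is what keeps an alg=none or algorithm-confusion token from ever reaching the claim checks, and that the nonce check is what ties the ID Token to this particular login attempt.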

In the Implicit Flow, when the OP (OpenID Provider) redirects the EU (End User) back to the RP (Relying Party), the redirect carries the ID Token and, if needed, the Access Token directly instead of an Authorization Code. The request differs slightly too, since some additional parameters must be sent; I will not go into those here. The overall process is otherwise almost the same; details can be found here. Because the tokens travel in the redirect URL itself, they are exposed to the browser, its history and anything else that can read the URL, which is why current OAuth 2.0 security guidance recommends the Authorization Code Flow (with PKCE) over the Implicit Flow.

The Hybrid Flow can be understood as a combination of the two flows above: when the OP redirects the EU to the RP, the redirect carries the Authorization Code and, depending on the response_type parameter sent in the request, different additional parameters (tokens) as well. The specific process can be found here.