DEV Community

Cover image for IDP init SAML SSO login flow
Laslo Pastor
Laslo Pastor

Posted on • Edited on

IDP init SAML SSO login flow

This article covers the initiation of the Identity Provider (IDP) over Security Assertion Markup Language (SAML) Single-Sign-On (SSO) login flow, serving as a quick setup guide. If you have any comments or suggestions, please feel free to reach out to me.

Use case:
Is IDP init right for my organization?

  • Simplifies experience by requiring an identification process before accessing any Service Providers (SPs).
  • Ensures a consistent user experience across various channels and services.
  • Establishes a centralized hub for maintaining a consistent level of security across all resources, incorporating Multi-Factor Authentication (MFA), biometric verification, or adaptive login.

I will try to explain possible scenarios with Azure Microsoft Entra ID (AEID) and WSO2 IS platform.
Both can be used for free. Microsoft Entra ID has a free tier and WSO2 is open source and the version downloaded from the site can be used free for preproduction env.

Setup WSO2 IS

  1. Download it, unzip it, setup JAVA_HOME, run it. (a good place to start is WSO2 IS documentation

Note: WSO2 IS version 7 will be released by the end of Nov 2023. The full B2B concept will be implemented as a first-class citizen functionality. This concept started first in the WSO2 SaaS platform [Asgardeo].(https://wso2.com/asgardeo/)

After logging in to IS, you will be at the root organization level.

  1. go to https://localhost:9443/console (if you haven't changed anything in /repository/conf/deployment.toml file the platform should run on the default 9443 port) and log in with admin/admin (username/password)

Image description

  1. Create the organizational structure (ORG_A, ORG_B,ORG_C,ORG_D)

Image description

  1. Create an application at the root level in my case with the following settings

Image description

Image description

name : Simple SAML app

Issuer: simple_saml_app

Assertion consumer service URLs:
http://localhost.com:8080/saml2-web-app-pickup-manager.com/home.jsp

Note: Issuer is used to uniquely identify your service/application, while Assertion consumer service URLs is URL where your application will receive SAML assertion from IDP. In my case, I'm using the demo application found on WSO2 Samples page.

Finally, shared the application with ORG_D.

Note: You need to check it the 'Enable IdP initiated SSO' in the Protocol tab.

Setup Azure

  1. Go to Azure/MS Entra ID/Enterprise application/ and create a new one by clicking on the 'Create your own application' button. In my case, I named it IDPInit. Choose 'Single sign-on from the left menu and choose SAML application.

Image description

Edit Basic SAML Configuration with the following:

Identifier: IDPInit

Reply URL (Assertion Consumer Service URL):
https://localhost:9443/samlsso?spEntityID=simple_saml_app&fidp=OrganizationSSO&org=ORG_D

Image description

Note: If you want to change from the SAML application and redirect login flow to the OIDC application the Reply URL should look like this:
Reply URL (Assertion Consumer Service URL):
https://localhost:9443/oauth2/authorize?client_id=[oidc_app_client_id]&fidp=OrganizationSSO&org=ORG_C&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fpickup-manager%2Foauth2client&response_type=id_token&scope=openid

Download the Certificate (Base64) and Federation MetadataXML and save it (you will need later)

Image description

Go back to WSO2 IS

Switch to sub-Organization D and create a new Standard based connection with SAML protocol.
name: IDPInit (same as we defined in Azure)

Image description
Service provider entity ID: IDPInit
Upload the XML metadata we downloaded from Azure.

Image description
Upload the downloaded certificate.

Image description

Go to the application, and choose the Simple SAML app.
In Sign-in Method and in Classic Editor choose 'Start with Default configuration'.

Image description
Remove 'Username and password; and add 'IDPInit' Authentication connector

Image description

Back to Azure Again

Assign a user(s) that should have the right to log in with the IDPInit application.

Image description

while you are there note the attributes and claims that will be passed in SAML accertion.

Image description

In the Properties section, you will find the User access URL link that can be used to initiate the flow. This is the link that your application will redirect the user to start the login flow.

Image description

Claims mapping

When you finish the login flow, the following popup will indicate that the required claim received from SAML assertion is not mapped to the application.

Application popup

Fill out the claim mapping in the WSO2 'IDPInit' Authentication connector

Claim mapping in wso2 connector

The correct values for External IdP Attribute can be found on Azure in Attributes & Claims section.

Attributes & Claims section in Azure

Good luck!

Top comments (0)