In this section we look at how miniOrange provides its identity broker service. Earlier we saw how an identity broker works: it provides a platform on which Service Providers and Identity Providers that speak different protocols can be configured and connected to each other.
To see what this means in practice, consider the following example scenarios.
Authenticate mobile application through ADFS using JWT Tokens
Here ADFS is the Identity Provider, which speaks SAML, and the external application is a "Cordova" mobile app. The mobile application is authenticated through ADFS and receives a JWT token: the broker sits between the SAML side (ADFS) and the JWT side (the mobile app), so miniOrange lets users log in to the mobile application with their ADFS credentials.
Configure any OAuth Provider with applications supporting different protocols
You can configure any OAuth Provider that supports OAuth, such as Salesforce, Slack or Meetup, for Single Sign-On (SSO) into applications that support other protocols such as SAML, OpenID Connect or JWT, using the Identity Broker service.
Setup Active Directory as User Store and configure any application
You can configure any LDAP directory, such as Active Directory or OpenDS, as the user store and then single sign-on into applications that support OAuth, OpenID Connect, JWT, etc., or into applications that support no federation protocol at all.
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging user authentication and authorization data between security domains, typically between an identity provider and a service provider. Using SAML, a service provider can defer to a separate identity provider to authenticate users who are trying to access protected content.
The SAML specification defines three roles:
- The principal (typically a user).
- The Identity Provider (IdP) creates, maintains and manages identity information and authenticates the principal on behalf of service providers. In SAML SSO it issues the authentication assertion. The Identity Provider can also act as an attribute authority by including an attribute statement in the response.
- The Service Provider (SP) is the relying party in SAML SSO: it receives and accepts authentication and authorization assertions from the identity provider, and provides services to principals or other system entities.
The most common use case addressed by SAML is web browser SSO. SAML SSO works by transferring a user's identity from one place (the identity provider) to another (the service provider) through the exchange of digitally signed XML documents. Assume a user who already has, or can establish, a session with the identity provider wants to log in to a remote application (the service provider):
- The user loads the application, for example by clicking a link to it.
- The application identifies the user's identity provider (for example from the application subdomain or the user's IP address) and sends a SAML authentication request (AuthnRequest) by redirecting the user to the identity provider.
- The user either already has a session with the identity provider or logs in to it now.
- The identity provider posts an authentication response back to the service provider (application): a base64-encoded XML document containing the user's attributes, signed with the identity provider's private key. The service provider holds the matching X.509 certificate.
- The service provider, which already knows and trusts the identity provider, decodes the response and verifies the signature with the identity provider's certificate. It should also check that the response was addressed to it (Destination and Audience), that it answers a request the service provider actually sent (InResponseTo), and that the assertion is within its validity window (NotBefore/NotOnOrAfter); a valid signature alone proves only that the identity provider issued the assertion, not that it was meant for this service provider now.
- The user's session with the application is established.