Layer7 API Management

  • 1.  SAML Web SSO - Gateway acting as Service Provider

    Posted Aug 13, 2015 11:26 AM

    Hi,

     

I am looking for some documentation for the Gateway to work as a Service Provider (SP) in the SAML Web SSO use case. I did find the Salesforce integration documentation where the Gateway is acting as the Identity Provider (IDP). I am trying to build a working Web SSO scenario in my local environment where one gateway acts as SP and another gateway as IDP.

     

    Thanks,

    Atul Raut



  • 2.  Re: SAML Web SSO - Gateway acting as Service Provider
    Best Answer

    Broadcom Employee
    Posted Aug 13, 2015 11:34 AM

    Hi Atul,

     

    I have attached a couple of example policies (one for IDP and one for SP). These examples should give you an idea of how this would work. Let me know if you have additional questions.

     

    Greg Thompson




  • 3.  Re: SAML Web SSO - Gateway acting as Service Provider

    Posted Aug 13, 2015 01:27 PM

    Thanks Greg. Good to interact with you again :-) ( I hope you remember me from the GE pilot).

     

I was able to get the Web SSO use case working in my local environment with the policy examples you uploaded. Thank you. I just have one question on the flow; maybe my understanding of the flow is wrong. When the Service Provider redirects the request to the IDP for authentication, the SP sends the SAMLP request to the IDP. In the policy example, the SP does send the SAMLP request. However, I don't see any logic on the IDP side to validate the SAMLP request (Process SAML Authentication Request assertion). In the usual use case, do we need to validate the SAMLP request?

     

    Thanks and Regards,

    Atul Raut



  • 4.  Re: SAML Web SSO - Gateway acting as Service Provider

    Broadcom Employee
    Posted Aug 13, 2015 01:36 PM

    Hi Atul,

     

Yes, I remember you well! I hope you have been doing well. It's definitely good to interact with you again!

     

    In terms of validating the SAMLP Request, yes, you would typically want to have some additional policy to do the validation to check for proper signing and any restrictions. The example I provided omits that just to show the basic flow. You would want to add the Process SAML Authentication Request assertion and perhaps do some additional checking to ensure you are receiving a proper and legitimate SAML request.

     

    Thanks,

    Greg



  • 5.  Re: SAML Web SSO - Gateway acting as Service Provider

    Posted Aug 20, 2015 04:51 PM

    Hi Greg,

     

Do you have any production version of the SP and IDP policies? I tried adding "Process SAML Authentication Request" in the policy but it kept giving me the error below:

    WARNING  9232  Invalid AuthnRequest: 'Not an AuthnRequest'.

     

    Thanks,

    Atul Raut
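Greg's advice in post 4 (add Process SAML Authentication Request and check signing and restrictions) and the "Not an AuthnRequest" warning in post 5 both come down to what the IDP side must do with an inbound AuthnRequest. The block below is an added example and is not Layer7 policy, not the attached example policies, and not code from anyone in this thread: plain Python that undoes the HTTP-Redirect binding (raw DEFLATE, then base64) and applies the structural checks an IDP-side policy would make before it authenticates the user and builds a Response. The SP entity ID, ACS URL, IDP SSO URL, skew window and all sample messages are constructed for the illustration. XML signature verification is deliberately not implemented here (it needs an XMLDSig library and the SP's certificate); the gateway's own signing checks cover that.

```python
"""
IdP-side structural checks on a SAML 2.0 AuthnRequest.
Added illustration in plain Python; not Layer7 policy and not from the original thread.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed trust registry (hypothetical values): SP entity IDs this IdP knows and the
# AssertionConsumerService URLs each SP is allowed to ask for.
TRUSTED_SPS = {
    "https://sp.example.com/saml": {"acs": {"https://sp.example.com/saml/acs"}},
}
IDP_SSO_URL = "https://idp.example.com/saml/sso"   # this IdP's SSO endpoint (assumed)
MAX_SKEW = timedelta(minutes=5)                    # tolerated IssueInstant age / clock skew


def encode_redirect_binding(xml_bytes):
    """Build a SAMLRequest value as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # wbits=-15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def encode_post_binding(xml_bytes):
    """HTTP-POST binding carries the XML as plain base64 with no compression."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_saml_request(param):
    """Undo either binding: try raw DEFLATE first, fall back to the uncompressed XML."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def validate_authn_request(param, now):
    """Return (accepted, reason). Signature verification is intentionally out of scope here."""
    try:
        root = ET.fromstring(decode_saml_request(param))
    except (ValueError, ET.ParseError) as exc:            # bad base64 raises a ValueError subclass
        return False, "unparseable SAMLRequest: %s" % exc
    # First check: the root element must be samlp:AuthnRequest. A Response, a LogoutRequest,
    # a bare Assertion or a still-deflated blob all fail right here.
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return False, "Not an AuthnRequest"
    if root.get("Version") != "2.0" or not root.get("ID"):
        return False, "missing ID or unsupported Version"
    # Issuer must be a registered SP; otherwise the IdP would authenticate users for anyone.
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = TRUSTED_SPS.get(issuer)
    if sp is None:
        return False, "unknown Issuer %r" % issuer
    # Destination, when present, must be this IdP's own endpoint.
    dest = root.get("Destination")
    if dest is not None and dest != IDP_SSO_URL:
        return False, "Destination %r is not this IdP" % dest
    # ACS URL must be one registered for that SP: honouring a free-form ACS would let an
    # attacker have the signed assertion posted to a host they control.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in sp["acs"]:
        return False, "AssertionConsumerServiceURL %r not registered for %s" % (acs, issuer)
    # IssueInstant must be recent and timezone-qualified; stale requests are rejected.
    try:
        issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    except ValueError:
        return False, "bad IssueInstant"
    if issued.tzinfo is None or abs(now - issued) > MAX_SKEW:
        return False, "IssueInstant outside allowed skew"
    return True, "ok"


# Constructed sample messages (not captured from a real gateway).
GOOD_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_8f2d1c" Version="2.0" IssueInstant="2015-08-13T15:26:00Z"
  Destination="https://idp.example.com/saml/sso"
  AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""
NOT_AN_AUTHN_REQUEST = GOOD_REQUEST.replace(b"AuthnRequest", b"Response")   # wrong message type
EVIL_ACS_REQUEST = GOOD_REQUEST.replace(b"https://sp.example.com/saml/acs", b"https://attacker.example/acs")
STALE_REQUEST = GOOD_REQUEST.replace(b"2015-08-13T15:26:00Z", b"2015-08-13T14:00:00Z")
NOW = datetime(2015, 8, 13, 15, 27, tzinfo=timezone.utc)                     # fixed clock for the demo


def demo():
    """Run every sample through the validator via the Redirect binding; returns {name: (ok, reason)}."""
    cases = {"good": GOOD_REQUEST, "not_authn": NOT_AN_AUTHN_REQUEST,
             "evil_acs": EVIL_ACS_REQUEST, "stale": STALE_REQUEST}
    return {name: validate_authn_request(encode_redirect_binding(xml), NOW) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-10s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The order of the checks matters: the root-element test runs before anything else, so a policy that receives a samlp:Response, an Assertion, or a SAMLRequest parameter that was never inflated and base64-decoded will report a rejection of the same kind as the warning quoted in post 5, regardless of whether the message was signed. Only once the message is known to be an AuthnRequest from a registered Issuer, addressed to this IDP, naming a registered ACS and carrying a fresh IssueInstant, does signature verification (omitted here) become worth the cost.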



  • 6.  Re: SAML Web SSO - Gateway acting as Service Provider

    Posted Feb 24, 2016 08:09 PM

    I would also be interested in seeing a beefier version of both the SP & IdP policies attached above (but more specifically, in my case, the SAMLP Request validation aspect)

     

    Regards,

    Jeff Michaud