LDAP and SAML authorization

I am currently looking into moving an asset tracking system from LDAP to SAML. There are two main areas in which our software currently uses LDAP. The first is authentication. To access the system today, you need to successfully authenticate with LDAP and be a member of a specific LDAP group. This part is pretty easy to upgrade to SAML. We used the library to handle most of the dirty work, and in the IdP we can add a request for user authorization. But our second use of LDAP throws me for a loop.

Today, every asset that we support can be bound to a username. For example, a particular printer might belong to "someuser". One of the options our software provides is to view / interact with assets based on LDAP user groups. So, as an administrator, I can update all printers owned by people in a specific department. To do this, the administrator creates a rule that is bound to the LDAP group groupInQuestion. Our software then uses the service account to connect to LDAP, builds a query to find out which users from our system are in "departmentInQuestion", runs it, and uses the results to determine which assets should receive the update.

So far, I have not been able to find a SAML workflow similar to this. It seems that the only opportunity we have to challenge users is when they authenticate and we get access to their assertions. But in our workflow, "someuser" may never authenticate with us. It is almost as if we were using user authorization on behalf of the service account. Is there an existing workflow that I missed in my research? Are there any other technologies that support authorization this way?

Thanks for any input!

+7
authentication authorization ldap saml
2 answers

SAML is like a passport or visa. It carries (trusted) information about you, which can be used to learn facts about you (for example, your name, DOB) and to conclude what you are entitled to (for example, entry into the country). You can use the properties in the token to query other systems for additional information that you could associate with it (for example, a bank statement).

So, similarly, SAML is usually used to authenticate users into a system (once you trust its source), but it makes no provisions for managing user profiles or "resources".

Authorization decisions, if any, are often made based on attributes associated with the user (for example, the groups he belongs to), which are passed on to the enforcement points in the security token.

Perhaps the first question to answer is why you want to move away from LDAP and are considering SAML. Is it because you want users to sign in with their own credentials? Or is it because you generally want to get rid of the LDAP server?

You could well keep your LDAP server for managing the resources associated with users and authenticate users elsewhere. That is what you have now. You would map users "outside" and "inside" using a common attribute (for example, username or some identifier).

If you want to completely get rid of LDAP, you will need a place to store this information (for example, the application database).

+10
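The "map users outside and inside by a common attribute" approach described in this answer, as an added example that is not part of the answer: a Python sketch that takes the NameID and attributes from an already-validated SAML assertion, stores them in an application-side directory, and answers the question's "which printers belong to department X" query from that store instead of from LDAP. The sample assertion, the attribute names `department` and `groups`, and the `AppDirectory` store are constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SAML 2.0 assertion namespace (real OASIS URN).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for this example. Signature, Conditions and
# AudienceRestriction are omitted: the SAML library is assumed to have
# validated them before the assertion reaches this code.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">someuser</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>asset-users</saml:AttributeValue>
      <saml:AttributeValue>printer-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from a validated assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id.text.strip(), attrs


@dataclass
class AppDirectory:
    """Hypothetical application-side store that replaces the LDAP group lookup."""
    users: dict = field(default_factory=dict)   # username -> {"department", "groups"}
    assets: dict = field(default_factory=dict)  # asset id -> {"type", "owner"}

    def sync_user(self, assertion_xml):
        """Upsert the subject's attributes at login; this is the only moment the
        IdP tells the application anything about the user."""
        username, attrs = parse_assertion(assertion_xml)
        department = attrs.get("department") or [None]
        self.users[username] = {
            "department": department[0],
            "groups": set(attrs.get("groups", [])),
        }
        return username

    def assets_owned_by_department(self, department, asset_type=None):
        """Stand-in for the old 'which of our users are in department X' LDAP query:
        it answers from the locally stored attributes, so the owners do not need
        to be logged in when the administrator runs the bulk update."""
        owners = {u for u, rec in self.users.items() if rec["department"] == department}
        return sorted(
            asset_id for asset_id, rec in self.assets.items()
            if rec["owner"] in owners and (asset_type is None or rec["type"] == asset_type)
        )


def demo():
    store = AppDirectory(assets={
        "printer-12": {"type": "printer", "owner": "someuser"},
        "printer-40": {"type": "printer", "owner": "neverloggedin"},
        "laptop-7": {"type": "laptop", "owner": "someuser"},
    })
    store.sync_user(SAMPLE_ASSERTION)
    return store.assets_owned_by_department("Finance", asset_type="printer")


if __name__ == "__main__":
    print(demo())  # ['printer-12']; printer-40's owner has no record yet
```

The limitation this makes visible is the one the question is really about: the store only knows what the IdP said at each user's last login, so the owner of `printer-40`, who has never signed in, is invisible to the department rule and stale departments are not corrected until the next login. Either keep LDAP for the resource side, as the answer suggests, or fill the store out of band (for instance from a provisioning feed such as SCIM) rather than from assertions alone.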

Building on Eugenio Pace's answer, and in particular on this paragraph:

So, similarly, SAML is usually used to authenticate users into a system (once you trust its source), but it makes no provisions for managing user profiles or "resources".

Authorization decisions, if any, are often made based on attributes associated with the user (for example, the groups he belongs to), which are passed on to the enforcement points in the security token.

What Eugenio means here is ABAC, attribute-based access control. SAML does not do this. You need XACML to achieve ABAC. Both SAML and XACML are OASIS-defined standards that work together. With XACML you can define rules based on attributes. For example, going back to your example, we could write a rule as follows:

  • A user with role == administrator can perform the action == update on a resource of type == printer if and only if the user's department == the printer's department.

You can learn more about XACML and ABAC at these sites:

+4
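The rule in this answer, carried through as an added example (not the answer's own code, and not XACML itself): a small Python policy evaluator that mimics how an XACML policy decision point treats a rule, with a target, a condition, Permit/Deny/NotApplicable results and deny-overrides combining. The `Request`, `Rule` and `Policy` classes, the attribute names and the second "retired assets" rule are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """Attributes of one access attempt, grouped the way XACML categories are."""
    subject: dict
    action: str
    resource: dict


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: dict = field(default_factory=dict)    # "category.attribute" -> required value
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req):
        ctx = {"subject": req.subject, "action": {"id": req.action}, "resource": req.resource}
        for key, wanted in self.target.items():
            category, attr = key.split(".", 1)
            if ctx[category].get(attr) != wanted:
                return NOT_APPLICABLE          # target does not match this request
        # A false condition also yields NotApplicable, as in XACML.
        return self.effect if self.condition(req) else NOT_APPLICABLE


@dataclass
class Policy:
    rules: list

    def decide(self, req):
        """Deny-overrides combining: one Deny wins, else any Permit, else NotApplicable."""
        results = [rule.evaluate(req) for rule in self.rules]
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE


# The rule from the answer above, plus a constructed second rule to show deny-overrides.
PRINTER_POLICY = Policy(rules=[
    Rule(
        rule_id="admin-updates-own-department-printers",
        effect=PERMIT,
        target={"subject.role": "administrator", "action.id": "update", "resource.type": "printer"},
        condition=lambda r: r.subject.get("department") is not None
        and r.subject["department"] == r.resource.get("department"),
    ),
    Rule(
        rule_id="no-updates-to-retired-assets",
        effect=DENY,
        target={"action.id": "update"},
        condition=lambda r: r.resource.get("status") == "retired",
    ),
])


def is_permitted(policy, req):
    """Enforcement-point view: only an explicit Permit allows the action;
    NotApplicable is treated as a refusal, never as a fall-through."""
    return policy.decide(req) == PERMIT


def demo():
    admin = {"role": "administrator", "department": "Finance"}
    staff = {"role": "staff", "department": "Finance"}
    finance_printer = {"type": "printer", "department": "Finance", "status": "active"}
    hr_printer = {"type": "printer", "department": "HR", "status": "active"}
    retired_printer = {"type": "printer", "department": "Finance", "status": "retired"}
    return {
        "own_dept": PRINTER_POLICY.decide(Request(admin, "update", finance_printer)),
        "other_dept": PRINTER_POLICY.decide(Request(admin, "update", hr_printer)),
        "retired": PRINTER_POLICY.decide(Request(admin, "update", retired_printer)),
        "staff": PRINTER_POLICY.decide(Request(staff, "update", finance_printer)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

In the question's setup the enforcement point would fill in `resource.department` from the asset's owner record before asking for a decision, and `subject.role` and `subject.department` would come from the administrator's own assertion. The two points worth carrying over to a real XACML deployment are the same ones shown here: a rule whose target or condition does not match says nothing (NotApplicable) rather than permitting, and the enforcement point must treat anything other than Permit as a refusal.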
