Introduction to SAML

What is Authentication?

Authentication is the process of validating the identity of a user. This is to make sure that the user connecting to a system is authorized/allowed for the same. In the last couple of years, there has been a significant shift towards the federated authentication to centralize the authentication process by delegating the process of authentication to an identity provider. SAML is one of the ways to achieve this.

Why SAML?

SAML is the standardized format designed to be interoperable with any system. SAML is important to your organization as you move more towards relying on hosted services as it provides a single point of authentication at IDP. The credentials are not stored on multiple untrusted devices as SAML is used to assert the identity. Other benefit lies in the user experience as users do not have to remember multiple credentials to access their apps. They can access multiple applications with a single set of credentials by logging in once. It also reduces the overhead of maintaining hardware, software for authentication, adding auth mechanisms within applications.

SAML Terminology

Client A user who is trying to access a protected resource

All communication between the SP and IDP happen through the client’s browser.
Service Provider (SP) An entity that hosts the protected resource and requests authentication information from the Identity Provider before granting the client access to the resource
Identity Provider (IDP) A trusted entity which validates the identity of the client and provides authentication services to the SP
Assertion XML messages exchanged between IDP and SP
SAML Request A request the SP passes to the IDP to authenticate a client.
SAML Response An assertion the IDP passes to the SP containing information about the client.
Assertion Consumer Service (ACS) An HTTP resource within the SP that processes SAML protocol messages and returns a cookie representing the information extracted from the message. The IDP sends the SAML response assertion to the ACS.
Entity ID A unique string that should match in both the IDP and SP.
Metadata Configuration data used to provision an SP or IDP to communicate with each other. SAML 2.0 provides a well-defined, interoperable metadata format that entities can leverage to bootstrap the trust process.

SAML Processes

There are two types of SAML processes:

  1. IDP-initiated SSO — The client connects to the identity provider, gets authenticated, and then accesses the resources from the service provider.
  2. SP-Initiated SSO — The client connects to a service provider, which then redirects the client to the identity provider for authentication. Once successfully authenticated, the client is then redirected to the service provider. which allows access to the resource.

Note: Avi supports only SP-initiated SSO, with an Avi virtual service acting as the service provider.

SAML Bindings

The IDP and SP exchange a SAML request and a SAML response with each other through the client. The method to transport these messages is called a SAML binding. SAML supports multiple kinds of bindings.


An Avi VS acting as SP supports:

  • Redirect the binding to redirect the client to the IDP. The SAML request is carried directly in the URL query string of an HTTP GET request.
  • POST binding to send the response to the SP. The SAML response is transmitted within an HTML form using Base64-encoded content.

What is a SAML Assertion?

A SAML assertion is the XML document the IDP sends to the SP that contains the user information. There are three different types of statements in SAML assertions — authentication, attribute, and authorization.

  • Authentication — To prove the identity of the user.
  • Attribute assertion — SAML attributes are passed to SP as part of the assertion to provide information about the user.
  • Authorization assertion — Provides the SP information by which it can know the user is/isn’t authorized to use the service.

SAML Authentication for Clients with Avi VS as SP


Request Flow

  1. The user tries to access the resource which is hosted on Avi, i.e., Avi is acting as a service provider: GET https://sales.avi.com/.
  2. If the user is not authenticated already, Avi generates a SAML request and redirects the user to identity provider SSO service to get authenticated using a 302 Redirect.
  3. Client’s browser sends a GET request to the SSO service of the IDP.SAML request is carried directly in the URL query string of an HTTP GET request.
    Example:
    https://idp.example.com/app/avinetworks_samlapp_1/exkfop30u1uCi2FEv0h7/sso/saml?SAMLRequest=fZJfb4IwFMW%2FCum7UBRFGyVB0cxkf8gke9iL6aDMRmhrb8Ht26%2FgYtzDfD33nJz7u%2B0caF0pEjfmIF7ZqWFgnK%2B6EkD6wQI1WhBJgQMRtGZATE528dMjGbqYKC2NzGWFbiL3ExSAacOlQM42WaD9OIzH%2FjoI%2FHC9Ccc4CKbxJJ6Es1kwXo6SYYKcN6bB%2BhfIxm0IoGFbAYYKYyXszwZ4OMBh5k8JxmQUvCMnsQxcUNOnDsYoIJ5HWy6YOUt9BFceDVWatZyd3VzWHlXqdr7vMMpTIaw%2B2vse%2BzqWUo1w4zcrPtysW3wIPQDpdT7kbKTOWX%2B%2FBSppBazbMrWgvGVXJf291JKLgovP%2B0f6uJiAPGRZOkhfdhmK5l0Z6fF11EFZpk4yFtaltr0nATX3bo3zy%2Bs%2B24ptksqK59%2FdvjU1%2F2%2Fgu36v8GJQ9lbSCFAs5yVnBXLiqpLnlWbUXOm86NL69xtFPw%3D%3D

  4. IDP presents a form to the user to enter the credentials unless they had already authenticated into IDP in a previous session within the same browser. Once the credentials are validated, the user is authenticated on IDP level.
  5. In either case, the SSO service at IDP returns an XHTML document after the successful authentication, which includes the information needed by the SP in a SAMLResponse parameter. The SAML response will:
    • Indicate that it is indeed from the trusted IDP and hasn’t been altered.
    • Indicate that the user has authenticated successfully in IDP.
    • Indicate who the user is via the NameID, a standard attribute used in SAML assertions.
  6. The SAMLResponse parameter is passed on to the Avi ACS service from the client using a POST request.
  7. Avi validates the assertion and sets a cookie for the client
  8. The client sends a GET request to access the resource with the cookie that the SP provided.
  9. The client can now request the resource.

Note: Currently, NSX Advanced Load Balancer does not support URL parameters for SAML enabled virtual services in case of unauthenticated requests, where a redirect happens to IdP. For requests on already authenticated sessions the URL parameters work as expected.

Sample Metadata

In the below, <ds:X509Certificate> and </ds:X509Certificate> surround the IDP public key.


<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://app.onelogin.com/saml/metadata/48171389-531f-4d3f-b9e3-9d44abb23ee8">
    <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>
                 MIID6zCCAtOgAwIBAgIUJMCbFE2bd/6sCjz7gZr8AJXM6vswDQYJKoZIhvcNAQEF
			     BQAwSjEVMBMGA1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQLDAxPbmVMb2dpbiBJ
			     ZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMB4XDTE4MDkyNDEyMjE0NVoX
			     DTIzMDkyNDEyMjE0NVowSjEVMBMGA1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQL
			     DAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMIIBIjAN
			     BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApOIRYePmMm+LMxgvh4PQWxhBtwzf 
			     KPbFj2LUcVZQsNHDwZp7s1b+htv3DZ6OY7yJ1Judu6BcVGJMyTRlb3eZ++5YjRyX
			     Zmabg4RQf1lBYfcdqmrIG5fMKoM9OWqQ7aRJb/KYtj/YymK0/Im3dFB7ioGkvSP0
			     b2Q5sle0HJnnpFih0LQjX0x6HaGBYvlF5tyrdKtUVXM7fLevwW0h0bB2LOhzKbgq
			     paDn/yH0zGoGdHH3MA7C6s1Wdy2YqKxf6BVDNjzor0oOstdkkKT2IBpnqI56W5xJ
			     w4rms2H6umk4G3zqKI4IWKPzQ7tPqZpsI+9zeitELOiOuyLbTO//YxRlbQIDAQAB
			     o4HIMIHFMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP0c2czccqKP14DFa+NHeTni
			     3ewfMIGFBgNVHSMEfjB8gBT9HNnM3HKij9eAxWvjR3k54t3sH6FOpEwwSjEVMBMG
			     A1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNV
			     BAMMEU9uZUxvZ2luIEFjY291bnQgghQkwJsUTZt3/qwKPPuBmvwAlczq+zAOBgNV
			     HQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEFBQADggEBAKQQt1Goo3zeyAtjWkfxW9A8
			     o1ydzAqq7u779z9OsutbHsixy525Cs62Na/252CG39yk0Uy69ar+V9gBeBLaKNaz
			     w4JbaweFQgHlCVmT4lGEe1kmnsPwgP7nLq2SvkwTYqpcVq5KE+UfRpTixA/KJ61C
			     6yV03UCM7/T9NZ1pw/oYaweuxbtOn7rXT/NTiPIm7owA4soegDBEXIZ20KuMAkGc
			     dRAi5zoIqHsm7w/v/MT8DhTtZE2sH2mSegjUj8DOH5AcxdlNpp6VI2NApi+lTpEf
			     rqnQoDKs3BPp6SwcIvNqmSZ+R3eZkyGeJuCK4sxj2Od1plRpYihaRe32sNNjnwM=
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	  Location="https://avi-networks-test-dev.onelogin.com/trust/saml2/http-redirect/slo/869509"/>
      <NameIDFormat>
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      </NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	  Location="https://avi-networks-test-dev.onelogin.com/trust/saml2/http-redirect/sso/869509"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	  Location="https://avi-networks-test-dev.onelogin.com/trust/saml2/http-post/sso/869509"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
	  Location="https://avi-networks-test-dev.onelogin.com/trust/saml2/soap/sso/869509"/>
   </IDPSSODescriptor>
</EntityDescriptor>john-doe

Sample SAML Request

The SP issues this to implicitly request an assertion containing an authentication statement.


<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_B28D3D30B4D077D88FA2C7BF64CC0F8B" 
    Version="2.0" 
    IssueInstant="2018-12-13T11:31:59Z" 
    Destination="https://avi-networks-test-dev.onelogin.com/trust/saml2/http-redirect/sso/860690"
    ForceAuthn="false" 
    IsPassive="false" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>avi-saml-vs</saml:Issuer>
    <samlp:NameIDPolicy 
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
        AllowCreate="false"/>
</samlp:AuthnRequest>

Sample SAML Response

Look for arrows <– accompanied by explanatory text in the below sample:


<samlp:Response 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    ID="R5e5c1b3cff12759e78f27c723a99963acf94fff5" 
    Version="2.0" 
    IssueInstant="2018-12-13T11:32:00Z" 
    Destination="http:/test-onelogin.auth.com/sso/acs/" 
    InResponseTo="_B28D3D30B4D077D88FA2C7BF64CC0F8B">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/4e4332e8-be0f-4650-9bac-2ea85fa16d12</saml:Issuer>
    samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion   <-- Beginning of SAML assertion. Within assertion there can be kinds of statements: authentication statement, authorization statement and attribute statement.
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
        xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        Version="2.0" 
        ID="pfx01cfd769-cd0d-f4dd-677c-f24b1ff887ef" 
        IssueInstant="2018-12-13T11:32:00Z">
        <saml:Issuer>https://app.onelogin.com/saml/metadata/4e4332e8-be0f-4650-9bac-2ea85fa16d12</saml:Issuer>  <-- The element which contains the identity provider's unique identifier
        <ds:Signature   <-- This shows that this is a signed assertion.
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference 
                    URI="#pfx01cfd769-cd0d-f4dd-677c-f24b1ff887ef">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>
                        3fAOHPB8meQtrDlQIRz5gRzUAJs=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            The below SignatureValue contains an integrity-preserving digital signature.
            ds:SignatureValue>aVpr6bjhsHW+SkkN5Fb0IMqZCBbfqucF12EhS+pO0ZrZM8qQ5LqOvNF9MY1WzO3tTscyYwsP3gScBaZzm0KHHIn/OyXj77nqT+BNBiDij7tyXfg4RvMYH6o7R36yRR8Bop9HeJ66fgRNkKA4j54sXF7BQXM+I7FFC5bT9GzXnEi47towME3kHAUlrggt+/GfA6z8Jot13a6xCmrnMaKDVOJbHqcO5LuK2zFd4VQYmpuB+0T6az19S/Hmyc89auI/dw/9uyOAC5on9b+3brKWzK1Qke54ZbQMU/
                N3BNE8fwBAYIki5j6lnw0Txzun8EsW8UosSlh1tXlSwRhA76Wwng==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>                          <ds:X509Certificate>MIID6zCCAtOgAwIBAgIUJMCbFE2bd/6sCjz7gZr8AJXM6vswDQYJKoZIhvcNAQEFBQAwSjEVMBMGA1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMB4XDTE4MDkyNDEyMjE0NVoXDTIzMDkyNDEyMjE0NVowSjEVMBMGA1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApOIRYePmMm+LMxgvh4PQWxhBtwzfKPbFj2LUcVZQsNHDwZp7s1b+htv3DZ6OY7yJ1Judu6BcVGJMyTRlb3eZ++5YjRyXZmabg4RQf1lBYfcdqmrIG5fMKoM9OWqQ7aRJb/KYtj/YymK0/Im3dFB7ioGkvSP0b2Q5sle0HJnnpFih0LQjX0x6HaGBYvlF5tyrdKtUVXM7fLevwW0h0bB2LOhzKbgqpaDn/yH0zGoGdHH3MA7C6s1Wdy2YqKxf6BVDNjzor0oOstdkkKT2IBpnqI56W5xJw4rms2H6umk4G3zqKI4IWKPzQ7tPqZpsI+9zeitELOiOuyLbTO//YxRlbQIDAQABo4HIMIHFMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP0c2czccqKP14DFa+NHeTni3ewfMIGFBgNVHSMEfjB8gBT9HNnM3HKij9eAxWvjR3k54t3sH6FOpEwwSjEVMBMGA1UECgwMQXZpIG5ldHdvcmtzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgghQkwJsUTZt3/qwKPPuBmvwAlczq+zAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEFBQADggEBAKQQt1Goo3zeyAtjWkfxW9A8o1ydzAqq7u779z9OsutbHsixy525Cs62Na/252CG39yk0Uy69ar+V9gBeBLaKNazw4JbaweFQgHlCVmT4lGEe1kmnsPwgP7nLq2SvkwTYqpcVq5KE+UfRpTixA/KJ61C6yV03UCM7/T9NZ1pw/oYaweuxbtOn7rXT/NTiPIm7owA4soegDBEXIZ20KuMAkGcdRAi5zoIqHsm7w/v/MT8DhTtZE2sH2mSegjUj8DOH5AcxdlNpp6VI2NApi+lTpEfrqnQoDKs3BPp6SwcIvNqmSZ+
                        R3eZkyGeJuCK4sxj2Od1plRpYihaRe32sNNjnwM=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID  <-- A standard attribute used in SAML assertions
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mittali@avinetworks.com
            </saml:NameID>
            <saml:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData 
                    NotOnOrAfter="2018-12-13T11:35:00Z" 
                    Recipient="http:/test-onelogin.auth.com/sso/acs/" 
                    InResponseTo="_B28D3D30B4D077D88FA2C7BF64CC0F8B"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions 
            NotBefore="2018-12-13T11:29:00Z" 
            NotOnOrAfter="2018-12-13T11:35:00Z">
            <saml:AudienceRestriction>
                <saml:Audience>jenkins-saml-vs</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement  <-- marks the beginning of authentication statement, which says the principal identified in the <saml:Subject> element was authenticated at "2018-12-13T11:31:59Z" by means of a password sent over a protected channel.
            AuthnInstant="2018-12-13T11:31:59Z" 
            SessionNotOnOrAfter="2018-12-14T11:32:00Z" 
            SessionIndex="_a16c6df0-e0f8-0136-f6b8-5b63382161ef">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>     <-- End of authentication statement
        <saml:AttributeStatement>  <-- Beginning of attribute statement
            <saml:Attribute 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                Name="User.email">
                <saml:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">mittali@avinetworks.com
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                Name="User.FirstName">
                <saml:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">Mittali
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                Name="PersonImmutableID">
                <saml:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string"/>
            </saml:Attribute>
            <saml:Attribute 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                Name="User.LastName">
                <saml:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">Chawla
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                Name="memberOf">
                <saml:AttributeValue 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string"/>
            </saml:Attribute>
        </saml:AttributeStatement>   <-- End of attribute statement
    </saml:Assertion>                <-- End of assertion
</samlp:Response>                    <-- End of SAML response