- The following illustrates the processing by AuthHub when SSO is triggered by a SAML application:
* IdP-initiated URL, with the SSP session cookie present in the browser:
https://<SSP_HOST>/default/saml/v1/idp/login?entityId=<Entity_ID>
* IDP login - After basic validation of the request data, AuthHub redirects to the default sign-in UI, or to the custom flowurl configured in the application, even though a valid session cookie exists.
The default sign-in UI calls /auth/v1/authenticate. This call is required to evaluate whether the current session (from the cookie) is sufficient or whether additional authentication is required
(a different set of obligations could be configured for the SAML app, apart from the existing session AMR).
For instance, if the initial session was created with only the PWD AMR and the SAML app is also configured only for the PWD obligation, then the /auth/v1/authenticate call returns the response below:
{
  "flowState": "<<fs>>",
  "userName": "nbruce",
  "nextaction": "AUTH_ALLOWED",
  "data": {
    "status": "OK",
    "message": "Reauthentication is not requried as no new factor found "
  },
  "authCompleteUrl": "https://<SSP_HOST>/default/oauth2/v1/authcomplete?x-flow-state=TTF5eTJwTHNLQ3RUblJWN1UxWUdDTDI1RGdDdzZicnlNdUxBUDBzREpXVDQwem9HMHZKMThvWUZSZVRySmhGWEt4TUlqWU00VGszbVZONVFxZC9EYVVmSTVyRGtSSFpITDkwbXB1Tkc0ZFhldE9vbGxhY043bTJjRG8zeVRvb3BLVHJVQUxuQXNFUDY1SEdHQy9sVFJVK0hwU0N5ZVhSdHgxRVdOTW8wbGlrMlUwSTFzVUlYem8reDR5MFcyWVJmaFdqcXdXajZXVHJUaUZzZUN5MkV5Zz09&X-CLIENT-TRANSACTION-ID=dfacf1c9-cef9-47fa-a1d5-4aebb980d306",
  "additional": {
    "userName": "nbruce",
    "idpName": "internal",
    "idpGuid": "internal",
    "idpType": "internal",
    "passwordResetURL": "",
    "authLevelsData": {},
    "currentFactorLevel": 1,
    "amrForCompletedFactors": ["PWD"],
    "signinExpMins": 60
  }
}
* The out-of-the-box sign-in UI reads authCompleteUrl because nextaction is "AUTH_ALLOWED", and redirects to the value of the authCompleteUrl attribute in the response, which is /oauth2/v1/authcomplete.
/oauth2/v1/authcomplete (with its query parameters) -> generates the SAML assertion and POSTs it to the SAML Assertion Consumer URL configured in the SAML app.
- If a custom sign-in UI is to be used instead, ensure the following are satisfied:
1. The SAML app must be created with the custom flowurl, which redirects to the custom login page.
2. The custom sign-in UI must perform the authenticate (begin flow) call without the subject in the body, as follows:
{
  "action": "authenticate",
  "ipAddress": "1.1.1.2",
  "channel": "web",
  "acrValues": []
}
When the sspsession cookie is submitted with this call, the response will have "nextaction": "AUTH_ALLOWED" once validation of the session completes successfully.
3. The custom sign-in UI must be enhanced to read authCompleteUrl when nextaction is "AUTH_ALLOWED" and redirect to the value of the authCompleteUrl attribute in the response.
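The three custom sign-in UI steps above, as an added JavaScript example (not AuthHub's or the SSP's own code): it sends the subject-less begin-flow body with the browser cookie, and only redirects to authCompleteUrl when nextaction is AUTH_ALLOWED and the URL points at the SSP authcomplete endpoint. The SSP host, the function names and the "step" return shape are assumptions made for this example.

```javascript
// Added example, not part of the AuthHub documentation.
// Assumed (not from the page): the SSP host below and a browser/Node 18+ fetch.
const SSP_HOST = "ssp.example.test"; // constructed placeholder for <SSP_HOST>

// Step 2: authenticate (begin flow) body with no subject, as the page shows.
function buildBeginFlowBody(ipAddress) {
  return { action: "authenticate", ipAddress, channel: "web", acrValues: [] };
}

// Step 3: decide what the UI does with an /auth/v1/authenticate response.
// Redirects only when the session was accepted (AUTH_ALLOWED) and the
// authCompleteUrl taken from the response stays on the expected SSP host
// and path, so a malformed or foreign redirect target is never followed.
function decideNextStep(resp, expectedHost = SSP_HOST) {
  if (resp.nextaction !== "AUTH_ALLOWED") {
    // Session not sufficient: the UI continues the flow with this flowState.
    return { step: "continue", flowState: resp.flowState, nextaction: resp.nextaction };
  }
  if (typeof resp.authCompleteUrl !== "string") {
    return { step: "error", reason: "AUTH_ALLOWED without authCompleteUrl" };
  }
  let target;
  try {
    target = new URL(resp.authCompleteUrl);
  } catch {
    return { step: "error", reason: "authCompleteUrl is not an absolute URL" };
  }
  const onSsp = target.protocol === "https:" && target.host === expectedHost;
  if (!onSsp || !target.pathname.endsWith("/oauth2/v1/authcomplete")) {
    return { step: "error", reason: "authCompleteUrl is not the SSP authcomplete endpoint" };
  }
  return { step: "redirect", url: target.href };
}

// Browser side: credentials "include" sends the sspsession cookie so the
// SSP can evaluate the existing session against the SAML app's obligations.
async function beginFlow(ipAddress) {
  const r = await fetch(`https://${SSP_HOST}/auth/v1/authenticate`, {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildBeginFlowBody(ipAddress)),
  });
  const decision = decideNextStep(await r.json());
  if (decision.step === "redirect") window.location.assign(decision.url);
  return decision;
}
```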