Symantec Access Management


SAML Assertion plugin – Moving CA SSO protected applications to the Cloud 

Oct 27, 2017 11:30 AM


Summary

The customer's issue arose when they tried to move some applications, historically managed on premise, to the cloud.

The applications were managed inside a portal protected by CA SSO, and the authorization process is driven mainly by header variables provided by CA SSO. CA SSO retrieves these header variables from a dedicated authorization user store, which contains no credentials but only the user properties holding roles and groups.

CA SSO retrieves this information using the Identity Mapping feature.

The easiest approach the developers found for moving the applications to the cloud was:

  • Authentication is performed on premise, using CA SSO as the IdP
  • The applications are hosted in the cloud as the SP
  • The SAML token used for authentication should carry, as attributes, the same parameters previously passed as header variables
  • The applications read the attributes from the SAML assertion and manage the authorization process themselves

From the developers' point of view the flow is correct, but CA SSO does not support Identity Mapping on the IdP authentication side.

Logically the CA SSO approach is correct: the IdP's duty is to authenticate the users, NOT to fetch the authorization attributes.

Possible solutions

We analyzed different solutions for managing this issue:

  • Virtual directory - Implementing a virtual directory that reproduces the Identity Mapping feature and acts as a single LDAP server solves the problem by defining one user store for both authentication and authorization
  • Session store – Another option is to store the authorization attributes in the session store, populated by a preceding authorization process. Unfortunately, this requires a store that is accessible to all the Policy Servers and continuously in sync.
  • SAML Assertion plugin – Develop an assertion plugin class that adds SAML attributes retrieved from other stores.

The last approach was accepted. To provide a more standard interface, the authorization attributes should be retrieved by calling an external service over a REST/JSON interface, in our case published on the CA API Gateway.

(get the source and the binaries from: https://github-isl-01.ca.com/masfr02/addSAMLProperties )

Attachment: SAML Assertion plugin-en.docx (266 KB, 1 version, uploaded May 29, 2019)

Comments

Dec 22, 2017 05:26 AM

Joseph,

you are right. I already warned the customer about these points.

After the initial successful test, we planned to code a new version using connection pool and adding other features.

But the customer is not yet using the adapter in production, waiting for some specific SAML use cases.

So the new version's development was delayed and we do not have any ETA.

Thanks

Franco 

Dec 20, 2017 09:39 AM

This is a great start.

There are some concerns:

  • The connection between the Policy Server and the Web Service is not capable of SSL
  • The connection between the Policy Server and the Web Service requires no credentials
  • The connection between the Policy Server and the Web Service has no timeout. If there is a network issue or the web service is down, Policy Server threads will be tied up forever, thus bringing down the Policy Server.
  • How did these Attributes get added to the Web Service, I saw no code to populate these values
  • What if I have a user that needs attributes A, B and D when accessing resource-1; but needs attributes A, C, and E when accessing resource-2.
  • Performance:
    • Recreating an XML parser on every invocation is time consuming
    • Rereading the properties file on every invocation is time consuming
  • It does not handle Namespaces intelligently, assuming ns2 as a namespace prefix can cause issues
  • It does not support SAML 1.1
  • It does not allow for different attribute types
  • It does not allow for attributes with multi value elements 

CA recommends that this sample code not be used in production until some of the more glaring issues are addressed (above issues highlighted in bold).
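An added illustration, written for this page and not taken from the addSAMLProperties project or from CA, of how a plugin helper could address several of the concerns listed above (TLS, credentials, timeouts, namespace prefixes, multi-valued attributes) while retrieving attributes over REST/JSON as the post describes. The attribute-service URL, the Basic credentials and leaving JSON parsing to the caller are assumptions, and readAllBytes needs Java 9 or later.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Illustrative helper for an assertion plugin; not the addSAMLProperties project's own code. */
public final class SamlAttributeInjector {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    // Calls the assumed attribute service over TLS with Basic credentials and hard timeouts,
    // so a down or hung service fails fast instead of pinning a Policy Server thread forever.
    static String fetchAttributeJson(String httpsBaseUrl, String user, String creds) throws Exception {
        if (!httpsBaseUrl.startsWith("https://")) throw new IllegalArgumentException("TLS required");
        HttpURLConnection c = (HttpURLConnection) new URL(httpsBaseUrl + "?user="
                + URLEncoder.encode(user, "UTF-8")).openConnection();
        c.setConnectTimeout(2000); c.setReadTimeout(3000); // never wait indefinitely
        c.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8)));
        if (c.getResponseCode() != 200) throw new IllegalStateException("HTTP " + c.getResponseCode());
        return new String(c.getInputStream().readAllBytes(), StandardCharsets.UTF_8); // JSON, parsed by caller
    }

    // Finds and creates elements by namespace URI, so the prefix the generator emitted (saml, ns2 or
    // none) does not matter; a multi-valued attribute becomes one Attribute with repeated AttributeValues.
    static void addAttributes(Document doc, Map<String, List<String>> attrs) {
        Element assertion = (Element) Objects.requireNonNull(doc.getElementsByTagNameNS(SAML2, "Assertion").item(0), "no Assertion");
        String p = assertion.getPrefix() == null ? "" : assertion.getPrefix() + ":";
        Element stmt = doc.createElementNS(SAML2, p + "AttributeStatement");
        for (Map.Entry<String, List<String>> e : attrs.entrySet()) {
            Element attr = doc.createElementNS(SAML2, p + "Attribute");
            attr.setAttribute("Name", e.getKey());
            attr.setAttribute("NameFormat", BASIC);
            for (String v : e.getValue()) {
                Element val = doc.createElementNS(SAML2, p + "AttributeValue");
                val.setTextContent(v);
                attr.appendChild(val);
            }
            stmt.appendChild(attr);
        }
        assertion.appendChild(stmt);
    }
}
```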
