 

SSO: How to synchronize user accounts between service provider and Identity Provider?


In an SSO environment, though the user accounts are maintained at the IdP, some Service Providers do maintain a database of active user accounts. Now if a user is deactivated at the IdP, what is the best way to pass that information to the respective SPs who still have that user as an active user in their database?

After going through the SAML profiles documentation, I found the Name Identifier Management Profile, where an IdP may inform an SP regarding the termination of a particular identifier/user.

Is this the right profile for the SP and IdP to implement (is it easy to implement?), or is there another simple way to achieve this? Any suggestions are highly appreciated.

Thanks,

Abhilash

abhilash asked May 09 '14 14:05




2 Answers

In most cases users are created in the local database on the SP side the moment the user logs in through the IDP for the first time. And as the user always has to authenticate through the IDP in order to access the SP, it is safe (from a security point of view) to keep users who were de-activated at the IDP as active on the SP side (as they won't be able to log in to the SP anyway).

One approach to keep the SP database clean is to automatically remove or de-activate users who haven't logged in for a certain amount of time. The user will then be re-created or re-activated the moment he gets re-enabled on the IDP and tries to access the SP again.

Another approach is to create a custom synchronization process between the IDP and the SP (e.g. make a CSV dump from the IDP and periodically import it into the SP).

The Name Identifier Management Profile with a "Terminate" request could be used for this purpose; with a synchronous binding it's just a web service SOAP call from the IDP to the SP. But most SP implementations don't support this profile, and most (if not all) IDPs would require some amount of customization to make the call at the right time.

Vladimír Schäfer answered Oct 06 '22 06:10
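The two SP-side mechanisms this answer describes, shown together as an added example (not code from the answer or from any SAML library): a handler for a SAML 2.0 ManageNameIDRequest carrying `<samlp:Terminate/>` (the Name Identifier Management Profile) that marks the account inactive and drops its live SP sessions, plus the stale-account sweep and the re-activation on the next successful SSO login. It assumes the SAML stack has already verified the XML signature before handing the message here; the IdP entityID, user table, sessions and the sample request are constructed.

```python
# Added example, not code from the answer: SP-side handling of a SAML 2.0
# ManageNameIDRequest that carries <samlp:Terminate/>, plus the stale-account
# sweep and re-activation on login. Assumptions: the SAML stack has already
# verified the XML signature; the IdP entityID, users, sessions and the sample
# request below are constructed test data.
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
SUCCESS, REQUESTER, RESPONDER = STATUS + "Success", STATUS + "Requester", STATUS + "Responder"
VERSION_MISMATCH, UNKNOWN_PRINCIPAL = STATUS + "VersionMismatch", STATUS + "UnknownPrincipal"

TRUSTED_IDPS = {"https://idp.example.com/saml"}  # assumed SP configuration
UTC = dt.timezone.utc
NOW = dt.datetime(2014, 5, 9, tzinfo=UTC)  # sample clock for the sweep


def sample_users():
    """Constructed SP user table keyed by NameID; last_login drives the sweep."""
    return {
        "alice@example.com": {"active": True, "last_login": dt.datetime(2014, 5, 1, tzinfo=UTC)},
        "bob@example.com": {"active": True, "last_login": dt.datetime(2013, 1, 1, tzinfo=UTC)},
    }


def sample_sessions():
    """Constructed live SP sessions: session id -> NameID."""
    return {"s1": "bob@example.com", "s2": "alice@example.com", "s3": "bob@example.com"}


def deactivate(name_id, users, sessions):
    """Mark the account inactive and drop its live sessions: without the second
    step a user who is already logged in keeps access until the session expires."""
    users[name_id]["active"] = False
    for sid in [s for s, who in sessions.items() if who == name_id]:
        del sessions[sid]


def handle_manage_nameid(xml_text, users, sessions):
    """Process a ManageNameIDRequest and return (top-level status, second-level
    status or None) for the ManageNameIDResponse. Only the Terminate form is handled."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        return REQUESTER, None
    if root.get("Version") != "2.0":
        return VERSION_MISMATCH, None
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in TRUSTED_IDPS:
        # Honouring a Terminate from anyone else turns this endpoint into a
        # mass-deactivation button; the signature check must bind it to this issuer.
        return REQUESTER, None
    if root.find(f"{{{SAMLP}}}Terminate") is None:
        return RESPONDER, None  # NewID / NewEncryptedID renames are not handled here
    name_id_el = root.find(f"{{{SAML}}}NameID")
    if name_id_el is None or not (name_id_el.text or "").strip():
        return REQUESTER, None  # an EncryptedID would need decryption first
    name_id = name_id_el.text.strip()
    if name_id not in users:
        return REQUESTER, UNKNOWN_PRINCIPAL
    deactivate(name_id, users, sessions)  # idempotent: a repeated Terminate is still Success
    return SUCCESS, None


def deactivate_stale(users, sessions, now, max_idle=dt.timedelta(days=180)):
    """The answer's first approach: deactivate accounts idle longer than max_idle.
    Returns the NameIDs touched so the job can log them."""
    stale = sorted(n for n, u in users.items() if u["active"] and now - u["last_login"] > max_idle)
    for n in stale:
        deactivate(n, users, sessions)
    return stale


def on_successful_sso(name_id, users, now):
    """Re-create or re-activate the account once the IdP lets the user in again."""
    rec = users.setdefault(name_id, {"active": False, "last_login": now})
    rec["active"], rec["last_login"] = True, now
    return rec


# Constructed sample message; the ID and IssueInstant are made up.
SAMPLE_TERMINATE = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c3e7a5d9" Version="2.0" IssueInstant="2014-05-09T14:05:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.com</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""

if __name__ == "__main__":
    users, sessions = sample_users(), sample_sessions()
    print(handle_manage_nameid(SAMPLE_TERMINATE, users, sessions), users["bob@example.com"], sessions)
    print(deactivate_stale(sample_users(), sample_sessions(), NOW))
```

The issuer check is only meaningful because the signature verification upstream ties the message to that issuer's key; a Terminate endpoint that accepts unsigned messages lets anyone on the network lock users out of the SP.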


SAML isn't really the right approach for this. I would recommend taking a look at the standard called SCIM (System for Cross-domain Identity Management) which is designed to handle exactly this type of user identity provisioning use-case via a RESTful API. Here are a few resources to check out -

  • http://www.simplecloud.info/
  • https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
  • https://www.rfc-editor.org/rfc/rfc7644

HTH - Ian

Ian answered Oct 06 '22 04:10
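What the SCIM approach looks like on the receiving side, as an added example (not code from this answer or from any SCIM library): a framework-free SP handler for the two SCIM 2.0 (RFC 7644) calls an IdP issues when it deactivates or removes a user, `PATCH /Users/{id}` setting `active` to false and `DELETE /Users/{id}`. `scim_request()` takes what a web framework would hand it (method, path, headers, decoded JSON body) and returns an HTTP status and response body. The bearer token, the user record and the PATCH bodies are constructed; the PatchOp, User and Error schema URIs are the ones RFC 7644 defines.

```python
# Added example, not code from the answer: an SP-side SCIM 2.0 (RFC 7644)
# handler for the deprovisioning calls an IdP sends. Assumptions: the bearer
# token and the user store below are constructed; a real deployment would
# put this behind TLS in a web framework and back it with the SP database.
import hmac

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Assumed: a long random token issued to the IdP's provisioning engine out of band.
PROVISIONING_TOKEN = "c2f1e9b3-example-only-do-not-reuse"


def sample_users():
    """Constructed SP user store keyed by SCIM resource id."""
    return {"2819c223": {"schemas": [USER_SCHEMA], "id": "2819c223",
                         "userName": "bob@example.com", "active": True}}


def _error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _as_bool(value):
    """Some IdP provisioning engines send booleans as the strings "True"/"False"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("active must be a boolean")


def _apply_patch(user, body):
    if PATCH_OP not in body.get("schemas", []):
        return _error(400, "schemas must contain the PatchOp URI", "invalidSyntax")
    for op in body.get("Operations", []):
        kind, path, value = op.get("op", "").lower(), op.get("path"), op.get("value")
        # Two wire shapes: {"op":"replace","path":"active","value":false} and
        # {"op":"replace","value":{"active":false}} (no path, value is a partial resource).
        if kind == "replace" and path is None and isinstance(value, dict):
            attrs = value
        elif kind == "replace" and path is not None and path.lower() == "active":
            attrs = {"active": value}
        else:
            return _error(400, f"unsupported operation {op!r}", "invalidPath")
        for name, v in attrs.items():
            if name != "active":
                return _error(400, f"attribute {name} is not writable here", "mutability")
            try:
                user["active"] = _as_bool(v)
            except ValueError as e:
                return _error(400, str(e), "invalidValue")
    return 200, user


def scim_request(method, path, headers, body, users):
    auth = headers.get("Authorization", "")
    # An unauthenticated SCIM endpoint lets anyone deprovision users; compare the
    # token in constant time (encode first: compare_digest rejects non-ASCII str).
    if not (auth.startswith("Bearer ")
            and hmac.compare_digest(auth[7:].encode(), PROVISIONING_TOKEN.encode())):
        return _error(401, "invalid bearer token")
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "Users":
        return _error(404, "not found")
    user = users.get(parts[1])
    if user is None:
        return _error(404, f"Resource {parts[1]} not found")
    if method == "DELETE":
        del users[parts[1]]  # or keep the row inactive for audit; the IdP only sees the 204
        return 204, None
    if method == "PATCH":
        return _apply_patch(user, body or {})
    return _error(405, "method not allowed")


if __name__ == "__main__":
    store = sample_users()
    hdr = {"Authorization": "Bearer " + PROVISIONING_TOKEN}
    patch = {"schemas": [PATCH_OP], "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    print(scim_request("PATCH", "/Users/2819c223", hdr, patch, store))
    print(scim_request("DELETE", "/Users/2819c223", hdr, None, store), store)
```

Setting `active` to false should also invalidate the user's live SP sessions, exactly as a SAML Terminate would; the IdP's PATCH only tells the SP about the account, not about sessions the SP has already issued.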