In an SSO environment, although user accounts are maintained at the IdP, some Service Providers maintain their own database of active user accounts. If a user is deactivated at the IdP, what is the best way to pass that information to the respective SPs that still list that user as active in their database?
After going through SAML-profiles documentation, I found Name Identifier Management Profile where an IdP may inform an SP regarding the termination of a particular identifier/user.
Is this the right profile for the SP and IdP to implement (is it easy to implement?), or is there another simple way to achieve this? Any suggestions are highly appreciated.
Thanks,
Abhilash
The user tries to sign in with his Identity Provider credentials. Once IdP authentication succeeds, the Identity Provider (IdP) sends the Single Sign-On response back to the Service Provider. On receiving the SSO response, the user is granted access to log in and use the resource or application.
A service provider is a federation partner that provides services to the user. The Identity Provider authenticates the user and provides an authentication token (that is, information that verifies the authenticity of the user) to the service provider.
SP-initiated SSO could be initiated by a login button within the service provider or when the user tries to access a protected area. IdP-initiated SSO involves an authenticated user clicking a button in the Identity Provider (IdP) and being redirected to the service provider along with a SAML response and assertion.
In addition to being more convenient for users, implementing SSO often makes user logins more secure. For the most part, SSOs and IdPs are separate. An SSO service uses an IdP to check user identity, but it does not actually store user identity.
In most cases users are created in the local database on the SP side the moment the user logs in through the IdP for the first time. And as the user always has to authenticate through the IdP in order to access the SP, it is safe (from a security point of view) to keep users which were deactivated at the IdP as active on the SP side (as they won't be able to log in to the SP anyway).
One approach to keep the SP database clean is to automatically remove or deactivate users who haven't logged in for a certain amount of time. The user will then be re-created or re-activated the moment he is re-enabled on the IdP and tries to access the SP again.
Another approach is to create a custom synchronization process between IDP and SP (e.g. make a CSV dump from IDP and periodically import to SP).
The Name Identifier Management Profile with a "Terminate" request could be used for this purpose; with the synchronous binding it's just a web service SOAP call from the IdP to the SP. But most SP implementations don't support this profile, and most (if not all) IdPs would require some amount of customization to make the call at the right time.
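An SP-side handler for the Terminate form of that profile, as an added example that is not from the original answer. The request XML, the in-memory user store and the issuer URL are constructed; the SOAP envelope is omitted and XML-signature verification against the IdP's metadata is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample: the Terminate request an IdP would POST to the SP's
# ManageNameIDService endpoint (SOAP envelope and XML signature omitted;
# this handler assumes the signature was verified against IdP metadata first).
SAMPLE_TERMINATE = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-42" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1001</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""

def build_response(in_response_to, status_value):
    """Minimal ManageNameIDResponse carrying the status back to the IdP."""
    resp = ET.Element(f"{{{SAMLP}}}ManageNameIDResponse",
                      {"ID": "_resp-1", "Version": "2.0",
                       "IssueInstant": "2024-01-01T00:00:01Z",
                       "InResponseTo": in_response_to or ""})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_value})
    return ET.tostring(resp, encoding="unicode")

def handle_manage_nameid(xml_text, users, trusted_issuer):
    """SP side: deactivate the local account named by a Terminate request.
    users maps NameID -> {"active": bool, "sessions": set()} (hypothetical store).
    Returns (status URI, response XML)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        return STATUS_REQUESTER, build_response(None, STATUS_REQUESTER)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    terminate = root.find(f"{{{SAMLP}}}Terminate") is not None
    # Only honour requests from the IdP this SP federates with, and only
    # the Terminate form; the NewID (identifier change) form is out of scope here.
    if issuer != trusted_issuer or name_id is None or not terminate:
        return STATUS_REQUESTER, build_response(root.get("ID"), STATUS_REQUESTER)
    user = users.get(name_id)
    if user is not None:
        user["active"] = False        # stop the account being usable at the SP
        user["sessions"].clear()      # and drop any live sessions it still has
    # An unknown NameID is not an error: the profile only asks the SP to forget it.
    return STATUS_SUCCESS, build_response(root.get("ID"), STATUS_SUCCESS)
```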
SAML isn't really the right approach for this. I would recommend taking a look at the standard called SCIM (System for Cross-domain Identity Management), which is designed to handle exactly this type of user identity provisioning use case via a RESTful API. Here are a few resources to check out -
HTH - Ian