The OAuth2 SAML bearer spec describes how an application can present an assertion to a token endpoint as an authorization grant. For example, Salesforce's API allows this approach to enable apps to autonomously request access tokens for a user account (as long as the user has already given permission for this, out-of-band).
I'm having trouble making sense of what the assertion means, though. Most of it is clear enough, e.g.
Issuer
is the party that generated (and signed) the assertionSubject
is the user for whose account an access token is being requestedAudienceRestriction
limits the audience to the token endpoint.But I'm having trouble understanding the meaning of:
AuthnStatement
-- My understanding from the SAML spec is that the issuer of this assertion is making the statement that it (the issuer) has authenticated the subject. Is this right?
SubjectConfirmation
-- who is confirming what here? The SAML spec helpfully states that this element "Information that allows the subject to be confirmed". But what is confirmation? And who performs it, and how, and when, and for what purpose?
SAML Assertions or “SAML tokens” contain the user identification information (which can be trusted because it is signed), while with OAuth the Resource Server needs to make additional round trip in order to authenticate the Client with the Authorisation Server. What if you can’t choose between SAML authentication and OAuth?
What is an OAuth 2.0 Grant Type? In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. OAuth 2.0 defines several grant types, including the authorization code flow. OAuth 2.0 extensions can also define new grant types.
In this scenario, the SAML Assertion can be used as an OAuth Bearer Token to access the protected resource. In addition, if the lack of authorisation is the only thing holding back on your OAuth implementation, be sure to check out OpenID and OpenID Connect , open standards that builds upon OAuth in order to provide just that.
- Auth0 What is OAuth 2.0? OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
AuthnStatement
element describes the act of authentication at the identity provider.
If the Assertion issuer authenticated the subject, the Assertion SHOULD contain a single representing that authentication event.
Example:
<AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z">
<AuthnContext>
<AuthnContextClassRef>
<!--Authentication method, was the client authenticated with digital cert, password, kerberos token?-->
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
<!--For example, the Password class is applicable when a principal authenticates to an authentication authority through the presentation of a password over an unprotected HTTP session. -->
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
SubjectConfirmation
element allows the authorization server to confirm it as a Bearer Assertion. Such element MUST have a Method attribute with a value of "urn:oasis:names:tc:SAML:2.0:cm:bearer".
The SubjectConfirmation element MUST contain a SubjectConfirmationData element (With exceptions) indicating the token endpoint URL of the authorization server. The authorization server MUST verify that the value of the Recipient attribute matches the token endpoint URL to which the Assertion was delivered.
Example:
<saml:SubjectConfirmation
<!-- Mandatory -->
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
<!-- The AuthRequest sent this ID -->
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
<!-- It was through HTTP POST token endpoint URL -->
Recipient="https://sp.example.com/SAML2/SSO/POST"
<!-- Not valid ON or After this Date and Time -->
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With