I have seen some of the people who use SSO mechanisms (SAML2 SSO, OpenID, OpenID Connect) raise this question in several places: can the service provider collect the end user's credentials itself and pass them to the IDP? The answer is "Yes", it can be done. The simple way is that the service provider presents a login page to the end user (or retrieves the end user's credentials some other way) and then sends the credentials to the IDP along with the login request.
But when it comes to the end user experience, I think we are cheating the end user. We present the login page in the service provider and ask for the credentials. The user then thinks the credentials are given to the SP, but they are not; they have been given to the IDP.
However, let's see how this can be achieved with WSO2IS, which is an open source identity management server.
Request Path Authenticators in WSO2IS
In WSO2IS, Request Path Authenticators are a type of local authenticator meant to authenticate requests that already contain the user's credentials. By default, this is handled in the following two ways.
- User Credentials in “sectoken” parameter
- User Credentials in Authorization Header
The service provider can send the end user's credentials in the login request in either of the above two ways. The user credentials are separated by a colon (:) and Base64 encoded, then sent using one of the above methods.
Please note: when sending the user credentials from the client application to the WSO2 Identity Server, it is recommended to use
- SSL
- POST for the parameters instead of GET. When the parameters are sent in a GET request, the URL contains the encoded credentials, which can end up in the access log files of the Identity Server or of some other proxy server.
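The following is an added example, not code from the original post or from WSO2IS, showing how a service provider builds the two credential carriers described above (the Authorization header and the sectoken parameter), how the receiving side should split the decoded value, and why the GET form is a problem: the credential token lands in the request URL. All names (encode_credentials, build_login_request, the idp.example URL) are assumptions for this illustration.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import urlencode


def encode_credentials(username: str, password: str) -> str:
    """Base64-encode 'username:password', the format the request path authenticators expect.

    The colon is the separator, so a username containing ':' would be ambiguous; reject it.
    """
    if ":" in username:
        raise ValueError("username must not contain ':' (it is the field separator)")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Carrier 1: credentials in the Authorization header."""
    return {"Authorization": "Basic " + encode_credentials(username, password)}


def sectoken_param(username: str, password: str) -> Dict[str, str]:
    """Carrier 2: credentials in the 'sectoken' request parameter."""
    return {"sectoken": encode_credentials(username, password)}


def decode_credentials(token: str) -> Tuple[str, str]:
    """Receiving side: split on the FIRST colon so a password containing ':' survives intact."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep or not username:
        raise ValueError("malformed credential token")
    return username, password


def build_login_request(idp_url: str, params: Dict[str, str], method: str) -> Tuple[str, str]:
    """Return (url, body) for the login request.

    With GET the parameters, sectoken included, become part of the URL and therefore of
    any access log that records request lines; with POST they stay in the body.
    """
    if method.upper() == "GET":
        return f"{idp_url}?{urlencode(params)}", ""
    if method.upper() == "POST":
        return idp_url, urlencode(params)
    raise ValueError("method must be GET or POST")


def credentials_exposed_in_url(idp_url: str, params: Dict[str, str], method: str) -> bool:
    """True when the encoded credential token is visible in the request URL."""
    url, _ = build_login_request(idp_url, params, method)
    return params.get("sectoken", "") in url if "sectoken" in params else False


if __name__ == "__main__":
    # Constructed sample values; idp.example is a placeholder, not a real endpoint.
    params = sectoken_param("alice", "s3cr3t")
    print(basic_auth_header("alice", "s3cr3t"))
    print(build_login_request("https://idp.example/samlsso", params, "GET"))
    print(build_login_request("https://idp.example/samlsso", params, "POST"))
```

Run it as a script to see the GET URL carrying the token next to the POST form that keeps it in the body; that difference is exactly what the access-log caveat above is about.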
Try-out
Let's try the request path authenticator with the SAML2 SSO flow. You can find more details on configuring the Identity Server as a SAML2 SSO IDP here; I assume you have already gone through it. Then,
Step 1. In the Local & Outbound Authentication configuration, add the Request Path Authentication configuration as basic-auth.
Step 2. We need to modify the sample SSO application to send the end user's credentials. In the sample application, once the user's credentials are entered, they must be sent to the Identity Server in either of the following ways.
1. In the Authorization header
Authorization: Basic <base64_encode(username:password)>
Important note: this may not work properly with SAML2 SSO, because the flow is a browser redirection and the HTTP header cannot be sent with it.
2. In the sectoken parameter
sectoken=<base64_encode(username:password)>
As mentioned above, the SP needs to send the SAML2 AuthnRequest using the SAML2 SSO POST binding, NOT the redirect binding. You can find the modified war file for the updated sample application here. This sample uses the sectoken parameter.
Once you enter the credentials into the sample application, you will not see the IDP login page.
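As an added example that is not the modified sample application from the post nor WSO2IS code, here is how a service provider can carry the sectoken parameter inside a SAML2 HTTP-POST binding request: the AuthnRequest goes Base64 encoded in the SAMLRequest field, the credentials go in a sectoken field of the same form, and nothing is appended to the IDP URL. The AuthnRequest is a minimal unsigned one constructed for illustration, and the idp.example and sp.example URLs are placeholders.

```python
import base64
import html
import uuid
from datetime import datetime, timezone
from typing import Dict, Optional


def build_authn_request(issuer: str, acs_url: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Minimal unsigned SAML2 AuthnRequest asking for an HTTP-POST response (constructed)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url, quote=True)}">'
        f'<saml:Issuer>{html.escape(issuer)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def post_binding_fields(authn_request_xml: str, username: str, password: str,
                        relay_state: Optional[str] = None) -> Dict[str, str]:
    """Form fields for the POST binding. HTTP-POST uses plain Base64 (no deflate, unlike
    the redirect binding), and the sectoken rides along as one more hidden field."""
    fields = {
        "SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii"),
        "sectoken": base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii"),
    }
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_field(value: str) -> str:
    """Reverse the Base64 applied by post_binding_fields (used for checking the form)."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def render_post_form(action_url: str, fields: Dict[str, str]) -> str:
    """Self-submitting HTML form, every value attribute-escaped so field contents
    cannot break out of the markup."""
    if "?" in action_url:
        raise ValueError("do not put parameters in the IDP URL; they belong in the form body")
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for n, v in fields.items()
    )
    return (
        f'<form method="post" action="{html.escape(action_url, quote=True)}">'
        f'{inputs}<noscript><button type="submit">Continue</button></noscript></form>'
        '<script>document.forms[0].submit();</script>'
    )


if __name__ == "__main__":
    # Constructed sample values; the real endpoints come from your own deployment.
    xml = build_authn_request("https://sp.example/saml", "https://sp.example/acs")
    fields = post_binding_fields(xml, "alice", "s3cr3t", relay_state="/home")
    print(render_post_form("https://idp.example/samlsso", fields))
```

Serving this form to the browser after the SP's own login page is what makes the IDP login page disappear: the request path authenticator finds the sectoken in the POSTed body and authenticates the user before any login form would be rendered.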
Thanks for reading…!!!