Tech With Htunn
  • Blog Content
  • DevSecOps
    • understanding devsecops
    • shift left in devsecops
    • what is the different between SAST and DAST in devsecops?
    • what is software composition analysis (SCA)?
    • what is Software Bill of Materials (SBOM)?
    • dependency scanning in devsecops
    • what is continuous integration in devops?
    • what is continuous delivery and deployment in devops?
    • understanding containerization
    • container scanning in devsecops
  • Data Engineering
    • what is data engineering?
    • Medallion Architecture in Data Engineering
    • understanding DataOps?
    • Difference between ETL and ELT pipeline in Data Engineering
  • IAM
    • what is Identity and Access Management?
    • understanding microsoft graph api
    • what is SCIM in IAM?
    • Different between sp and idp initiated flow in saml?
    • what is the difference between OAuth-2.0 and OIDC?
    • Understanding PKCE in OAuth-2.0?
    • what is SCIM Streaming?
    • what is the meaning of Identity broker?
  • Cloud Architect
    • what is cloud archiect?
    • Understanding even-driven architecture?
    • what is cloud native architecture?
    • what is cloud native application?
    • Understanding web application firewall?
  • SRE
    • what is SRE?
    • Meaning of toil in SRE?
    • what is error budget in SRE?
    • Difference between SLA, SLO and SLI in SRE
    • Understanding MTTR in SRE?
Powered by GitBook
On this page
  1. IAM

Different between sp and idp initiated flow in saml?

Let’s break down the differences between SP-initiated and IdP-initiated SAML flows, and then I’ll provide an example with Keycloak as the IdP and a Node.js app as the Service Provider (SP).

SP-Initiated SAML Flow

In an SP-initiated flow, the user starts at the Service Provider (SP). Here’s how it works:

  1. User Accesses SP: The user tries to access a resource on the SP (e.g., your Node.js app).

  2. SP Redirects to IdP: The SP generates a SAML authentication request and redirects the user to the Identity Provider (IdP) (Keycloak).

  3. User Authenticates: The user logs in at the IdP.

  4. IdP Sends SAML Response: Upon successful authentication, the IdP generates a SAML response containing the user’s identity information and redirects the user back to the SP.

  5. SP Grants Access: The SP processes the SAML response, verifies the user’s identity, and grants access to the requested resource.

IdP-Initiated SAML Flow

In an IdP-initiated flow, the user starts at the Identity Provider (IdP). Here’s how it works:

  1. User Logs into IdP: The user logs into the IdP (Keycloak) directly.

  2. User Selects SP: From the IdP’s dashboard, the user selects the SP (e.g., your Node.js app).

  3. IdP Sends SAML Response: The IdP generates a SAML response and redirects the user to the SP.

  4. SP Grants Access: The SP processes the SAML response, verifies the user’s identity, and grants access to the requested resource.

Example with Keycloak and Node.js

SP-Initiated Flow Sequence Diagram

Below is a sequence diagram for an SP-initiated SAML flow using Keycloak as the IdP and a Node.js app as the SP:

In this flow:

  1. The user tries to access a resource on the Node.js app.

  2. The Node.js app redirects the user to Keycloak with a SAML request.

  3. Keycloak presents an authentication page to the user.

  4. The user submits their credentials to Keycloak.

  5. Keycloak sends a SAML response back to the user.

  6. The user’s browser forwards the SAML response to the Node.js app.

  7. The Node.js app processes the SAML response and grants access to the user.

Let’s dive deeper into the implementation details for an SP-initiated SAML flow with a Node.js app as the Service Provider (SP) and Keycloak as the Identity Provider (IdP).

Setting Up Keycloak

  1. Install Keycloak: Download and install Keycloak from the official website.

  2. Create a Realm: In the Keycloak admin console, create a new realm.

  3. Create a Client: Within the realm, create a new client for your Node.js app. Set the client protocol to saml.

  4. Configure Client: Set the client settings, including:

    • Client ID: A unique identifier for your Node.js app.

    • Client Protocol: saml.

    • Root URL: The base URL of your Node.js app.

    • Valid Redirect URIs: The URL(s) to which Keycloak can redirect after authentication.

    • IDP Initiated SSO URL Name: A unique identifier for IdP-initiated login.

Setting Up Node.js App

  1. Install Dependencies: Use npm to install necessary packages like passport-saml and express.

    npm install express passport passport-saml body-parser

  2. Configure Passport: Set up Passport with the SAML strategy.

    JavaScript

    const express = require('express');
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;
const bodyParser = require('body-parser');

const app = express();

passport.use(new SamlStrategy(
  {
    path: '/login/callback',
    entryPoint: 'https://<keycloak-server>/auth/realms/<realm>/protocol/saml',
    issuer: '<client-id>',
    cert: '<keycloak-certificate>'
  },
  function(profile, done) {
    return done(null, profile);
  }
));

passport.serializeUser((user, done) => {
  done(null, user);
});

passport.deserializeUser((user, done) => {
  done(null, user);
});

app.use(bodyParser.urlencoded({ extended: false }));
app.use(passport.initialize());
app.use(passport.session());

app.get('/login',
  passport.authenticate('saml', {
    successRedirect: '/',
    failureRedirect: '/login'
  })
);

app.post('/login/callback',
  passport.authenticate('saml', {
    failureRedirect: '/login',
    failureFlash: true
  }),
  (req, res) => {
    res.redirect('/');
  }
);

app.get('/', (req, res) => {
  res.send('Hello, ' + req.user.nameID);
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});

  3. Configure Metadata: Ensure your Node.js app’s SAML metadata is correctly configured in Keycloak. You can usually download the metadata XML from your Node.js app and upload it to Keycloak.

Sequence Diagram for SP-Initiated SAML Flow

Here’s the sequence diagram again for reference:

Detailed Flow Steps

  1. User Accesses Resource: The user tries to access a protected resource on the Node.js app.

  2. SP Redirects to IdP: The Node.js app (SP) redirects the user to Keycloak (IdP) with a SAML authentication request.

  3. User Authenticates: Keycloak presents a login page to the user. The user enters their credentials.

  4. IdP Sends SAML Response: Upon successful authentication, Keycloak generates a SAML response and redirects the user back to the Node.js app.

  5. SP Processes SAML Response: The Node.js app processes the SAML response, verifies the user’s identity, and establishes a session.

  6. User Accesses Resource: The user is granted access to the requested resource.

This setup ensures that your Node.js app can securely authenticate users via Keycloak using SAML.

Previouswhat is SCIM in IAM?Nextwhat is the difference between OAuth-2.0 and OIDC?

Last updated 4 months ago