
I'm working on research about a new usage of SSO. Basically, I'm trying to find a way to intercept the SAML Request that is sent from the Service Provider to the Identity Provider with some kind of IdP proxy or 3rd-party service, which will hold the SAML Request and provide some additional functionality to users. The desired process could look like this:

  1. The user invokes a SAML request from the SP (clicks a Login button, for example)
  2. The user is redirected to the 3rd-party service, where there is, for example, a small survey (this is a theoretical example)
  3. After submitting the survey, the user is redirected to the IdP and should continue with the login

I have quite good experience with SimpleSAMLphp and configuring federation. But my attempts to find some useful information about this kind of interception have failed. I've added a super basic picture of the solution (please don't laugh :) ).

Does SAML support any kind of processing like this? I'm open to discussion. I was also thinking of intercepting the SAML after the user signs in on the IdP (to have a redirection from the IdP to the 3rd-party service proxy and then to the SP).

Thank you for your advice and your thoughts; hopefully it's not a totally stupid question.



EDIT: During my research I came across a technology/approach called IdP Proxy. Do you think that is feasible for my purpose? Basically, a SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs. More about it, for example, here.

Tom Hert

1 Answer

I don't think this is possible; it's simply beyond the protocol. The SP provides a service, the IdP is responsible for user authentication. There seems to be no place for a 3rd-party service between the two.

I guess you control (at least) either the SP or the IdP. Try to implement your survey (or whatever) at the provider you control.

As an alternative, you could try to implement your own IdP including a survey (or whatever) that uses the original IdP for authentication.

Mario Lenz
  • Yeah, but the problem, or let's say the idea, is that I control neither the SP nor the IdP. I know that I can improve the IdP or SP. But this is not the case I'm asking about. But thank you for your answer, I appreciate it. – Tom Hert Sep 25 '13 at 20:30
  • I'm not an expert on the topic, although I've spent some time troubleshooting SAML (vCenter SSO). But I think whatever you want to do is not possible. AFAIK SAML doesn't support 3rd-party services between SP and IdP adding additional functionality. – Mario Lenz Sep 25 '13 at 20:46
  • I was afraid of this situation. I know that SimpleSAMLphp implements something called Authentication Processing Filters, where you can basically do some additional action either on the SP or the IdP after the user is authenticated. But it's a different approach than I wanted to implement. – Tom Hert Sep 25 '13 at 20:48
  • BTW, I don't want to manipulate the SAML Request/Response. I want to take the Request/Response and hold it until the user, for example, finishes the survey. – Tom Hert Sep 25 '13 at 21:06
  • You wouldn't be able to manipulate the SAML response anyway. It's signed. Changing the response would render it invalid. If you don't control the SP or the IdP, I don't see how you could achieve your goal without some kind of "MITM attack". – Mario Lenz Sep 25 '13 at 21:37
  • I'm continuing my research. What about an IdP Proxy? https://groups.google.com/forum/#!searchin/simplesamlphp/proxy/simplesamlphp/VEhm_A_tcnE/ZJtyENfRI4IJ – Tom Hert Sep 26 '13 at 00:25
  • That's what I meant by "MITM attack". You could make the SP use the IdP proxy as its IdP. The proxy would use the original IdP as its authentication backend. You should be able to implement additional functionality like surveys in the proxy. However, from the point of view of the SP and the IdP there's no 3rd party. For the SP, there's just the IdP (the proxy). For the IdP, there's just the SP (the proxy). – Mario Lenz Sep 26 '13 at 18:29
  • I see :) So I didn't get the "MITM attack" :) I thought that you were referring to a real man-in-the-middle attack. But thank you for all your help here. I appreciate it. I will mark you as correct :) – Tom Hert Sep 26 '13 at 18:51
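The proxy arrangement described in the last comments, sketched as an added example (not code from the thread or from SimpleSAMLphp itself): the proxy's SP side is chained to the real IdP, its hosted IdP side is what the SP sees, and an authproc filter in a hypothetical "survey" module parks the authentication state and only resumes it after the survey is submitted. Hostnames, file names and the module name are constructed; the 1.x-style static utility classes are assumed.

```php
<?php
// Added example, not code from the thread. SimpleSAMLphp 1.x-style static
// utilities and a hypothetical "survey" module are assumed.
namespace SimpleSAML\Module\survey\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Auth\State;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;

/*
 * Proxy wiring (constructed values):
 *
 * config/authsources.php - the proxy's SP side, pointing at the real IdP:
 *   'proxy-sp' => [
 *       'saml:SP',
 *       'entityID' => 'https://proxy.example.org/sp',
 *       'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',
 *   ],
 *
 * metadata/saml20-idp-hosted.php - the proxy's IdP side, seen by the SP:
 *   $metadata['__DYNAMIC:1__'] = [
 *       'host'        => '__DEFAULT__',
 *       'privatekey'  => 'proxy.pem',   // the proxy signs with its own key,
 *       'certificate' => 'proxy.crt',   // so the SP must trust the proxy
 *       'auth'        => 'proxy-sp',    // authenticate via the upstream IdP
 *       'authproc'    => [60 => ['class' => 'survey:Survey']],
 *   ];
 */
class Survey extends ProcessingFilter
{
    // Runs after the upstream IdP authenticated the user and before the
    // proxy builds its own signed response for the SP.
    public function process(&$state)
    {
        if (!empty($state['survey:done'])) {
            return; // survey already answered, continue to the SP
        }
        // Park the whole auth state (including the pending SAML request)
        // server side and send the browser to the survey page.
        $id = State::saveState($state, 'survey:request');
        HTTP::redirectTrustedURL(
            Module::getModuleURL('survey/survey.php'),
            ['StateId' => $id]
        );
    }
}

// modules/survey/www/survey.php, run once the survey form is submitted:
//   $state = State::loadState($_REQUEST['StateId'], 'survey:request');
//   $state['survey:done'] = true;
//   \SimpleSAML\Auth\ProcessingChain::resumeProcessing($state);
```

Nothing in the original request or response is modified; the proxy issues its own response under its own key, which is why the SP has to be configured to trust the proxy rather than the original IdP.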