
I want to just check whether a user exists or not in Active Directory or LDAP connected to a SAML Identity Provider, without performing full SSO through the browser. Does a SAML IdP provide any API for user lookup without actually performing SSO?

MukulChakane
  • (In general!) For login purposes, checking whether a user exists is a security hole, as an outsider could thus easily check whether its competitor is also a client, and such. But in your case you are inside, on a server. You probably need to do your own LDAP access, and that LDAP must be accessible. LDAP is easy, and there are tools, e.g. JXplorer. – Joop Eggen Jul 09 '20 at 14:15
  • Yes, accessing LDAP and checking is fine, but we want to do it for the IdP, because the user may not expose the AD/LDAP behind the IdP. – MukulChakane Jul 09 '20 at 17:27

3 Answers


Is this what you are looking for? SAML Token Validator. After you have validated your token, you could just use your userService.findUserByXXX() method to check whether the user given in the SAML token exists.

Mafick
  • No, I want to verify only whether the user is still there in the authentication directory. To validate and expect the correct token, we may need to perform authentication every time after the token has expired, don't we? – MukulChakane Jul 08 '20 at 14:49

Actually there is no way to solve this with SAML. Authentication, which happens at the IdP, is actually out of scope of the SAML specification. In fact, the IdP need not perform the authentication itself, but could delegate it to some authentication authority.

Bernhard Thalmayr

If you're working with a single identity provider, you could do this using SAML as a conveyance tool that simply validates whether or not the user exists. There's nothing saying how partners decide to implement the standard between themselves. The IdP doesn't have to actually make the user log in, and the SP can use the data as they see fit, in accordance with the partnership. Let the lawyers sort that one out.

From a process perspective, I could see it working something like this...

As the service provider, you collect the account information from the user you wish to validate. You send an AuthnRequest with the identity your application captured as the subject to the IdP.

The IdP simply validates whether or not the account is in its repository as the "authentication process". (Wink wink.) If the account exists, the IdP sends a SamlResponse with the subject and status "success" back to the SP. If it doesn't, the subject and status "error" are sent back.

As the SP, you now know if the user exists (well, at least you know what the IdP claims), and you can do whatever it is you want to do with the information.

Heck, you could even bury... Sorry? What? Right, you could embed the redirect process in an iFrame, and show the user a lovely spinner, a funny cat gif... Or maybe just do a bar meter that says what it's doing, because you should be honest with your prospective user.

You know, while we're getting all wild and crazy, you might actually be better off just using a secure token service, WS-Trust. But you didn't ask about that. So just go research that, and then compare it to my suggestion and your use case and see what's the best choice for your requirements.

Sally forth and wrap a delightful new UX around a delightful workhorse of an identity protocol that leaves what happens with the implementation to all of us builders.

Andrew K.
  • Thanks. >> You know, while we're getting all wild and crazy, you might actually be better off just using a secure token service, WS-Trust. Do you want to talk more about WS-Trust? The criterion in my case is that I don't want to perform a redirection to the IdP through the browser; it just has to be a REST API call. – MukulChakane Jul 09 '20 at 04:17
  • @MukulChakane, you can do SAML "redirectless", by embedding all of the redirects in an iFrame. However, WS-Trust is intended to be a service to service transaction, where the SP asks the IdP directly for a set of claims. Either mechanism will work for you. Not much more to say but for you to go find out if WS-Trust is even an option. – Andrew K. Jul 09 '20 at 11:51
  • I should also add that WS-Trust is SOAP, not REST, but it's "closer" to your desire. If you want straight REST... Your "identity provider" will have to have the REST API. SAML doesn't provide that, nor does WS-Trust, nor does any other "identity standard" that I am aware of. It really boils down to whether or not the IdP has somehow REST-enabled their identity store. – Andrew K. Jul 09 '20 at 14:12
  • OK, thanks. That's helpful. So I have to ask the identity provider for a REST API. – MukulChakane Jul 09 '20 at 17:29
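The exchange Andrew K. sketches (SP sends an AuthnRequest naming the account in its Subject; the IdP answers with a Response whose Status says whether that account is in its store), written out as an added example that is not part of any answer above. It uses the real SAML 2.0 status URIs (Success, and Responder with the second-level UnknownPrincipal) rather than the informal "error" in the answer, and it runs the two sides in one process; the entity IDs, SSO URL and the user directory are constructed, hypothetical values. Two caveats a practitioner should keep in mind: the messages are unsigned here, so a real deployment must sign and verify them or the "answer" proves nothing about the IdP, and, as Joop Eggen's comment points out, such an endpoint is by construction a user-enumeration oracle and should only be reachable from the SP's own server side.

```python
"""Toy SAML 2.0 "does this user exist" exchange between an SP and an IdP.

Added illustration only: no XML signatures, no bindings, no browser.  A real
IdP signs the Response and a real SP verifies that signature before trusting
the Status; omitting that here is what keeps the example short."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the IdP's directory (hypothetical accounts).
IDP_DIRECTORY = {"alice@example.com", "bob@example.com"}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(sp_entity_id, idp_sso_url, name_id, name_id_format=NAMEID_EMAIL):
    """SP side: an AuthnRequest whose Subject names the account to check.
    Returns (request_id, xml); the SP must remember request_id to match the reply."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _now(),
        "Destination": idp_sso_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    return request_id, ET.tostring(req, encoding="utf-8")


def idp_handle_authn_request(request_xml, directory, idp_entity_id):
    """IdP side: the whole "authentication" is a lookup of the requested Subject.
    Unknown subjects get Responder + UnknownPrincipal, the codes SAML defines for that."""
    req = ET.fromstring(request_xml)
    name_id = req.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    exists = name_id is not None and name_id.text in directory
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": req.get("ID"),  # ties the answer to exactly one request
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                        {"Value": STATUS_SUCCESS if exists else STATUS_RESPONDER})
    if not exists:
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_UNKNOWN_PRINCIPAL})
    return ET.tostring(resp, encoding="utf-8")


def sp_read_response(response_xml, expected_request_id):
    """SP side: refuse a Response that does not answer the request we sent
    (unsolicited or replayed), then read the top-level status.
    Returns True if the IdP claims the subject exists, False if it says it does not."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not match the outstanding AuthnRequest")
    top = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        raise ValueError("Response carries no StatusCode")
    return top.get("Value") == STATUS_SUCCESS


def check_user_exists(name_id, directory=IDP_DIRECTORY):
    """Full round trip in-process; in reality the messages travel via the browser
    (or the iframe the answer suggests). Entity IDs and URL are hypothetical."""
    sp_id, idp_sso = "https://sp.example.net/metadata", "https://idp.example.org/sso"
    request_id, req_xml = build_authn_request(sp_id, idp_sso, name_id)
    resp_xml = idp_handle_authn_request(req_xml, directory, "https://idp.example.org/metadata")
    return sp_read_response(resp_xml, request_id)


if __name__ == "__main__":
    for user in ("alice@example.com", "mallory@example.com"):
        print(user, "exists" if check_user_exists(user) else "unknown")
```

The InResponseTo check in sp_read_response is the minimum an SP needs even in this stripped-down flow; without it any party able to post to the SP's endpoint could assert that an arbitrary account exists.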