We want to implement SAML2 in Ory/kratos

[ThibHrrd]

Hello everyone! With my team, we want to implement SAML2 on Ory Kratos.

Our idea :

Our idea would be to implement the SAML2 protocol in Kratos. We would like Kratos to act as a Service Provider that could be connected to an external IDP.

Our solution :

This library looks very interesting : https://github.com/crewjam/saml

In our case, we would have to transform Kratos into a SP by adding all the necessary endpoints and associated handlers :

• POST AssertionConsumerService: Receives SAML assertion, processes them, and check signature.
• GET Metadata : Return the SP's metadata

The crewjam SAML library in Go will handle these routes.

In this library, routes that needs to be protected call RequireAccount. A request seems to be sent to the IDP every time you want to access a protected page

Is it actually needed ? As long as a session is active and valid with the SP, it is not necessarily needed to check every time the session with the IdP as well (IdP is an Identity Provider, access limitation is left to the SP).

• It could be needed if you want high security : when a session with the IdP is not valid anymore (eg. account disabled), we can ensure that the session on SP will not allow access by checking the session with the IdP as well. This problem is explained in this stack-overflow question

Basically, both options are valid

• Option 1 is less secure (but still acceptable), but more performant
• Option 2 is more secure (instant access revocation), but is less performant (checking the session with the IdP every time)

As this is to be implemented in an open source project, the ideal would be to give both options to users.

With Kratos, the protection is ensured by the /session/whoami route. The handler for this route in Kratos is here. The objective would be to standardize these two methods.

Bindings :

IdP commonly support 2 ways of exchanging data :

• HTTP-REDIRECT binding : data is sent to the IdP in the URL
• HTTP-POST binding : data is sent as form data

It should be possible in kratos to configure which way to use to talk with an IdP.

Possible parameters

• Degree of security of IdP session (check everytime or not)
• Which binding to use with the IdP
• Routes to IdP SAML

Conclusion :

This is where we are in our research at the moment. This is just a start but we would like your opinion!

Thanks

[aeneasr]

Does SP mean "SAML Provider"? So do you want Ory Kratos to be a SAML provider or a consumer? :) From the post it sounds like a SAML provider?

[ThibHrrd]

Yep, as SP, Kratos must send some AuthnRequest to the IDP to request authentication.

[aeneasr]

Ok, so it is consuming SAML, not providing SAML. I think I'm getting closer. So basically like the current social sign in but using SAML?

[ThibHrrd]

I've never heard of this notion of consuming/providing sorry :/
But basically, the SAML module will need to be able to create SAML requests to send to the IDP to request authentication. But it will also have to be able to receive and process the SAML Assertion sent by the IDP (in response to the AuthnRequest).

[aeneasr]

Ok, that makes sense! I wanted to understand this because it could have been possible that you meant that Ory Kratos becomes the SAML IDP. But I think that would be out of scope of Ory Kratos, so I wanted to make sure :)

This sounds like a good idea! I think we need to get it into a design document format and then this can be implemented!

[ThibHrrd]

Yes indeed, we had also thought of using Kratos as an Identity Provider but we want users to be able to plug in their own IDP like Active Directory for example.

Thanks for your feedback. We will work on the document during the week I think !

[ThibHrrd]

#1928