saml

I'm aware of how SAML is used for single sign on (SSO). That is, redirection to IDP from SP and getting the user's identity from the SAML response/assertion. My question is - Does SAML 2.0 specification define how to pass username and password as part of a SAML request xml for authentication? Note that I'm not talking about single sign on and just want authentication of username/password. Thanks, The SAML standard supports passing a user identifier in the <saml:Subject> field of the <AuthnRequest> (i.e. the request for authentication). There is however no built in support for passing a

I'm relatively new to SAML and came across the OneLogin Python SAML library. I was able to get it up and running with my web app being the Service provider (SP) and OneLogin being the Identity Provider (Idp). I would like to be able to add support for other Identity Providers as well. However, I find that the python-saml library is using a settings.json to get the Idp information. I have looked at the following issues on their Github project but have been unable to get an actionable solution: [1] https://github.com/onelogin/python-saml/issues/64 [2] https://github.com/onelogin/python-saml

I am integrating a SAML Service Provider with MS AAD and I have found an issue with Single Logout. My Service Provider only supports logout binding "HTTP-POST". And it seems that AAD only supports logout binding "HTTP-Redirect". I think so based on the SAML metadata I got from AAD - this is the only SingleLogoutService element I can see: <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2" /> Is it really the only supported SLO binding or is it possible to switch other bindings

is the SAML protocol (Sing Sign ON) used soley for web apps and web services, or is it also used for standard applications? REVISED: I am looking for some windows (Standard Applications (not web based)) protocols for Single Sign On If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment. However, SAML can be used for desktop

I'm new to WCF web service. currently i'm working on a federated web service with federation binding(SAML) .I took help of MSDN examples on 'SAML Token Provider'.but the problem is that i'm not able to consume the service ,when i consume it, it throws " An unsecured or incorrectly secured fault was received from the other party" with inner exception as "An error occurred when processing the security tokens in the message." this is my web config file at server side <?xml version="1.0"?> <configuration> <system.web> <compilation debug="true" targetFramework="4.0"/> </system.web> <system

Recently I have started using claim-based authentication on an existing web application. Because the application makes use of jQuery & more notably, the AJAX functions, I have had to alter the handlers not to attempt to redirect the XmlHTTPRequests , and instead return a 403 status which is easier to handle. Here is the FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed event hanlder: protected void WSFederationAuthenticationModule_AuthorizationFailed(object sender, AuthorizationFailedEventArgs e) { //WSFederationAuthenticationModule sam =

As per SP initiated SSO flow, User tries to access SP. Since the user is unauthenticated, he is redirected to IDP where he enters his credentials, post successful login, IDP sets cookies in user's browser(under IDP's domain) and redirects the user back to SP with SAML response. Once SP verifies SAML response it creates it's own cookie/token and sets in user's browser under sp's domain. What should ideally happen in subsequent requests : Should SP rely only on it's own cookie to fetch user info Should SP validate user session with IDP in every request. If option 1 is advised, Is it ok from