
In an SSO environment, though the user accounts are maintained at the IdP, some Service Providers do maintain a database of active user accounts. Now if a user is deactivated at the IdP, what is the best way to pass that information to the respective SPs that still have that user as an active user in their database?

After going through the SAML profiles documentation, I found the Name Identifier Management Profile, where an IdP may inform an SP regarding the termination of a particular identifier/user.

Is this the right profile which the SP and IdP should be implementing (is it easy to implement?) or is there any other simple way to achieve this? Any suggestions are highly appreciated.

Thanks,

Abhilash

abhilash

2 Answers


In most cases users are created in local databases on the SP side the moment the user logs in through the IDP for the first time. And as the user always has to authenticate through the IDP in order to access the SP, it is safe (from a security point of view) to keep users who were de-activated at the IDP as active on the SP side (as they won't be able to log in to the SP anyway).

One approach to keep the SP database clean is to automatically remove or de-activate users who haven't logged in for a certain amount of time. The user will then be re-created or re-activated the moment he gets re-enabled on the IDP and tries to access the SP again.

Another approach is to create a custom synchronization process between the IDP and the SP (e.g. make a CSV dump from the IDP and periodically import it into the SP).

The Name Identifier Management Profile with the "Terminate" request could be used for this purpose; with the synchronous binding it's just a web service SOAP call from the IDP to the SP. But most SP implementations don't support this profile, and most (if not all) IDPs would require some amount of customization to make the call at the right time.

Vladimír Schäfer
  • In my scenario, I've configured the SP using Spring's SAML framework (kudos to you, awesome stuff!). In my application, the active-users tab shows all the currently active users present in the SP database. It may happen that when a user is deactivated at the IdP, though he can't enter the SP (which is safe from a security point of view), that user is still shown as an active user, which thus gives a wrong picture to our client. It seems like my SP doesn't support the Name Identifier Management profile; could you suggest what is the best alternative to tackle this problem? Thanks. – abhilash May 09 '14 at 16:39
  • Yes, I now understand your motivation for this use-case, but the solutions I can think of are still the ones mentioned in the answer - custom synchronization, custom calls from IDP toward SP (to some API) or NameID profile. Does your IDP support the Name Identifier Management profile and is it able to send the Terminate message? If so, and in case you'd like to enhance Spring SAML to support this use-case, feel free to get in touch (vladimir@v7security.com) – Vladimír Schäfer May 09 '14 at 19:30
  • Currently, I've configured only my SP, and our clients can have any IdP implemented at their end (may sound strange!). So I'm trying to figure out a way which is more or less IdP independent. Maybe I have to think of something outside this SAML & SSO world? One such idea: sending REST calls (which will be the IdP admin's responsibility) to the SP using simple HTTP methods (say, HTTP DELETE to delete a user with some username). I don't know whether this is a good or safe approach. Any suggestions? – abhilash May 09 '14 at 21:22
  • Every SAMLv2 compliant SP/IdP has to implement Name Identifier Management Protocol as it's used for Federation Termination. – Bernhard Thalmayr May 11 '14 at 19:01
  • @BernhardThalmayr The Name ID protocol is not supported by implementations with IdP Lite and SP Lite conformance (which are still officially SAMLv2 compliant), and there are quite many; see https://kantarainitiative.org/programs/iop-saml/ – Vladimír Schäfer May 11 '14 at 19:22
  • 1
    @abhilash Using a custom API is definitely a possible way to go, as mentioned in the previous comment, but you will likely find most of your customers reluctant to support such solution, as they would have to modify their IDPs. In your place I would add Name ID Management profile to your SP implementation and instruct IDPs to use that, if they can, and if they can't they may have to accept a possibility of seeing inactive users as active on the SP side. – Vladimír Schäfer May 11 '14 at 19:26
  • @vschafer Yeah, it looks like that is the best way to go. I would definitely like to know more about its implementation procedure. I will write a mail regarding this to you. Thanks a lot for your help. – abhilash May 12 '14 at 09:04
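The three mechanisms the answer lists (just-in-time provisioning on first login, a "Terminate" ManageNameIDRequest from the IdP, and an idle-account sweep as the fallback) fit together in one small SP-side user store. The following is an added example, not code from the thread and not part of Spring SAML: it parses a SAML 2.0 ManageNameIDRequest with the stdlib parser, accepts `<Terminate/>` only from an issuer the SP federates with, and answers with a ManageNameIDResponse carrying the proper top-level and second-level status codes. The IdP entityID, the NameID value and the request XML are constructed for the example; the SOAP envelope is assumed to be stripped already, and the XML signature or mutual-TLS check that a real SP must do before trusting any field of the message is assumed to have happened upstream (a production SP would also parse with defusedxml).

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
IDP = "https://idp.example.org/saml"  # constructed entityID of the one trusted IdP


@dataclass
class LocalUser:
    issuer: str        # entityID of the IdP that asserted this user
    name_id: str       # NameID value; only meaningful in that issuer's scope
    active: bool
    last_login: datetime


class SpUserStore:
    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self.users = {}  # (issuer, name_id) -> LocalUser

    def on_successful_sso(self, issuer, name_id, now):
        """Just-in-time provisioning: create or re-activate the local record."""
        key = (issuer, name_id)
        if key not in self.users:
            self.users[key] = LocalUser(issuer, name_id, True, now)
        user = self.users[key]
        user.active, user.last_login = True, now
        return user

    def handle_manage_nameid(self, request_xml):
        """Returns (top_status, second_status, response_xml). Only <Terminate/>
        is supported; a NewID (identifier change) request is refused with a
        Requester status rather than silently ignored."""
        root = ET.fromstring(request_xml)  # assumption: signature already verified
        req_id = root.get("ID")
        issuer_el = root.find(f"{{{SAML}}}Issuer")
        name_id_el = root.find(f"{{{SAML}}}NameID")
        issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
        # Only a federated IdP may terminate one of *its* NameIDs. The lookup is
        # keyed on (issuer, NameID), so a spoofed issuer cannot reach other users.
        if (root.tag != f"{{{SAMLP}}}ManageNameIDRequest"
                or issuer not in self.trusted_issuers or name_id_el is None
                or root.find(f"{{{SAMLP}}}Terminate") is None):
            return self._response(STATUS_REQUESTER, None, req_id)
        user = self.users.get((issuer, (name_id_el.text or "").strip()))
        if user is None:
            return self._response(STATUS_REQUESTER, STATUS_UNKNOWN_PRINCIPAL, req_id)
        user.active = False
        return self._response(STATUS_SUCCESS, None, req_id)

    def sweep_idle(self, now, max_idle):
        """Fallback when the IdP cannot send Terminate: deactivate accounts idle
        for longer than max_idle. Returns the NameIDs that were deactivated."""
        swept = []
        for user in self.users.values():
            if user.active and now - user.last_login > max_idle:
                user.active = False
                swept.append(user.name_id)
        return swept

    @staticmethod
    def _response(top, second, in_response_to):
        resp = ET.Element(f"{{{SAMLP}}}ManageNameIDResponse", {"Version": "2.0"})
        if in_response_to:
            resp.set("InResponseTo", in_response_to)
        code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"),
                             f"{{{SAMLP}}}StatusCode", {"Value": top})
        if second:  # second-level codes nest inside the top-level StatusCode
            ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": second})
        return top, second, ET.tostring(resp, encoding="unicode")


# Constructed sample request, as an IdP would send it over the SOAP binding.
TERMINATE_REQUEST = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2014-05-12T09:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abhilash</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""


def demo():
    """Run the thread's scenario and return the observable outcomes."""
    now = datetime(2014, 5, 12, 9, 0, tzinfo=timezone.utc)
    store = SpUserStore([IDP])
    store.on_successful_sso(IDP, "abhilash", now)
    store.on_successful_sso(IDP, "idle-user", now - timedelta(days=120))
    spoofed = TERMINATE_REQUEST.replace(IDP, "https://attacker.example.net/idp")
    spoof_status = store.handle_manage_nameid(spoofed)[0]
    active_after_spoof = store.users[(IDP, "abhilash")].active
    unknown = store.handle_manage_nameid(TERMINATE_REQUEST.replace(">abhilash<", ">nobody<"))[:2]
    ok_status, _, response_xml = store.handle_manage_nameid(TERMINATE_REQUEST)
    return {"spoof_status": spoof_status, "active_after_spoof": active_after_spoof,
            "unknown": unknown, "terminate_status": ok_status,
            "active_after_terminate": store.users[(IDP, "abhilash")].active,
            "response_xml": response_xml,
            "swept": store.sweep_idle(now, timedelta(days=90))}
```

Keying the local table on the (issuer, NameID) pair is what keeps the profile safe in a multi-IdP deployment such as the one in the question: a NameID is only unique within the IdP that minted it, so a Terminate from one customer's IdP can never touch another customer's users even if the values collide. The sweep is the fallback for IdPs that are "Lite" conformant and cannot send the message at all.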

SAML isn't really the right approach for this. I would recommend taking a look at the standard called SCIM (System for Cross-domain Identity Management) which is designed to handle exactly this type of user identity provisioning use-case via a RESTful API. Here are a few resources to check out -

HTH - Ian

Ian
  • Hello Ian, thanks for your reply. It looks like SCIM is a good approach for identity management. I've one question for which I couldn't find an answer: how is a SCIM call authenticated in the IdP-SP scenario (a call from the IdP to the SP), where an IdP user doesn't have any credentials stored at the SP and so can't send his username and password to the SP for validation? What is the best practice in this scenario? Any suggestions please! – abhilash May 13 '14 at 11:55
  • I don't believe you'd call a SCIM provider at the user level. It would usually be a "web service only" account that is making the SCIM-client call to provision users. I'm no expert on SCIM but I'm guessing that auth to the SCIM-provider is out-of-scope. For password provisioning, you might allow the IDP to set a "static" password that must be reset the first time a user logs in. – Ian May 13 '14 at 17:08
  • Is there any implementation which you've come across where the SCIM protocol (with the recommended OAuth 2.0 authentication tokens) is used for identity management in an IdP-SP scenario where SAML is already in place? I just want to know what the main added benefit is that it provides, when it is not so trivial to implement. – abhilash May 14 '14 at 12:46
  • Salesforce.com and Google Apps for Business are working on rolling out SCIM (beta?) and both have SAML 2.0 SP implementations. I'd start there. The benefit of SCIM for provisioning is similar to that of SAML for Authentication. Write a compliant provider and your Enterprise customers should not have to write custom clients again and again as they do today with proprietary provisioning APIs. – Ian May 14 '14 at 15:33
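The answer and its comments describe the SP exposing a SCIM provider that the IdP's provisioning connector calls with a service-account credential rather than any end-user's password. The following is an added example, not code from the thread and not the SCIM implementation of Salesforce, Google or any other vendor: a minimal SCIM-style `/Users/{id}` endpoint on the SP side, written as a pure dispatch function so it runs without a web server. It uses the SCIM 2.0 (RFC 7643/7644) resource and PatchOp shapes, which post-date the 2014 thread; the bearer tokens, tenant names and user records are constructed for the example, and in practice the tokens would be OAuth 2.0 access tokens or secrets held in a vault, one per federated IdP.

```python
import hmac
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed: one service-account bearer token per federated IdP ("tenant").
# No end user ever authenticates here; the IdP's connector does.
SERVICE_TOKENS = {
    "tok-idp-example-org-7f3a": "https://idp.example.org/saml",
}


def sample_users():
    """Constructed SP user table, SCIM id -> resource. externalId carries the
    IdP-side identifier (the SAML NameID), tenant the IdP that owns the user."""
    return {
        "u-1001": {"id": "u-1001", "externalId": "abhilash", "userName": "abhilash",
                   "active": True, "tenant": "https://idp.example.org/saml"},
        "u-2002": {"id": "u-2002", "externalId": "ian", "userName": "ian",
                   "active": True, "tenant": "https://idp.other.example/saml"},
    }


def _error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def _resource(user):
    # tenant is an internal attribute, never returned to the caller
    return {"schemas": [SCIM_USER], **{k: v for k, v in user.items() if k != "tenant"}}


def _authenticate(headers):
    """Map a bearer token to its tenant, or None. compare_digest keeps the
    comparison constant-time so token bytes do not leak through timing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].strip().encode()
    for token, tenant in SERVICE_TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return tenant
    return None


def scim_dispatch(method, path, headers, body=None, users=None):
    """Handle GET / PATCH / DELETE on /Users/{id}; returns (http_status, json_body)."""
    if users is None:
        users = sample_users()
    tenant = _authenticate(headers)
    if tenant is None:
        return _error(401, "invalid or missing bearer token")
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "Users":
        return _error(404, "unsupported resource")
    user = users.get(parts[1])
    # A tenant's service account may only see or modify users it provisioned.
    # Foreign ids answer 404 rather than 403 so ids cannot be enumerated.
    if user is None or user["tenant"] != tenant:
        return _error(404, f"Resource {parts[1]} not found")
    if method == "GET":
        return 200, _resource(user)
    if method == "DELETE":  # the IdP admin's "HTTP DELETE a user" from the comments
        del users[parts[1]]
        return 204, None
    if method == "PATCH":  # the softer form: flip active=false, keep the record
        patch = body if isinstance(body, dict) else json.loads(body or "{}")
        if SCIM_PATCH not in patch.get("schemas", []):
            return _error(400, "expected a PatchOp message")
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                return _error(400, "only replace of 'active' is supported here")
            if not isinstance(op.get("value"), bool):
                return _error(400, "active must be a boolean")
            user["active"] = op["value"]
        return 200, _resource(user)
    return _error(405, f"{method} not allowed")


DEACTIVATE = {"schemas": [SCIM_PATCH],
              "Operations": [{"op": "replace", "path": "active", "value": False}]}
```

A call such as `scim_dispatch("PATCH", "/Users/u-1001", {"Authorization": "Bearer tok-idp-example-org-7f3a"}, DEACTIVATE, users)` is what the IdP's connector would send when the user is disabled there. Scoping each token to the tenant that issued it is the part worth copying: it answers the comment's authentication question (a per-IdP service credential, not user credentials) and also prevents one customer's IdP from deactivating or deleting another customer's users, which the SAML-only setup in the question has no way to express.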