SAML authentication

 

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format used to exchange authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider.

User Agent
SP (Service Provider)
IDP (Identity Provider)

IDP and SP establish Trust

When a user wants to access an SP, they must first authenticate with the IdP. After successful authentication, the IdP generates a SAML assertion, which is sent to the SP; the user can then access the SP.

The user exists in the IdP; the SAML configuration specifies which attribute identifies the user, for example the email address.

The IdP-side SAML configuration (IdP XML) and the SP-side SAML configuration (SP XML) are called metadata.

Metadata: an XML-based document that ensures a secure transaction between an IdP and an SP. It allows the IdP and SP to negotiate agreements (endpoints, certificates, supported bindings).

Between the IdP and the SP, messages are exchanged via bindings: HTTP-POST, HTTP-Redirect, HTTP-Artifact.


Obtain the certificates that the IdP and firewall will use to sign SAML messages. If the certificates do specify key usage attributes, one of the attributes must be Digital Signature


What is the Azure certificate used for in SAML?

The Azure certificate is shared with the service provider (SP) to establish trust between Azure AD (IdP) and the SP. The SP uses the certificate to verify that the SAML assertions are indeed from Azure AD.

Note that this certificate is self-signed, is not trusted by the firewall, and does not contain a "Basic Constraints" field.


   The basic constraints extension identifies whether the subject of the
   certificate is a CA and the maximum depth of valid certification
   paths that include this certificate. (RFC 5280, section 4.2.1.9)


Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default.


On the ASA, "no ca-check" is needed to import this certificate from the CLI:

crypto ca trustpoint Azure_SAML
    no ca-check
    enrollment terminal
exit
crypto ca authenticate Azure_SAML
(paste the PEM text, then type "quit")


On FTD 7.3 and above, check "Skip Check for CA flag...." when importing the certificate.



On Palo Alto, import the IdP metadata; importing the certificate individually gives an import error.
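Added example (not part of these notes, and not vendor code): a minimal DER walk, standard library only, that reports what the ASA's CA-flag check looks at, namely whether a certificate carries a Basic Constraints extension with cA=TRUE, and whether keyUsage, if present, allows Digital Signature. The sample certificates are constructed skeletons with dummy keys and signatures, built only so the checks run offline; for a real certificate pass pem_to_der(open("idp.pem").read()) and compare the result with what "openssl x509 -in idp.pem -noout -text" prints under X509v3 extensions.

```python
import base64

# Extension OIDs in their DER-encoded form (2.5.29.19 basicConstraints, 2.5.29.15 keyUsage)
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"
OID_KEY_USAGE = b"\x55\x1d\x0f"


def _length(n):
    """DER length: short form below 128, long form (0x8N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """All (tag, content) elements packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def pem_to_der(pem_text):
    return base64.b64decode("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))


def certificate_extensions(der):
    """Map raw extnID bytes -> (critical, extnValue) for a DER certificate; {} if it has no extensions."""
    _, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = read_tlv(cert, 0)        # TBSCertificate ::= SEQUENCE { ..., extensions [3] EXPLICIT }
    for tag, value in children(tbs):
        if tag == 0xA3:
            result = {}
            for _, ext in children(children(value)[0][1]):
                parts = children(ext)    # extnID OID, optional critical BOOLEAN, extnValue OCTET STRING
                result[parts[0][1]] = (len(parts) == 3 and parts[1][1] == b"\xff", parts[-1][1])
            return result
    return {}


def basic_constraints_ca(der):
    """None when the extension is absent (the Azure signing cert case), else the cA flag."""
    exts = certificate_extensions(der)
    if OID_BASIC_CONSTRAINTS not in exts:
        return None
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    fields = children(children(exts[OID_BASIC_CONSTRAINTS][1])[0][1])
    return any(tag == 0x01 and value == b"\xff" for tag, value in fields)


def allows_digital_signature(der):
    """True if keyUsage is absent (unrestricted) or has the digitalSignature bit set."""
    exts = certificate_extensions(der)
    if OID_KEY_USAGE not in exts:
        return True
    _, bits = children(exts[OID_KEY_USAGE][1])[0]    # BIT STRING: bits[0] is the unused-bit count
    return len(bits) > 1 and bool(bits[1] & 0x80)    # digitalSignature is bit 0, the MSB of the first byte


def make_test_cert(extensions):
    """Constructed DER certificate skeleton with a dummy key and signature (not cryptographically
    valid) so the checks above run offline. extensions: list of (oid_bytes, value_der, critical)."""
    def ext(oid, value_der, critical=False):
        body = tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"")
        return tlv(0x30, body + tlv(0x04, value_der))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSAEncryption
    key_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))  # rsaEncryption
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example-idp"))))  # CN=example-idp
    validity = tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"330101000000Z"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name + validity + name
           + tlv(0x30, key_alg + tlv(0x03, b"\x00" + bytes(16))))
    if extensions:
        tbs += tlv(0xA3, tlv(0x30, b"".join(ext(*e) for e in extensions)))
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" + bytes(8)))


# Constructed samples: an Azure-style signing cert (keyUsage only, no Basic Constraints) and a CA cert
AZURE_STYLE_CERT = make_test_cert([(OID_KEY_USAGE, tlv(0x03, b"\x05\xa0"), True)])
CA_CERT = make_test_cert([(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), True)])
```

basic_constraints_ca returning None is exactly the condition that makes the ASA refuse the import until "no ca-check" (or "Skip Check for CA flag" on FTD) is set: the certificate is not a CA certificate, it is an end-entity signing certificate that the firewall is being asked to pin.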


SAML Request Example


<!-- ID: unique identifier for the request; IssueInstant: when the request was issued;
     Destination: the IdP URL the request is sent to;
     AssertionConsumerServiceURL: where the SP expects to receive the SAML response -->
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1234567890abcdef1234567890abcdef"
    Version="2.0"
    IssueInstant="2023-10-01T12:00:00Z"
    Destination="https://duo.com/saml/sso"
    AssertionConsumerServiceURL="https://your-app.com/saml/acs">
    <!-- Issuer: the identifier (Entity ID) of the SP -->
    <saml:Issuer>https://your-app.com/saml/metadata</saml:Issuer>
    <!-- NameIDPolicy: the format of the user identifier (e.g. email address) -->
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"/>
</samlp:AuthnRequest>
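Added example (not from these notes, not code from Duo, Cisco or Palo Alto): building the AuthnRequest above with Python's standard library and encoding it for the HTTP-Redirect and HTTP-POST bindings named earlier, together with the reverse decoding you would apply to what the browser shows. The Entity IDs and URLs are the placeholder values from the example. The request is left unsigned here (assumption: a real deployment adds the SigAlg and Signature query parameters), and the SP must store the request ID server-side so the ACS can later check InResponseTo.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Build the AuthnRequest shown above; returns (request_id, xml_text).

    The SP must remember request_id so it can check InResponseTo in the response later.
    """
    request_id = request_id or "_" + secrets.token_hex(16)   # xsd:ID values must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP, {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url, xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded as the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # wbits=-15 means raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Reverse of redirect_binding_url: what you do with the URL seen in the browser's Network tab."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def post_binding_value(xml_text):
    """HTTP-POST binding: the SAMLRequest/SAMLResponse form field is plain base64 of the XML, no DEFLATE."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(form_value):
    return base64.b64decode(form_value).decode("utf-8")


if __name__ == "__main__":
    rid, xml = build_authn_request("https://your-app.com/saml/metadata",
                                   "https://your-app.com/saml/acs",
                                   "https://duo.com/saml/sso")
    url = redirect_binding_url("https://duo.com/saml/sso", xml, relay_state="/dashboard")
    print(url)
    print("round trip ok:", decode_redirect_binding(url) == xml)
```

The two decode functions are the same operation the Notepad++ steps at the end of these notes perform by hand; the only difference between the bindings is the DEFLATE step, which is why a SAMLRequest copied from a redirect URL does not turn into readable XML after a plain base64 decode.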


SAML Response Example


<!-- ID: unique identifier for the response; IssueInstant: when the response was issued;
     Destination: the SP URL (ACS) the response is sent to;
     InResponseTo: the ID of the SAML request this response answers -->
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_b1234567890abcdef1234567890abcdef"
    Version="2.0"
    IssueInstant="2023-10-01T12:05:00Z"
    Destination="https://your-app.com/saml/acs"
    InResponseTo="_a1234567890abcdef1234567890abcdef">
    <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
    <!-- Status: whether the authentication was successful -->
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <!-- Assertion: the user's identity and authentication information -->
    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_c1234567890abcdef1234567890abcdef"
        IssueInstant="2023-10-01T12:05:00Z"
        Version="2.0">
        <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
        <!-- Subject: the user's identifier (e.g. email address) -->
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
                    NotOnOrAfter="2023-10-01T12:10:00Z"
                    Recipient="https://your-app.com/saml/acs"
                    InResponseTo="_a1234567890abcdef1234567890abcdef"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- Conditions: the validity period of the assertion and the intended audience -->
        <saml:Conditions
            NotBefore="2023-10-01T12:00:00Z"
            NotOnOrAfter="2023-10-01T12:10:00Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://your-app.com/saml/metadata</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <!-- AuthnStatement: information about the authentication event -->
        <saml:AuthnStatement
            AuthnInstant="2023-10-01T12:05:00Z"
            SessionIndex="_d1234567890abcdef1234567890abcdef">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>


A SAML Assertion Consumer Service (ACS) is a web service endpoint that is used in the SAML authentication and authorization protocol. The ACS is a service provided by the service provider (SP) that receives and processes SAML assertions from the identity provider (IdP). The ACS is responsible for extracting the relevant information from the SAML assertion, such as the user's attributes or the authentication event, and using that information to grant the user access to the protected resource.

The ACS is typically implemented as a web service endpoint that is accessible to the IdP.

1. The user logs in to the IdP using their credentials.
2. The IdP verifies the user's credentials and generates a SAML assertion.
3. The SAML assertion is sent to the SP's ACS, along with a request for access to a protected resource.
4. The ACS receives the SAML assertion and extracts the relevant information from it.
5. The ACS uses the extracted information to grant the user access to the protected resource.
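Added example, not from these notes and not any vendor's ACS code: the checks an ACS should make on the response shown earlier in steps 4 and 5, once the SAML library has verified the XML signature (signature verification itself is outside this snippet and is assumed to have passed). The SP_* and IDP_ENTITY_ID values are assumed to match the example; the embedded response is a constructed copy of the example without the signature block. Each check closes a specific hole: Destination, Recipient and Audience stop an assertion minted for another SP from being accepted here, InResponseTo ties the response to a request this SP actually sent, and the time window bounds replay of an old assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values this SP is configured with (assumed; they match the examples in these notes)
SP_ENTITY_ID = "https://your-app.com/saml/metadata"
SP_ACS_URL = "https://your-app.com/saml/acs"
IDP_ENTITY_ID = "https://duo.com/saml/metadata"

# Constructed sample: the response example from these notes, without comments or signature
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_b1234567890abcdef1234567890abcdef" Version="2.0" IssueInstant="2023-10-01T12:05:00Z"
    Destination="https://your-app.com/saml/acs" InResponseTo="_a1234567890abcdef1234567890abcdef">
  <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_c1234567890abcdef1234567890abcdef" IssueInstant="2023-10-01T12:05:00Z" Version="2.0">
    <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-10-01T12:10:00Z"
            Recipient="https://your-app.com/saml/acs" InResponseTo="_a1234567890abcdef1234567890abcdef"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-10-01T12:00:00Z" NotOnOrAfter="2023-10-01T12:10:00Z">
      <saml:AudienceRestriction><saml:Audience>https://your-app.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC in xsd:dateTime form, e.g. 2023-10-01T12:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now, skew=timedelta(seconds=60)):
    """ACS-side checks after the XML signature has been verified. Returns (ok, problems, name_id)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not samlp:Response"], None
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no Assertion in response"], None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion Issuer is not the configured IdP")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData (bearer confirmation required)")
    else:
        if scd.get("Recipient") != SP_ACS_URL:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match our request")
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= parse_ts(noa) + skew:
            problems.append("SubjectConfirmationData has expired")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None and now < parse_ts(nb) - skew:
            problems.append("assertion is not yet valid (NotBefore)")
        if noa is None or now >= parse_ts(noa) + skew:
            problems.append("assertion has expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("our Entity ID is not in the AudienceRestriction")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return not problems, problems, name_id


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_a1234567890abcdef1234567890abcdef",
                            parse_ts("2023-10-01T12:06:00Z")))
```

A production ACS additionally records each accepted assertion ID until its NotOnOrAfter has passed, so that the same assertion cannot be presented twice inside the window; that one-time store is the only check above that needs state beyond the pending request ID.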


A SAML Entity ID is a unique identifier for an entity in the Security Assertion Markup Language (SAML) authentication and authorization protocol. It's used to identify the Service Provider (SP) and the Identity Provider (IdP) in a SAML transaction.

Typically, the Entity ID is a URL or URI that’s assigned to the entity and used in SAML messages and metadata. Each SAML application that you create within your SAML provider is considered a unique entity.


When Azure is the IdP and Palo Alto GlobalProtect is the SP:

Identifier (Entity ID): the default identifier will be the audience of the SAML response for IdP-initiated SSO.

https://globalprotect.com:443/SAML20/SP


Reply URL (Assertion Consumer Service URL): the default reply URL will be the destination in the SAML response for IdP-initiated SSO.

https://globalprotect.com:443/SAML20/SP/ACS


Sign on URL

https://globalprotect.com


The three values above are required on the Azure side; the values below come from Azure and need to be added on the Palo Alto side:

Login URL
Azure AD Identifier
Logout URL


When Azure is the IdP and AnyConnect (ASA) is the SP:

The IdP needs two pieces of information from the ASA.

Both are in the SP metadata; note that the metadata URL is case-sensitive:

show saml metadata TUNNEL-GROUP-NAME

or

https://<VPN URL>/saml/sp/metadata/<TUNNEL-GROUP NAME>

 a. Identifier (Entity ID) - https://<VPN URL>/saml/sp/metadata/<TUNNEL-GROUP NAME>

 b. Reply URL (Assertion Consumer Service URL) - https://<VPN URL>/+CSCOE+/saml/sp/acs?tgname=<TUNNEL-GROUP NAME>


The Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion.

The SAML Assertion Consumer Service (ACS) is responsible for receiving and processing SAML assertions from the IdP.

The Sign on URL is required for SP-initiated SSO.




The ASA needs four pieces of information from Azure:

1. Azure IdP certificate: import it to the ASA as a CA certificate.

   config t
   crypto ca trustpoint AzureAD-AC-SAML
     revocation-check none
     no id-usage
     enrollment terminal
     no ca-check
   crypto ca authenticate AzureAD-AC-SAML
   -----BEGIN CERTIFICATE-----
   …
   PEM certificate text you downloaded goes here
   …
   -----END CERTIFICATE-----
   quit

2. Azure AD Identifier: this is the IdP entity ID, the value of the saml idp line in the VPN configuration.

3. Login URL: this is the url sign-in value.

4. Logout URL: this is the url sign-out value.


Debug

debug webvpn saml 255

Cases:

error:
"Authentication failed due to problem retrieving the single sign-on cookie"

debug error:
.....
kROYnlRenpZSm52cjZ6dis4bHhCb3g0YURwYXlqdkU5dFdLMkl4NjBIcE5DMEM4VVlzbWQ1ejdndG5TVk4yNGhpZWVvaWViSVdUUUlCQnlyNDlabjFVPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiBJRD0iRFVPXzUzYmY0M2ExOWI

Oct 10 10:34:33 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=/local/jenkins/workspace/fxplatform/Builds/release__2.6.1_fcs_hammersmith/build-smp-compile/fxos/linux/wrlinux/bitbake_build/tmp/work/corei7-64-wrs-linux/xmlsec1/1.2.20-r1/xmlsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

Oct 10 10:34:33 [SAML] consume_assertion: The profile cannot verify a signature on the message
Oct 10 10:34:33 [SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

Cause:
Wrong IDP cert.


https://www.wiresandwi.fi/blog/asa-vpn-saml-authentication-some-tips-and-tricks



https://community.cisco.com/t5/security-documents/anyconnect-azure-ad-saml-sso/ta-p/3810013



Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html



Configure Anyconnect with SAML authentication on FTD managed via FMC

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216268-configure-anyconnect-with-saml-authentic.html



Decode SAML response

Chrome

Press F12 (Fn+F12 on some laptops) to open the developer console, open the Network tab, then go through the SAML login. Copy the SAML response payload to Notepad++, then Plugins > MIME Tools > Base64 Decode by line.


Edge

Access the SP site in the Edge browser. When the SAML login page appears, right-click the page > Inspect to open Developer Tools, find the SAML response > Payload, and copy the content after "SAMLResponse:" to Notepad++, then Plugins > MIME Tools > Base64 Decode, and click Language > XML.
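Added example, not from these notes and not vendor code: the decoding step above done in Python instead of Notepad++, extended with the triage for the "signature do not match" case in the Cases section. The base64 fragment in that debug output decodes to the end of the ds:Signature block (ending with the IdP's ds:X509Certificate) and the start of the saml:Assertion, so the certificate that signed the response can be fingerprinted and compared with the one installed in the firewall trustpoint. The certificate bytes and the response below are constructed placeholders, not real certificates or a captured login.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, unquote_plus

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: these bytes stand in for DER certificates and are NOT real X.509 data.
IDP_CERT_DER = b"constructed placeholder standing in for the IdP signing certificate"
STALE_CERT_DER = b"constructed placeholder standing in for a previous, rotated certificate"


def pem(der):
    """Wrap DER bytes as a PEM block, the form of the certificate file downloaded from Azure."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


TRUSTED_PEM = pem(IDP_CERT_DER)    # what should be in the firewall trustpoint
STALE_PEM = pem(STALE_CERT_DER)    # an old certificate still installed after the IdP renewed its own

# Constructed sample response; the shape follows the response example in these notes, with a
# ds:Signature block carrying the signing certificate (SignedInfo and SignatureValue abbreviated).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b1234567890abcdef1234567890abcdef"
    Version="2.0" IssueInstant="2023-10-01T12:05:00Z" Destination="https://your-app.com/saml/acs"
    InResponseTo="_a1234567890abcdef1234567890abcdef">
  <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_c1234567890abcdef1234567890abcdef" IssueInstant="2023-10-01T12:05:00Z" Version="2.0">
    <saml:Issuer>https://duo.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % base64.b64encode(IDP_CERT_DER).decode()

# The SAMLResponse form field as Developer Tools shows it in the POST body: base64, then URL-encoded
SAMPLE_FORM_VALUE = quote_plus(base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii"))


def decode_form_value(value):
    """Undo the browser encoding: URL-decode if still percent-encoded, then base64-decode to XML text."""
    if "%" in value:
        value = unquote_plus(value)
    return base64.b64decode(value).decode("utf-8")


def sha256_of_pem(pem_text):
    """SHA-256 fingerprint of the DER inside a PEM file (same value openssl x509 -fingerprint -sha256 prints)."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def summarize_response(form_value):
    """The fields to read first when a login fails: issuer, status, subject, and which certificate signed it."""
    root = ET.fromstring(decode_form_value(form_value))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": code.get("Value") if code is not None else None,
        "name_id": root.findtext(".//saml:NameID", namespaces=NS),
        "signed": root.find(".//ds:Signature", NS) is not None,
        "signing_cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() if cert_b64 else None,
    }


def signing_cert_matches(form_value, trusted_pem):
    """True when the certificate carried in the response is the one installed in the trustpoint."""
    return summarize_response(form_value)["signing_cert_sha256"] == sha256_of_pem(trusted_pem)


if __name__ == "__main__":
    print(summarize_response(SAMPLE_FORM_VALUE))
    print("trustpoint matches:", signing_cert_matches(SAMPLE_FORM_VALUE, TRUSTED_PEM))
```

The firewall never trusts the certificate carried inside the response; it verifies the signature against the certificate in its trustpoint, which is exactly why a mismatch here produces "data do not match: signature do not match" and the "Wrong IDP cert" diagnosis above, for example after the IdP's signing certificate was renewed and the trustpoint still holds the old one.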
