
Saml SSO authentication with only restful calls and no libraries

Question


We have a well established .NET framework based SAAS web application which supports Oauth2 to multiple providers, and we want to implement the same with SAML/SAML2. The current implementation of Oauth2 does all the necessary steps using restful http get and post calls plus the one redirect.

Looking at existing libraries, they all seem to want changes in "startup.cs" or wherever your startup code is and they add code to web.config. So they are building themselves into the core of your project. We don't like libraries that do that, we don't want to run code that isn't needed and our code has to pass some pretty deep auditing for defense apps, so we'd prefer not to use external libraries from nuget, although we would be prepared to include some libraries from MS if they do not interfere with the app infrastructure (startup and web.config).

Only a small minority of our customers will use SAML since most will use direct logins or Oauth2 providers.

So how can we add SAML with pure restful calls / redirects and not using third party libraries? I hoped we could find examples where you build up a piece of XML and send it via http post or via a querystring, but after several hours I am not finding this.

TIA
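The outbound half of what the question asks for, as an added example that is not code from the question or either answer: building a SAML 2.0 AuthnRequest and encoding it for the HTTP-Redirect binding in C#. Entity IDs and URLs are placeholders; request signing (SigAlg/Signature) and the whole inbound side (validating the IdP's signed Response) are left out, and that inbound side is where the answers' warning about subtle bugs applies.

```csharp
// Added example: SAML 2.0 AuthnRequest via the HTTP-Redirect binding
// (raw DEFLATE -> Base64 -> URL-encode). Placeholder names throughout.
// Not shown: XML-DSig verification of the Response against the IdP's pinned
// certificate, Conditions/Audience/InResponseTo checks and replay protection.
using System;
using System.IO;
using System.IO.Compression;
using System.Net;
using System.Text;
using System.Xml.Linq;

public static class SamlRedirectBinding
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // The ID must be an xsd:ID (start with a letter or '_') and must be stored
    // server-side so the Response's InResponseTo can later be matched to it.
    public static XDocument BuildAuthnRequest(string id, string spEntityId, string acsUrl, string idpSsoUrl)
    {
        return new XDocument(
            new XElement(Samlp + "AuthnRequest",
                new XAttribute(XNamespace.Xmlns + "samlp", Samlp),
                new XAttribute(XNamespace.Xmlns + "saml", Saml),
                new XAttribute("ID", id),
                new XAttribute("Version", "2.0"),
                new XAttribute("IssueInstant", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")),
                new XAttribute("Destination", idpSsoUrl),
                new XAttribute("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
                new XAttribute("AssertionConsumerServiceURL", acsUrl),
                new XElement(Saml + "Issuer", spEntityId)));
    }

    // DeflateStream emits raw DEFLATE (no zlib header), which is what the binding requires.
    public static string Encode(XDocument request)
    {
        var xml = request.ToString(SaveOptions.DisableFormatting);
        using (var ms = new MemoryStream())
        {
            using (var deflate = new DeflateStream(ms, CompressionLevel.Optimal, leaveOpen: true))
            using (var writer = new StreamWriter(deflate, new UTF8Encoding(false)))
                writer.Write(xml);
            return WebUtility.UrlEncode(Convert.ToBase64String(ms.ToArray()));
        }
    }

    // The browser is redirected (HTTP 302) to this URL; the IdP answers at the ACS URL.
    public static string BuildRedirectUrl(string idpSsoUrl, XDocument request, string relayState)
    {
        var sep = idpSsoUrl.Contains("?") ? "&" : "?";
        return idpSsoUrl + sep + "SAMLRequest=" + Encode(request) + "&RelayState=" + WebUtility.UrlEncode(relayState);
    }
}
```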

Answer 1

Score: 2


SAML can actually be quite complicated to implement properly: you WILL want library support for this. Even more, I see this:

> we don't want to run code that isn't needed [because] our code has to pass some pretty deep auditing for defense apps

Mostly, this is the right attitude from a security standpoint. There are too many examples now of a threat actor getting malicious code into upstream libraries... thankfully not as much in the .Net ecosystem (so far), but enough generally to be a legitimate security concern. But for authentication specifically avoiding libraries is exactly the wrong approach. It's actually significantly worse for security to try to do this on your own.

In fact, using a library for authentication should make security auditors happier, because it's just so easy to implement authentication code that seems to work correctly — passes all your unit and integration tests and looks like it's working — where in fact you have subtle bugs that result in finding out a year later you were hacked six months ago. Using a purpose-built, battle-tested library helps you avoid that scenario.

I've been saying this since at least 2010. The idea is when a flaw is discovered (because they always exist!) it's found on someone else's product first. But because they're using the same library a patch is created, distributed, and applied before your own product ever has a chance to be breached. Unfortunately, the reality is these audits are often as much about ticking the box as cheaply and painlessly as possible as they are about actually improving things, so I understand where it can be hard to get this through.

Personally, I have successfully implemented SAML authentication using the ITfoxtec library for two different apps. However, it's not something I work on often enough to have broad experience to comment on the relative quality of this option vs alternatives other than to say I was able to make it work.

The main thing for this library is the source code is available, and fairly easy to browse and understand, which should further make auditors happy. Moreover, because the source is available with a very permissive license — you can fork the project and include the code directly as part of the main build. This should further make it easier to audit.

Answer 2

Score: 1


Just to add to what Joel said, I think you'll find it's more cost effective to use a 3rd party library (either open source or our commercial library) rather than implementing something yourself. Also, security is important, obviously, so it's much safer to use a battle-hardened, proven implementation that's been used in production by many others for many years.

I'm not sure about other libraries, but our SAML library for ASP.NET doesn't require any code in the start-up class or changes to web.config. Perhaps you're referring to .NET 6 etc where it's common practice to hook into the dependency injection system in the start-up code. In our library, the SAML code is executed only when required as part of a SAML SSO flow so there's no additional overhead for non-SAML authentication.

The SAML protocol is more involved than OAuth2. I suggest taking a look at the SAML v2.0 specification documents to get a feel for the effort involved.

huangapple, posted 2023-02-17 23:35:03. Source: https://go.coder-hub.com/75486297.html