
Document passive option #660

Merged
merged 4 commits into from
Dec 16, 2021

Conversation

sherakama
Contributor

@sherakama sherakama commented Dec 15, 2021

Description

Document support for passive option in node-saml

Re: https://github.com/node-saml/node-saml/blob/master/src/saml.ts#L135

Checklist:

  • Issue Addressed: []
  • Link to SAML spec: []
  • Tests included? []
  • Documentation updated? [x]

@cjbarth
Collaborator

cjbarth commented Dec 16, 2021

Thanks for adding that documentation. Do you happen to have a reference for the part of the SAML spec that refers to? That feature was added a while ago by someone else. I'd like to refresh my understanding of your description before approving :)

@sherakama
Contributor Author

sherakama commented Dec 16, 2021

There is this https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.3/aiaag/introducing-identity-federation-oracle-access-management.html

28.4.5 Indicating a Passive Identity Provider

I'll see about something more specific to the SAML 2.0 spec.

@cjbarth
Collaborator

cjbarth commented Dec 16, 2021

I'm having trouble finding actual documentation on the IsPassive flag that passport-saml actually sets. The best I've found so far discusses largely what you've said, but still no references to it being part of a spec: https://lists.oasis-open.org/archives/saml-dev/201605/msg00004.html

Hi,

theoretically such seamless authentication is still within the bounds of the isPassive definition. Such authentication methods could probably involve:

  • kerberos (as long as the 401 page is not being displayed to the end-user after failed login)
  • remember me feature (a.k.a persistent cookie)

Cert based authn is also similar, but with that the browser will ask for the password of the private key, not sure if that qualifies as passive authn.

cheers,
Peter

At 12:17, Chiranga Alwis wrote:

Hi Dieter,

first of all thanks for the answer.

In addition to what you have mentioned, I came across this alternative
usage of this property (from another source) which enables the Service
Provider to ask the IdP to basically "authenticate this user only if you
can do it without having the user involved". This seems to map with
the spec definition provided for the 'IsPassive' property under
discussion. Is this a valid usage and what does it accurately mean in a
real-world scenario?

On Tue, May 10, 2016 at 1:18 PM, Dieter Maurer <[email protected]
mailto:[email protected]> wrote:

Chiranga Alwis wrote at 2016-5-10 10:43 +0530:

I am a fresh user to SAML 2.0.

When working on an Apache Tomcat SAML 2.0 based single-sign-on (SSO) valve,
I came across the property named 'IsPassive' under SAML 2.0 Authentication
Requests. The SAML 2.0 spec introduces this as follows:

IsPassive [Optional] A Boolean value. If "true", the identity provider and
the user agent itself MUST NOT visibly take control of the user interface
from the requester and interact with the presenter in a noticeable fashion.
If a value is not provided, the default is "false".

You can use "IsPassive" when you want to check whether the
user is already authenticated with the identity provider
and do not want under any circumstance that the identity provider
issues a login dialog.

One of the scenarios where this may be interesting is the
"identity provider initiated authentication". In this scenario,
the user first logs in with the identity provider and only then
switches to the service provider. The service provider can use
"IsPassive" to verify that the user has followed this procedure.

Another scenario may look as follows:
Assume there are a set of potential identity providers for a given user.
The service provider may ask the set of those identity providers
with the "IsPassive" to check whether some of those have already
identified the user. Only if none has, it may present a list
of identity providers from which the user chooses one to really log in.

--
Dieter

@cjbarth
Collaborator

cjbarth commented Dec 16, 2021

Here it is on page 49: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than
rely on a previous security context. If a value is not provided, the default is "false". However, if both
ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the
presenter unless the constraints of IsPassive can be met.
IsPassive [Optional]
A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control
of the user interface from the requester and interact with the presenter in a noticeable fashion. If a
value is not provided, the default is "false".
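The two spec paragraphs above are easier to reason about when the attribute combinations are laid out in code. The following is an added example, not node-saml's own implementation (the real logic lives in `src/saml.ts`, linked in the PR description): it maps the README's `passive` and `forceAuthn` options onto the `IsPassive` / `ForceAuthn` attributes of an AuthnRequest, states what SAML Core 2.0 then requires of the IdP for each combination, and classifies the status an SP gets back from a passive request. The function names, the sample issuer/ACS values, and the minimal request builder are all hypothetical; the `NoPassive` status URI comes from the spec's status-code section (3.2.2.2), which the thread does not quote.

```javascript
// Added example (not node-saml's code): how `passive` / `forceAuthn` map onto
// AuthnRequest attributes (SAML Core 2.0, section 3.4.1) and what the IdP must do.

function escapeXml(s) {
  return String(s).replace(/[<>&"']/g, (c) => ({
    "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;",
  })[c]);
}

// The spec default for both attributes is "false", so emit them only when set.
function authnRequestAttributes({ forceAuthn = false, passive = false } = {}) {
  const attrs = {};
  if (forceAuthn) attrs.ForceAuthn = "true";
  if (passive) attrs.IsPassive = "true";
  return attrs;
}

// Minimal AuthnRequest builder (hypothetical; real builders add NameIDPolicy,
// RequestedAuthnContext, Destination, signatures, etc.).
function buildAuthnRequest({ id, issueInstant, issuer, acsUrl, forceAuthn, passive }) {
  const extra = Object.entries(authnRequestAttributes({ forceAuthn, passive }))
    .map(([k, v]) => ` ${k}="${v}"`)
    .join("");
  return (
    `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
    ` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"` +
    ` ID="${escapeXml(id)}" Version="2.0" IssueInstant="${escapeXml(issueInstant)}"` +
    ` AssertionConsumerServiceURL="${escapeXml(acsUrl)}"${extra}>` +
    `<saml:Issuer>${escapeXml(issuer)}</saml:Issuer>` +
    `</samlp:AuthnRequest>`
  );
}

// The IdP obligation for each attribute combination, per the quoted spec text.
function requiredIdpBehaviour(attrs) {
  const force = attrs.ForceAuthn === "true";
  const passive = attrs.IsPassive === "true";
  if (force && passive) {
    return "must not freshly authenticate unless the IsPassive constraints can be met";
  }
  if (passive) {
    return "must not visibly take control of the user interface (no login dialog)";
  }
  if (force) {
    return "must authenticate the presenter directly, ignoring any existing session";
  }
  return "may reuse an existing security context or prompt the user";
}

// When IsPassive is set and the IdP cannot authenticate the user silently, it
// answers with a second-level NoPassive status under a top-level Responder
// status instead of an assertion. An SP that sets `passive` should treat that
// as "no session yet" (and fall back to a normal, interactive request), not as
// a hard error.
const STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
const STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
const STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";

function classifyPassiveOutcome(topLevelStatus, secondLevelStatus) {
  if (topLevelStatus === STATUS_SUCCESS) return "authenticated";
  if (topLevelStatus === STATUS_RESPONDER && secondLevelStatus === STATUS_NO_PASSIVE) {
    return "not-authenticated-silently";
  }
  return "error";
}

// Constructed sample values, purely for illustration.
const sampleRequest = buildAuthnRequest({
  id: "_example-request-id",
  issueInstant: "2021-12-16T00:00:00Z",
  issuer: "https://sp.example.test/metadata",
  acsUrl: "https://sp.example.test/acs",
  passive: true,
});
console.log(sampleRequest);
console.log(requiredIdpBehaviour(authnRequestAttributes({ passive: true })));
```

Note that `classifyPassiveOutcome` is where a `passive` deployment most often goes wrong in practice: an SP that logs `NoPassive` as a failed login, or retries the passive request in a loop, never reaches the interactive fallback the spec intends.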

README.md Outdated
@@ -165,6 +165,7 @@ export interface Profile {
- `racComparison`: Requested Authentication Context comparison type. Possible values are 'exact','minimum','maximum','better'. Default is 'exact'.

- `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
- `passive`: if set to true, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction if possible.
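Review bot: The new `passive` entry's "if possible" is weaker than the spec text quoted in this thread, which says the IdP "MUST NOT visibly take control of the user interface"; since the entry sits directly under `forceAuthn`, it would also help to say how the two interact when both are true (the IdP must not freshly authenticate the presenter unless the IsPassive constraints can be met), so readers do not assume `forceAuthn` overrides `passive`.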

Based on the spec, "if possible" isn't true. The spec says the IdP "must not". Is there a different resource where you found that it obeys this less strict implementation?


Based on the spec, "if possible" isn't true. The spec says the IdP "must not". Is there a different resource where you found that it obeys this less strict implementation?

I can't say I have for SAML. I am happy to change this language.

@sherakama
Contributor Author

@cjbarth,

Thanks for reviewing this and finding the documentation. I have updated the language. I hope this helps.

cjbarth
cjbarth previously approved these changes Dec 16, 2021
@cjbarth
Collaborator

cjbarth commented Dec 16, 2021

Please run npm run prettier-format to correct the code formatting.

@sherakama
Contributor Author

Ok.

@cjbarth cjbarth added the documentation Request for or contribution to documentation label Dec 16, 2021
@cjbarth cjbarth merged commit 9d74bf5 into node-saml:master Dec 16, 2021
@sherakama sherakama deleted the patch-1 branch December 16, 2021 22:34
@sherakama
Contributor Author

Thanks @cjbarth
