Proxy on top of OIDC IdP provider to accept SAML requests from service provider for SSO

1
votes

Context: We have an OIDC IdP that we don't have control over but we need to support SAML requests from Service Provider (SP) for SSO.

Idea: Build a proxy (an app) that sits between SP and OIDC Identity Provider. Requests from SP are sent to the proxy app (that acts as SAML IdP for SP) and the proxy app converts the requests to OIDC requests and forwards them to OIDC provider. The results from OIDC provider are returned to the proxy app which translates them into SAML responses and forwards them to SP.

Questions:

I've very limited knowledge on SAML IdP (implementation wise). The approach seems very hackish to me :) Feels there are a lot of things I'm missing to consider. So, wanted some help and guidance as for where I'm doing things wrong. Few things I wanted to ask are:

  • Does this approach even make any sense?
  • What would be the security implications of this approach?
  • Are there other simpler/better solution to it or a similar use case?

Any sort of help will be highly appreciated.

Thanks!

1
single-sign-onsamlopenid-connectidp

1 Answers

2
votes

It's becoming a pretty common problem to have as more services move to OpenIdConnect e.g. a SAML workflow running in parallel with Office365 OIDC authentication. Your approach makes perfect sense.

As you say, the IdP should translate the OIDC JWT claims to SAML attributes for the SP to consume and there are various options for bridging between SAML and OIDC.

If you want to go the paid route, Overt have a Shibboleth/ADFS bridge with a cloud based IdP.

Or your could install the 'standard' IdP and develop your own bridge. Basically it would delegate authentication to the OIDC provider and turn the claims to SAML, perhaps augmented with an LDAP lookup to get more attributes.

Or you could use the 'standard' IdP and install apache and mod_auth_openidc in front of it to manage the OIDC authentication and claims handling.

As for security, as long as you can trust the OIDC claims you should be fine. The SAML trust has already been taken care of by the SAML metadata of the IdP/SP. The authentication will be handled by OIDC and JWT claims will be sent to your SAML IdP so as long as you secure the route between IdP and OIDC it should be as secure as the SAML route.

In the case of Office365 as the OIDC provider, the IdP will need to be registered as a tenant app and the claims will be sent to its replyUrl.