Security - SAML 2.0 IdP Integration


Introduction

ModelOp Center integrates with SAML 2.0 to enable enterprise-grade authentication and access control, allowing isolation of models by authorized groups.


Overview

The saml-support-service is an optional microservice in the ModelOp Center install. This service is the bridge between components using SAML 2.0 and components using OAuth 2.x. The roles of the saml-support-service include:

  1. SAML 2.0 Service Provider (SP)

  2. OAuth 2.x Authorization Server (AS)

When in the role of SP, the saml-support-service is responsible for initiating user authentication with a SAML request to the SAML identity provider (IdP). After receiving the SAML assertion, the saml-support-service validates it and parses the necessary information: the username, user attributes, etc.

When in the role of AS, the saml-support-service is responsible for issuing OAuth 2.x tokens. The token payload carries the information parsed from the SAML assertion (username, user attributes, groups), so downstream ModelOp Center components never see SAML directly.

The implementation of both roles is done using Spring.
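As an added illustration of the two roles described above (this is example code written for this page, not the saml-support-service's Spring implementation), the following Python does what an SP does after the IdP responds (checks the assertion's issuer, validity window and audience, then maps SAML attributes to claims) and what an AS does next (mints a token carrying those claims). The assertion XML, the issuer and audience URLs, the attribute-name mapping and the HS256 token secret are all constructed for the demo; the assertion is unsigned and its signature is deliberately not checked here, which a real SP must do first with an XML-DSig library, and untrusted XML should be parsed with `defusedxml` rather than the stdlib parser.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://forgerock.example.com/am"                 # assumed IdP entity ID
EXPECTED_AUDIENCE = "https://mocenter.example.com/saml-support-service"  # assumed SP entity ID
TOKEN_SECRET = b"constructed-demo-secret"  # placeholder; a real AS signs with its configured key
# Assumed mapping from the customer's SAML attribute names (the page's examples) to token claims.
ATTRIBUTE_MAP = {"uid": "preferred_username", "givenName": "given_name",
                 "lastName": "family_name", "email": "email", "groups": "groups"}

# Constructed sample assertion: unsigned, and deliberately missing givenName/lastName.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://forgerock.example.com/am</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mocenter.example.com/saml-support-service</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>data-science</saml:AttributeValue>
      <saml:AttributeValue>risk-models</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def _parse_instant(value):
    # SAML instants are UTC; ForgeRock may emit fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlValidationError(f"unparseable instant {value!r}")


def validate_assertion(xml_text, now, attribute_map=ATTRIBUTE_MAP):
    """SP role: check issuer, validity window and audience, then map attributes to claims.

    The XML signature is NOT verified here (stdlib has no XML-DSig); a real SP must
    verify it against the IdP's signing certificate before trusting any of this.
    """
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise SamlValidationError("root element is not a SAML Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise SamlValidationError("unexpected Issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if cond.get("NotBefore") and now < _parse_instant(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_instant(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise SamlValidationError("missing NameID")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    claims = {"sub": subject, "groups": []}  # absent groups attribute => member of nothing
    for saml_name, claim in attribute_map.items():
        if saml_name in attrs:  # missing optional attributes are simply not asserted
            claims[claim] = attrs[saml_name] if claim == "groups" else attrs[saml_name][0]
    return claims


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_access_token(claims, now, ttl=timedelta(minutes=15), secret=TOKEN_SECRET):
    """AS role: issue a compact JWS carrying the SAML-derived claims (HS256 only for the demo)."""
    payload = dict(claims, iss=EXPECTED_AUDIENCE, iat=int(now.timestamp()), exp=int((now + ttl).timestamp()))
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(payload).encode())
    return signing_input + "." + _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def decode_access_token(token, secret=TOKEN_SECRET):
    """Verify the token signature and return the payload; raise on tampering or wrong key."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

Running `mint_access_token(validate_assertion(SAMPLE_ASSERTION, now), now)` with `now` inside the assertion's validity window yields a token whose `groups` claim is `["data-science", "risk-models"]`; moving `now` outside the window, or changing the audience, makes `validate_assertion` raise before any token is issued, which is the behaviour to preserve when wiring group-based model isolation to these claims.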

[Figure] High-level architecture that represents the use of SAML 2.0 and OAuth 2.x components

ForgeRock: The SAML IdP responsible for authenticating users on behalf of ModelOp Center as well as providing necessary user information as part of the SAML assertion.


Prerequisites

For a successful integration of ModelOp Center with a SAML 2.0 IdP, the following prerequisites must be met:

Supported SAML 2.0 IdPs:

  • ForgeRock 7.1.x

ForgeRock:

  1. Entity providers:

    1. Configure ForgeRock as hosted IdP

      1. Assertion Content

        1. Sign logout request

        2. Sign logout response

      2. Assertion Processing

        1. SAML Attribute*:

          1. uid

          2. givenName

          3. lastName

          4. email

          5. groups**

    2. Configure saml-support-service as remote SP

      1. Assertion Content

        1. Sign logout response

  2. Circle of Trust

    1. Configure a circle of trust between the aforementioned entity providers

  3. Required information for ModelOp Center configuration:

    1. ForgeRock URL

    2. ForgeRock metadata URL

    3. ForgeRock logout URL

saml-support-service:

  1. Signing credentials

    1. Configure the private key and certificate for signing SAML requests

  2. SP metadata file***


Known Limitations

The OAuth 2.x Authorization Server does NOT support the following grant types (both are also deprecated by the OAuth 2.0 Security Best Current Practice, RFC 9700):

  1. Password Grant Flow

    1. Impacts ModelOp CLI

  2. Implicit Grant Flow

    1. Impacts Jupyter and Tableau integrations


*The listed SAML attribute names (uid, givenName, …) are only examples; the customer may use other names for each SAML attribute.

**The groups to which the user belongs. ModelOp Center uses these groups to isolate models by authorized group.

***The SP metadata file can only be generated after the saml-support-service is deployed, because its endpoint URLs depend on the saml-support-service URL.