Introduction
This article outlines the steps needed to perform SAML authentication using the SSO Service URL endpoint and the SAML token endpoint.
Calling the SAML endpoints initiates a login flow by returning a SAML Single Sign-On (SSO) Service URL for the configured identity provider. The returned token_poll_id can then be used to obtain the Vault token once the user has authenticated with the identity provider and the SAML response has passed validation.
Expected Outcome
The expected outcome is that applications are able to generate a Vault token using the SAML SSO Service URL and the SAML token endpoint.
Prerequisites (if applicable)
- Vault Enterprise
- An identity provider, such as Okta.
Use Case
In this scenario the SAML sso_service_url endpoint is called with a client_challenge to obtain an SSO Service URL. Once the SSO Service URL has been obtained and the user has signed in, the SAML token endpoint is used to generate a Vault token using the matching client_verifier.
Procedure
Configure the Vault SAML authentication method as outlined in the documentation
Once configured, generate a random client_verifier and derive the client_challenge from it (the client_challenge is the base64-encoded SHA-256 hash of the client_verifier). An example script is shown below:
#!/bin/bash
# Generate a random client_verifier (32 random bytes, hex-encoded: 64 characters)
client_verifier=$(openssl rand -hex 32)
# Compute the client_challenge: base64-encoded SHA-256 hash of the client_verifier string
hashed_verifier=$(echo -n "$client_verifier" | openssl dgst -sha256 -binary | base64)
# Print both values; keep the verifier private, only the challenge is sent to Vault in the first step
echo -e "Client Verifier: $client_verifier\nClient Challenge: $hashed_verifier"
./generate.sh
Client Verifier: e390e4d2e481bd38442e648e2ec60b63c6ddea28551067b8d686799eb1d1464b
Client Challenge: 1IbiULjNcfKzm9uzc975Foes0Jv0wmdHM2WbUK5IjE8=
Generating the SSO Service URL using the client_challenge (CC):
CC=1IbiULjNcfKzm9uzc975Foes0Jv0wmdHM2WbUK5IjE8=
vault write auth/saml/sso_service_url client_challenge=${CC}
Key Value
--- -----
sso_service_url https://trial-1234567.okta.com/app/trial-1234567_aquateamsaml_1/exkcpz4c5laqrzxTO697/sso/saml?RelayState=634f15c1-9cb8-a23d-efdb-d14908f8bbe9&SAMLRequest=jJHNbtswEIRfReCdv%2FonJAFuc6iBFDFitYdejDXF1oIlUuZSgZGnL2K3QHtpc57dmcE3zWaNJ%2FdsL6vFmFznyWFL1uC0BxxRO5gt6mj0fvP5USsm9BJ89MZPJNk%2BtORQ22Nh5CDpYCtDUykqmg3fJVV5LdRg0hQgJ8lXG3D0riWKCZJsEVe7dRjBxZYooTIqUqrKXkqthM4ylmZpXdbfSPJgMY4O4u35FOOCmvMYRphoKqu8qAvmzxGY8TOHZflbOsBlhWhhRping%2BT2ejbLa2byCS7h9do%2FFXXJET1%2F00myQbThLemjd7jONuxteBmN%2FfL8eM%2FWnEtVMsEEk7pSQvAXyWGNp5sBNzBNRzBnkux%2BMfowumF0P%2F4N9Hg%2FQv2p73d097TvSdfcEIX37AG%2FW5Pu%2Fx0bfjfuGv7n7t3PAAAA%2F%2F8%3D
token_poll_id 952f2334-83a7-2557-a8e5-bd01cede0e96
At this point the user must authenticate with the identity provider by opening the sso_service_url returned above.
Once the user has authenticated, a Vault token can be obtained using the client_verifier (CV) and the token_poll_id (TP):
CV=e390e4d2e481bd38442e648e2ec60b63c6ddea28551067b8d686799eb1d1464b
TP=952f2334-83a7-2557-a8e5-bd01cede0e96
vault write auth/saml/token client_verifier=${CV} token_poll_id=${TP}
WARNING! The following warnings were returned from Vault:
TTL of "840h" exceeded the effective max_ttl of "768h"; TTL value is
capped accordingly
Key Value
--- -----
token hvs.CAESIPM7BIyzBzYiocKE7lcQiYd6eyIbjvvJMNMp-n8SPRXGGiAKHGh2cy5rbjN5aTdBemhRSXd2b2NPNWcwdUhPazcQXw
token_accessor 0B41hx8MU6MPJ4wuNdlquUix
token_duration 768h
token_renewable true
token_policies ["aqua-team-secrets" "default"]
identity_policies []
policies ["aqua-team-secrets" "default"]
token_meta_role project-aqua-developers
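The two manual steps above (challenge generation followed by the sso_service_url call, then the token call with the verifier) can be driven by one script. The following is an added example, not part of the original article or of Vault itself. It assumes the vault, openssl, jq and base64 binaries are on PATH, that VAULT_ADDR points at a Vault Enterprise cluster with auth/saml configured, and that the token endpoint returns an error (non-zero CLI exit) while the login is still pending, so the script retries until the user has signed in or a limit is reached. The function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: end-to-end SAML login with the Vault CLI (not the article's code).
# Assumes: vault, openssl, jq, base64 on PATH; VAULT_ADDR set; auth/saml configured.
set -eu

# 32 random bytes, hex-encoded (64 characters). The verifier stays with this client:
# it is never shown to the identity provider and is only sent to Vault in step 2.
generate_verifier() {
  openssl rand -hex 32
}

# client_challenge = base64(SHA-256(client_verifier)), the same derivation as above.
derive_challenge() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n'
}

# Step 1: request the SSO Service URL. sso_service_url and token_poll_id arrive in one
# response, so it is read once as JSON (calling the endpoint twice would start two logins).
request_sso() {
  vault write -format=json auth/saml/sso_service_url client_challenge="$1"
}

# Step 2: poll the token endpoint until the user has authenticated at the IdP.
# Assumption: a failing write means "login still pending"; give up after $3 attempts.
poll_token() {
  verifier=$1; poll_id=$2; attempts=${3:-60}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if token=$(vault write -field=token auth/saml/token \
                 client_verifier="$verifier" token_poll_id="$poll_id" 2>/dev/null); then
      printf '%s\n' "$token"
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  echo "timed out waiting for SAML login (token_poll_id=$poll_id)" >&2
  return 1
}

saml_login() {
  verifier=$(generate_verifier)
  challenge=$(derive_challenge "$verifier")
  resp=$(request_sso "$challenge")
  sso_url=$(printf '%s' "$resp" | jq -r '.data.sso_service_url')
  poll_id=$(printf '%s' "$resp" | jq -r '.data.token_poll_id')
  echo "Open this URL in a browser and sign in with the identity provider:" >&2
  echo "$sso_url" >&2
  # Only the challenge and the poll id have left this process so far; presenting the
  # verifier now proves that the caller collecting the token is the one that began the login.
  poll_token "$verifier" "$poll_id"
}

# Run the full flow only when invoked as: ./saml_login.sh login
if [ "${1:-}" = "login" ]; then
  saml_login
fi
```

The token is written to stdout and everything else to stderr, so `VAULT_TOKEN=$(./saml_login.sh login)` captures it directly. For interactive use the CLI's built-in `vault login -method=saml` performs the same exchange; the script is for applications that need to drive the flow themselves.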