
Introduction

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, called an Identity Provider, and a SAML consumer, in this case PrimeKey® SignServer Enterprise. The assertions are digitally signed and can be verified with the public key and certificate of the SAML authority. The SAML Authorizer allows the authorization server to be kept separate from the SignServer application and provides eIDAS-compliant authentication and authorization for signing and validation workers, using multi-factor authentication (MFA).

Use case example

Several authorization servers are available; this implementation has been tested with Cryptomathic Authenticator. The following use case example outlines authenticating with Cryptomathic Authenticator (as the SAML authority) to obtain a signed SAML Response, which is then included in the request sent from the client to SignServer (the SAML consumer). The client in the following overview could, for example, be an Enterprise application communicating with a document management system.


Authentication and authorization flow

Step 1. Distribution of the SAML authority's certificate (carrying its public key): the worker in SignServer is configured to trust the SAML authority's certificate. Authorization rules matching the attributes of the assertion in the signed SAML Response are also configured.
Step 2. Client or user sends a request to consume the service: the user requests signing or validation services from the Enterprise application.
Step 3. Authentication requested: the Enterprise application requests authentication from the SAML authority, providing details about the user's authentication domain.
Step 4. SAML authority provides the authentication context: the authentication context for the user is provided.
Step 5. Authentication context forwarded to the user: the user receives from the SAML authority the authentication context to be used to authenticate to the service, and uses it.
Step 6. Authentication of the user: the user authenticates with credentials at the authentication server / Identity Provider. When MFA is enabled, the authentication may take several rounds.
Step 7. Signed SAML Response produced: on successful authentication, the user receives the signed SAML Response from the SAML authority. The response also contains an AudienceRestriction element naming the target system for which the SAML Response may be used.
Step 8. Signed SAML Response forwarded: the user forwards the signed SAML Response as proof of successful authentication and authorization for the signing / validation request.
Step 9. Request to sign / validate: the request, carrying the signed SAML Response, is submitted to SignServer.
Step 10. Task performed and response provided: SignServer validates the signed SAML Response and its assertion attributes, performs the operation, and returns a response to the Enterprise application.
Step 11. Response: the user receives the response from SignServer.
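The two ends of this flow, the authority producing the signed SAML Response (step 7) and the consumer validating it before acting (steps 1 and 10), as an added Go example. This is illustration code written for this page, not SignServer's or Cryptomathic's implementation, and it makes several simplifications that are assumptions of the example: the data model is reduced to Issuer, Subject, Conditions (validity window and AudienceRestriction) and an AttributeStatement without namespaces; the signature is a plain RSA-SHA256 signature over the marshalled Assertion element, standing in for the XML-DSig ds:Signature and canonicalisation that a real SAML Response uses; and the consumer is handed the authority's public key and issuer name directly, where SignServer would take both from the trusted certificate configured on the worker. The names saml-authority.example and the worker URL are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// Reduced SAML 2.0 model: names follow the standard; namespaces and optional elements are left out.
type Conditions struct {
	NotBefore    string   `xml:"NotBefore,attr"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Audience     []string `xml:"AudienceRestriction>Audience"`
}
type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}
type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Issuer     string      `xml:"Issuer"`
	NameID     string      `xml:"Subject>NameID"`
	Conditions Conditions  `xml:"Conditions"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// Signature: base64 RSA-SHA256 over the marshalled Assertion (stand-in for XML-DSig; re-marshalling stands in for canonicalisation).
type Response struct {
	XMLName   xml.Name  `xml:"Response"`
	Issuer    string    `xml:"Issuer"`
	Signature string    `xml:"Signature"`
	Assertion Assertion `xml:"Assertion"`
}

// SignResponse is the authority side of step 7: sign the assertion and wrap it in a Response.
func SignResponse(key *rsa.PrivateKey, a Assertion) ([]byte, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return xml.Marshal(Response{Issuer: a.Issuer, Signature: base64.StdEncoding.EncodeToString(sig), Assertion: a})
}

// Consumer is the worker-side configuration from step 1.
type Consumer struct {
	AuthorityKey *rsa.PublicKey    // from the authority certificate distributed in step 1
	Issuer       string            // expected Issuer value of the Response and its Assertion
	Audience     string            // identifier of this consumer; must appear in AudienceRestriction
	Rules        map[string]string // attribute name -> required value
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Verify is the consumer side of step 10. It returns the authenticated NameID or the first
// failed check; the signature is verified before anything inside the assertion is trusted.
func (c Consumer) Verify(raw []byte, now time.Time) (string, error) {
	var resp Response
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	body, err := xml.Marshal(resp.Assertion) // the signed bytes, rebuilt from the parsed assertion
	sig, err2 := base64.StdEncoding.DecodeString(resp.Signature)
	if err != nil || err2 != nil {
		return "", fmt.Errorf("malformed response")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(c.AuthorityKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	a := resp.Assertion
	if a.Issuer != c.Issuer || resp.Issuer != c.Issuer {
		return "", fmt.Errorf("issuer %q is not the trusted authority", a.Issuer)
	}
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return "", fmt.Errorf("assertion is outside its validity window")
	}
	if !contains(a.Conditions.Audience, c.Audience) {
		return "", fmt.Errorf("AudienceRestriction does not name %q", c.Audience)
	}
	for name, want := range c.Rules { // every configured rule must be met by an attribute
		matched := false
		for _, at := range a.Attributes {
			matched = matched || (at.Name == name && contains(at.Values, want))
		}
		if !matched {
			return "", fmt.Errorf("authorization rule %s=%s not satisfied", name, want)
		}
	}
	return a.NameID, nil
}
```

To exercise it, build an Assertion, sign it with an RSA key via SignResponse, and hand the bytes to a Consumer configured with the matching public key, issuer, audience and rules; a response for another audience, an expired one, one with an edited AttributeValue, or one signed by a different key is rejected, and an assertion that lacks a configured attribute value fails the authorization rule even though its signature is good. The order of checks is the point: the signature is verified first, because the attribute values and the audience only mean something once they are known to come from the trusted authority. With real XML-DSig the consumer must additionally confirm that the signed reference actually covers the assertion it goes on to use, since a ds:Signature that verifies over some other part of the document proves nothing about that assertion.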