Blog | G5 Cyber Security

Automate SAML Login

TL;DR

This guide shows how to automate a SAML login for a service identity with scripts and tools such as curl or PowerShell, so that scheduled jobs do not depend on someone logging in by hand or on a human's password stored in a script. One caveat up front: most IdPs issue SAML assertions to a signed-in user session, while a client-credentials flow returns an OAuth 2.0 token rather than a SAML response, so check which non-interactive flows your IdP actually supports before building the pipeline.

Automating SAML Login

  1. Understand the Basics: SAML (Security Assertion Markup Language) lets a user sign in once at an Identity Provider (IdP) and be accepted by many Service Providers (SPs). The IdP issues a signed XML assertion about the user; the SP validates it and starts a session. Automating this means driving that same request/response exchange from a script, so you need to know which SAML bindings and sign-in flows your IdP allows for a non-interactive identity.
    • Service Principal: You’ll need a service principal, application registration or dedicated service account in your IdP that represents the automated user, with its own credential that can be rotated without touching any human’s password.
    • API Access: Your script needs permission to authenticate to the IdP (an API token, a client secret, or preferably a certificate). Keep that credential in a secret manager or an environment variable injected at run time, never in the script itself.
  2. Obtain a SAML Request (AuthnRequest): In an SP-initiated flow the service provider, not the IdP, generates the AuthnRequest and sends the browser to the IdP’s single sign-on endpoint with it, either in the query string (HTTP-Redirect binding: deflated, base64-encoded, URL-encoded) or in an auto-submitted HTML form (HTTP-POST binding). Request the SP’s login URL, capture the SAMLRequest value from the redirect or form it returns, and deliver it to the IdP’s SSO endpoint (the URL below is a placeholder; take the real one from the IdP’s metadata):
    curl -sS -c cookies.txt \
         -H "Content-Type: application/x-www-form-urlencoded" \
         --data-urlencode "RelayState=https://your-service-provider/some/url" \
         --data-urlencode "SAMLRequest=YOUR_BASE64_ENCODED_REQUEST" \
         https://your-identity-provider/sso/saml

    Replace YOUR_BASE64_ENCODED_REQUEST with the SAMLRequest value captured from your service provider. The IdP answers with its sign-in page, or, for an already authenticated session, with the auto-submit form carrying the SAMLResponse. Where the request is captured and what the IdP expects next varies by IdP (e.g., Microsoft Entra ID (Azure AD), Okta). If the IdP supports IdP-initiated SSO for the application, this step is not needed at all: the IdP produces an unsolicited Response without any AuthnRequest.

  3. Authenticate and Get SAML Response: Once the IdP has the request, authenticate to it as the service identity.
    • Azure AD / Microsoft Entra ID Example (PowerShell): This example uses the Invoke-RestMethod cmdlet to obtain an OAuth 2.0 access token with the client-credentials grant. Be clear about what it gives you: the token is a JWT for calling APIs that accept bearer tokens, not a SAML assertion. Entra ID does not return a SAML response for a client-credentials grant, because SAML assertions are issued for a signed-in user session. If the target application accepts only SAML, either give it an OAuth/OIDC integration the service principal can use, or sign in a dedicated service account through the IdP’s user sign-in flow under a policy that permits non-interactive authentication.
    $tenantId     = "YOUR_TENANT_ID"
    $clientId     = "YOUR_CLIENT_ID"
    $clientSecret = "YOUR_CLIENT_SECRET"   # better: read from a vault or $env:, and prefer a certificate credential

    $tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

    $body = @{
      grant_type    = "client_credentials"
      client_id     = $clientId
      client_secret = $clientSecret
      scope         = "YOUR_SCOPE"   # e.g., "https://your-resource/.default"
    }

    try {
      $tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method POST -Body $body `
                         -ContentType "application/x-www-form-urlencoded"
      $accessToken = $tokenResponse.access_token   # OAuth 2.0 bearer token (JWT), not a SAML response
    } catch {
      # A 400/401 here means bad client credentials, tenant or scope; do not retry in a loop.
      throw "Token request failed: $($_.Exception.Message)"
    }
  4. Okta Example (curl): An Okta API token authorizes calls to Okta’s management API; it does not by itself produce a SAML response, which Okta issues to a signed-in user session for a specific application. For a dedicated service account, Okta’s Authentication API can establish that session, after which the application’s SAML sign-on URL returns the SAMLResponse form.

    Consult Okta’s documentation for the current endpoints, parameters and the sign-on policies that govern non-interactive authentication.

  5. Parse the SAML Response: The IdP returns a samlp:Response document (XML, delivered base64-encoded in the SAMLResponse field of an auto-submitting form) that contains the Assertion. Decode and parse it only to inspect it: the NameID, the Status, the Conditions (NotBefore, NotOnOrAfter, Audience) and InResponseTo. Keep the original encoded value for the next step; the Response is signed, and re-serializing the XML breaks the signature.
    • XML Parsing Tools: Use tools like xmlstarlet or programming language libraries (e.g., Python’s lxml) to parse the XML. Both SAML namespaces must be declared, and the assertion sits under the Response element, not at the root:
      base64 --decode saml_response.b64 > response.xml
      xmlstarlet sel -N samlp="urn:oasis:names:tc:SAML:2.0:protocol" \
                     -N saml="urn:oasis:names:tc:SAML:2.0:assertion" \
                     -t -v "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID" response.xml
  6. Submit the Response: POST the SAMLResponse value exactly as the IdP produced it (the whole base64-encoded Response, not an assertion you extracted and re-encoded) to the service provider’s Assertion Consumer Service (ACS) URL together with the RelayState, and keep the session cookie the SP sets. The ACS URL below is a placeholder; take the real one from the SP’s metadata:
    curl -sS -b cookies.txt -c cookies.txt \
         -H "Content-Type: application/x-www-form-urlencoded" \
         --data-urlencode "SAMLResponse=YOUR_BASE64_ENCODED_RESPONSE" \
         --data-urlencode "RelayState=https://your-service-provider/some/url" \
         https://your-service-provider/saml/acs

    Replace YOUR_BASE64_ENCODED_RESPONSE with the SAMLResponse value from the previous step. A successful login usually answers with a redirect to the RelayState URL; the cookie stored in cookies.txt is what later requests use, so treat that file as a credential and delete it when the job ends.

  7. Error Handling: Implement robust error handling to catch issues like invalid credentials, network errors, a non-Success Status in the Response, an expired or wrong-audience assertion, and malformed XML.
    • Logging: Log request metadata and status codes for debugging, but redact SAMLResponse values, tokens and cookies: an assertion is a bearer credential for as long as it is valid.
    • Retry Logic: Retry only transient failures (timeouts, 5xx responses). On an expired or rejected assertion obtain a fresh one rather than resubmitting the old one, and never retry a 401/403 in a loop.
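The following Python script is an added example for steps 2, 5, 6 and 7 above; it is not code from this post or from any IdP vendor. It builds and decodes a SAMLRequest for the HTTP-Redirect binding, then inspects a SAMLResponse the way a client should before forwarding it: Status, Destination, InResponseTo, the validity window and the Audience, raising ValueError on anything unusable. Every URL, entity ID and request ID is a constructed placeholder, and the sample Response is constructed too. Signature verification is deliberately left to the SP, which is why the encoded value must be forwarded untouched.

```python
"""Client-side pieces of the SAML login automation above (steps 2, 5, 6, 7):
added example, not code from the G5 Cyber Security post. All URLs, entity
IDs, the request ID and the sample Response are constructed placeholders."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, relay_state):
    """Step 2, SP side: (request_id, redirect_url) for the HTTP-Redirect binding,
    i.e. raw DEFLATE -> base64 -> URL-encode. The SP normally does this; a
    script only needs it when it plays the SP itself (e.g. a test rig)."""
    request_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    doc = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>")
    z = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = z.compress(doc.encode()) + z.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{idp_sso_url}?{query}"


def decode_redirect_saml_request(redirect_url):
    """Step 2, automation side: inflate the SAMLRequest from the SP's redirect so
    the script knows the request ID (to check InResponseTo later) and the ACS URL."""
    params = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "acs_url": root.get("AssertionConsumerServiceURL"),
            "relay_state": params.get("RelayState", [None])[0]}


def inspect_response(saml_response_b64, expected_audience, expected_acs,
                     request_id=None, now=None):
    """Step 5: decode a SAMLResponse form value and check what the client can
    check; raises ValueError on anything unusable (step 7). Signatures and
    decryption are the SP's job: forward the original base64, never re-serialised XML."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise ValueError(f"malformed SAMLResponse: {exc}") from exc
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("top-level element is not samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError(f"IdP status: {None if code is None else code.get('Value')}")
    if root.get("Destination") not in (None, expected_acs):
        raise ValueError("Destination is not our ACS URL")
    if request_id and root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we sent")
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no plaintext Assertion with Conditions (EncryptedAssertion is opaque here)")
    not_before = _ts(cond.get("NotBefore")) if cond.get("NotBefore") else now
    if not (not_before <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window: fetch a fresh one, never replay")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError(f"assertion audience is {audience!r}, not us")
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "not_on_or_after": cond.get("NotOnOrAfter")}


# Constructed sample: the kind of Response an IdP's HTTP-POST form would carry.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)   # past NotOnOrAfter
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T11:59:50Z"
 Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T11:59:50Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>svc-automation@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>""".encode()).decode()
```

Usage: `inspect_response(SAMPLE_RESPONSE_B64, "https://sp.example.com", "https://sp.example.com/saml/acs", request_id="_req1", now=SAMPLE_NOW)` returns the NameID, issuer and expiry; the same call with `now=SAMPLE_LATER` raises because the assertion has expired, which is the case where a job must fetch a new Response instead of resubmitting the old one. For step 6 the body to POST is simply `urlencode({"SAMLResponse": SAMPLE_RESPONSE_B64, "RelayState": ...})` with the original base64 passed through unchanged, which is what the curl `--data-urlencode` form in step 6 does. The stdlib parser is used only because the input is first checked for the expected root element and the value is never re-emitted; in a production script prefer defusedxml or lxml with entity resolution disabled, since the document comes from the network.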

Important Considerations:
