With a SAML 2.0 connection, the service provider (a web service or SaaS application) trusts the identity provider (the NAM IDP) to validate the user's authentication credentials and to send identity information about the authenticated user. The service provider accepts that data and uses it to grant the user access to the web service or application. The exchange is transparent to the user, who reaches the web service or SaaS application without providing additional credentials.
In most cases the user's account is already set up on the service provider's side by administrators, or the service provider uses Just-in-Time provisioning to create the account at first login.
The NetIQ Access Manager IDP authenticates the user based on the configured contracts and passes the user's identity (user ID, email, employee ID, etc.) into the SAML assertion as the NameID or as an additional attribute. The NAM IDP can also be configured to include the user's role information (Admin, Approver, User, etc.) in the SAML assertion so that the service provider can perform authorization based on the user's role.
An organization may also need to perform authorization before the SAML assertion is issued at all. For example, an organization wants to allow access to certain apps only for employees and wants to block access when a contractor or vendor tries to reach those apps; in that case the IDP should refuse to issue the assertion rather than leave the decision to the service provider. This article explains how to use the Risk-Based Authentication method to achieve this use case.
There are two ways to configure Risk-Based Authentication: risk can be assessed before the user authenticates, or after authentication.
In this solution we use the second option, i.e. assess and mitigate risk after authentication, because the rule needs the authenticated user's attributes (such as employee versus contractor) to make its decision.
The NAM documentation describes Risk-Based Authentication in more detail.
Try to access the SAML 2 service provider URL (IDP-initiated or SP-initiated) and log in as a non-employee user. You get the Access Denied page. Here are the logs from the IDP server:
<amLogEntry> 2018-06-07T18:32:21Z DEBUG NIDS Application: Rule_Employee : false </amLogEntry>
<amLogEntry> 2018-06-07T18:32:21Z INFO NIDS Application: User: contractorTest risk action: DENY risk score: 100 </amLogEntry>
Now try to access the SAML 2 service provider URL (IDP-initiated or SP-initiated) and log in as an employee user. The user is able to log in and the assertion is issued. Here are the logs from the IDP server:
<amLogEntry> 2018-06-07T18:25:52Z DEBUG NIDS Application: Rule_Employee : true </amLogEntry>
<amLogEntry> 2018-06-07T18:25:52Z INFO NIDS Application: User: employeeTest risk action: ALLOW risk score: 0 </amLogEntry>
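The amLogEntry lines above are the only evidence an auditor has that the pre-assertion authorization actually fired, so it is worth being able to pull them out of the IDP log automatically, for example to feed DENY decisions to a SIEM or to spot a policy that allows a user even though Rule_Employee evaluated to false. The following Python script is an added example and is not part of the original article or of NetIQ's product; the log sample inside it is constructed from the two excerpts shown above plus one unrelated INFO entry, and the assumption that Rule_Employee true should always lead to ALLOW and false to DENY reflects this article's policy only.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two amLogEntry excerpts shown in this article (the first
# one wrapped over two lines, as it appears in the article) plus one unrelated
# INFO entry to show that non-risk messages are skipped.
SAMPLE_LOG = """\
<amLogEntry> 2018-06-07T18:32:21Z DEBUG NIDS Application:
Rule_Employee : false </amLogEntry>
<amLogEntry> 2018-06-07T18:32:21Z INFO NIDS Application: User: contractorTest risk action: DENY risk score: 100 </amLogEntry>
<amLogEntry> 2018-06-07T18:25:52Z DEBUG NIDS Application: Rule_Employee : true </amLogEntry>
<amLogEntry> 2018-06-07T18:25:52Z INFO NIDS Application: User: employeeTest risk action: ALLOW risk score: 0 </amLogEntry>
<amLogEntry> 2018-06-07T18:26:10Z INFO NIDS Application: Something unrelated </amLogEntry>
"""

# One <amLogEntry> ... </amLogEntry> record; DOTALL lets a record span lines.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<component>.+?):\s*"
    r"(?P<msg>.*?)\s*</amLogEntry>",
    re.DOTALL,
)
# DEBUG line emitted per risk rule: "<RuleName> : true|false"
RULE_RE = re.compile(r"^(?P<rule>\w+)\s*:\s*(?P<result>true|false)$")
# INFO line with the final decision for the authenticated user.
DECISION_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+risk action:\s*(?P<action>ALLOW|DENY)\s+risk score:\s*(?P<score>\d+)"
)


@dataclass
class RiskDecision:
    timestamp: str
    user: str
    action: str
    score: int
    # rule name -> outcome, collected from the DEBUG lines that precede the decision
    rule_results: Dict[str, bool] = field(default_factory=dict)


def parse_risk_decisions(log_text: str) -> List[RiskDecision]:
    """Return one RiskDecision per 'risk action' entry, each carrying the rule
    outcomes logged since the previous decision."""
    decisions: List[RiskDecision] = []
    pending_rules: Dict[str, bool] = {}
    for entry in ENTRY_RE.finditer(log_text):
        msg = entry.group("msg")
        rule = RULE_RE.match(msg)
        if rule:
            pending_rules[rule.group("rule")] = rule.group("result") == "true"
            continue
        decision = DECISION_RE.search(msg)
        if decision:
            decisions.append(RiskDecision(
                timestamp=entry.group("ts"),
                user=decision.group("user"),
                action=decision.group("action"),
                score=int(decision.group("score")),
                rule_results=dict(pending_rules),
            ))
            pending_rules = {}  # rule outcomes belong to the decision they precede
    return decisions


def denied_users(decisions: List[RiskDecision]) -> List[str]:
    """Users whose SAML assertion was refused by the risk policy."""
    return sorted({d.user for d in decisions if d.action == "DENY"})


def action_counts(decisions: List[RiskDecision]) -> Counter:
    return Counter(d.action for d in decisions)


def inconsistent_decisions(decisions: List[RiskDecision], rule: str = "Rule_Employee") -> List[RiskDecision]:
    """Decisions that contradict this article's policy intent (assumption: rule true
    must yield ALLOW, rule false must yield DENY). An ALLOW for a user whose
    employee rule was false is the case an auditor most wants to see."""
    flagged = []
    for d in decisions:
        if rule not in d.rule_results:
            continue  # rule was not evaluated for this decision; nothing to compare
        expected = "ALLOW" if d.rule_results[rule] else "DENY"
        if d.action != expected:
            flagged.append(d)
    return flagged


if __name__ == "__main__":
    decs = parse_risk_decisions(SAMPLE_LOG)
    for d in decs:
        print(f"{d.timestamp} {d.user}: {d.action} (score {d.score}) rules={d.rule_results}")
    print("denied:", denied_users(decs))
    print("counts:", dict(action_counts(decs)))
    print("inconsistent:", [d.user for d in inconsistent_decisions(decs)])
```

The parser pairs each decision with the rule outcomes logged immediately before it, which is how the IDP writes them in the excerpts above; on a busy IDP where several logins interleave, correlate on the timestamp or on the session identifier in the full log line instead of relying on order alone.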