Adding SAML SSO in your Golang service in 20 minutes

It’s really easy

The SAML protocol continues to be one of the most widely used authentication protocols, almost two decades after its initial release. Although some big players in the industry have started to transition to the newer OAuth2 and OpenID Connect, SAML 2.0 still remains the de facto standard for enterprise single sign-on.

At some point, every organization needs to protect its services and resources from public access. The way to do it is a single sign-on service, which puts a layer of authentication in front of the services by integrating with an Identity Provider. Too many new words?

What is Single Sign-on?

It means you can sign in once to your Google account (or some other account) and use that same account in multiple services that are not owned by Google, without entering a username and password again. Here the services put their trust in the authentication system provided by Google.

What is an Identity Provider (IDP)?

An Identity Provider offers user authentication as a service. In simple words, you add and manage your user accounts and groups in the Identity Provider, which then gives you a way to authenticate your users when they access any of your services.

So how does it happen?

In summary, whenever a user tries to access a website (or a resource) provided by a service provider, the service provider first checks whether the user already has a valid session with it.

That was a lot to process, mostly because "SAML request" and "SAML assertion" are jargon we have not defined yet. Let's dig into these to understand them further.

SAML Request

A SAML request contains information about the service provider that is trying to get a user authenticated by the IDP. The IDP may use this information to verify whether the request is coming from a legitimate source or not.

SAML Assertion

A SAML assertion is generated by the Identity Provider after the user has successfully signed in.

The assertion contains information about the authenticated user, such as their email address, department, or any other claims. Since it is signed by the Identity Provider, it acts as a certificate for the user requesting the resource.

Since the service provider is already aware of the Identity Provider, it can verify the signature applied to the assertion and accept the information present in it.
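As an added illustration (not the article's code, nor the API of the SAML library it uses), here are the checks a service provider owes an assertion before it accepts the claims inside, written against Go's standard library. The IDP and SP entity IDs, the attribute name and the assertion itself are constructed for this example; verifying the XML signature cryptographically is the SAML library's job and is assumed to have happened already.

```go
package main

import (
	"encoding/xml"
	"errors"
	"time"
)

// Subset of a SAML 2.0 assertion: the parts an SP must check before trusting its claims.
type Assertion struct {
	Issuer     string    `xml:"Issuer"`
	Signature  *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audience     []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// Constructed sample assertion (hypothetical IDP and SP); the signature value is a placeholder.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"><saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>https://app.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>`

// ValidateAssertion enforces issuer, validity window and audience; the XML signature itself is verified by the SAML library, only its presence is checked here.
func ValidateAssertion(raw []byte, idpIssuer, spEntityID string, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.Signature == nil || a.Issuer != idpIssuer {
		return nil, errors.New("assertion unsigned or from an unexpected issuer")
	}
	nb, errNB := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, errNA := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if errNB != nil || errNA != nil || now.Before(nb) || !now.Before(na) {
		return nil, errors.New("assertion has no validity window or is outside it")
	}
	for _, aud := range a.Conditions.Audience {
		if aud == spEntityID { // the IDP addressed this assertion to our SP
			return &a, nil
		}
	}
	return nil, errors.New("assertion not addressed to this service provider")
}
```

An assertion that fails any of these checks must be rejected even when its signature is valid, because a signed assertion issued for another service provider or replayed after its window is still a forged login from this service's point of view.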

Ok, that's enough theory, let's do some coding.

This looks fairly easy: you just need to configure it once, and then there is no need to care about session management at all. The library does all the handling for you.

Running the program with Azure AD gives the following output

For each identity provider, such as Azure AD, G Suite, Okta or any other, you will need to configure some parameters.

IDP configuration is out of scope for this article. I have added a few links for configuring the major IDPs in the appendix.

Appendix

Setting up IDP configuration
