A roadmap for ensuring SAML authentication using Identity server for on-premises and cloud

This is a Master's thesis from Luleå tekniska universitet / Institutionen för system- och rymdteknik (Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering)

Author: Triveni Kodam; [2019]

Keywords: SAML; IDP; IAM; Identity server; SP;

Abstract: Cloud-based applications, especially SaaS applications, have become essential for startups and businesses of all sizes. Adopting these web applications helps to reduce operational costs and provides flexibility in accessing individual users' data. On the other hand, the use of these cloud services raises security issues such as authentication, authorization and web application security. Additionally, if an on-premises application is moved to the cloud, the traditional identity solutions no longer work, which affects user authentication. This thesis treats 'authentication' as one of the main security issues to be addressed. Thus, a new federated Identity and Access Management (IAM) system needs to be realized that can be used both on-premises and in the cloud to authenticate users correctly and securely. To meet the described challenges within the cybersecurity domain, this thesis focuses on two aspects of IT security: 1) SaaS applications rely on IAM; 2) IAM for securely authenticating users. This thesis work addresses both aspects in two parts. First, by developing a SaaS web application that includes an authentication module supporting the SAML 2.0 standard protocol. Second, by using the open source WSO2 IAM server to authenticate users securely. To implement the SaaS application, the PAC4j security library for the Play framework is used to support the SAML SSO profile for authenticating users. The profile provides functionality for two roles: SAML Service Provider and SAML Identity Provider. The developed SaaS application acts as the service provider while the WSO2 Identity Server acts as the identity provider. The SAML request-response authentication workflow between these providers is verified to establish the correctness and security of the user login information.
The research presented in this thesis is helpful for startup companies that are initially looking to minimize the cost of an application that works both on-premises and in the cloud without compromising the security of users' login information.
