https://github.com/pushpabrol/saml-idp-migration-to-auth0
This repo contains instructions on how to migrate SAML IdPs from a platform such as Ping or another third-party provider to Auth0.
- Host: GitHub
- URL: https://github.com/pushpabrol/saml-idp-migration-to-auth0
- Owner: pushpabrol
- Created: 2022-08-04T21:40:46.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2022-08-16T20:50:17.000Z (almost 4 years ago)
- Last Synced: 2025-01-19T04:34:09.911Z (over 1 year ago)
- Size: 8.79 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# saml-idp-migration-auth0
This repo contains instructions on how to migrate SAML IdPs from a platform such as Ping or another third-party provider to Auth0.
## Problem statement
A customer whose applications act as a SAML Service Provider on a third-party platform has set up hundreds of SAML IdPs (enterprise connections), one per partner or customer. They want to migrate to Okta CIC (Auth0) without the partners having to change anything on their side: the metadata already exchanged to establish the IdP trust (entity IDs, ACS URLs, certificates) must keep working. Re-establishing hundreds of trusts by hand is a very large amount of work, so a migration that can be done with low touch is desirable.
## How do we solve this?
- The solution is a proxy that listens on the ACS URL of the source Service Provider (the existing platform) and re-posts the SAML Response it receives, unchanged, to the ACS URL of the destination Service Provider (Auth0). The partner IdPs keep posting to the ACS URL that is already in their metadata, so nothing changes for them, and because the response is forwarded byte-for-byte the IdP's signature over it still verifies at Auth0.
- Flow before routing

- Flow after routing is enabled via the proxy

- Because this solution sits in the middle of a SAML authentication response, the following prerequisites must hold for every IdP being migrated.
- Prerequisites:
1. Each SAML IdP has a unique Entity ID, so responses can be told apart by their Issuer.
2. Each SAML IdP posts to a unique ACS URL on the source SP, so the proxy can map the URL it was hit on to the matching Auth0 connection.
3. No SAML IdP requires a signed AuthnRequest from the source SP for SP-initiated flows: after the migration the AuthnRequest is generated by Auth0, and Auth0 does not hold the source SP's signing key that the partner has in the exchanged metadata.
4. No SAML IdP encrypts the SAML response (or its assertion) with the source SP's public key: Auth0 does not hold the source SP's private key and could not decrypt it.
## Source projects that contain the required code for this solution
- The proxy source code that re-routes the SAML Response
1. For this example the proxy runs as a Cloudflare Worker
2. [Source code](https://github.com/pushpabrol/cf-worker-saml-proxy-externalsp-auth0)
- The code using the Auth0 Management API to create the IDP/Enterprise SAML Connection
1. [Source code](https://github.com/pushpabrol/auth0-create-saml-connection)
- See the README within each project for steps
- It is important to understand that in Auth0 we are disabling some of the checks, such as the Destination and Recipient checks, to allow this to function: those fields in the forwarded response still name the source SP's ACS URL rather than Auth0's. The assurance that remains therefore rests on the checks Auth0 still performs, above all the IdP's XML signature over the response, so signature validation must stay enabled, and the proxy should forward only to a fixed, per-IdP destination rather than to anything derived from the request.
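The following is an added example of the re-posting proxy described above, written in the style of a Cloudflare Worker; it is not the code from the linked cf-worker repository. It assumes a hypothetical routing table from IdP Entity ID to Auth0 connection ACS URL (the `ROUTES` values are made up), decodes the posted `SAMLResponse` only far enough to read the Response-level `Issuer` and to detect an `EncryptedAssertion` (prerequisite 4), and answers with a self-submitting form that re-POSTs the unchanged `SAMLResponse` and `RelayState` to the destination. Untrusted form values are HTML-escaped before being written into the page, and the destination is never taken from the request. The sample response XML is constructed for the demonstration and is unsigned.

```javascript
// Added example, not the project's own code. Minimal SAML Response re-poster
// in the style of a Cloudflare Worker (fetch handler at the bottom).

// Hypothetical routing table (assumed values): IdP Entity ID -> destination ACS.
// Keyed on the Issuer so a response from one IdP is never forwarded into
// another IdP's Auth0 connection.
const ROUTES = {
  "https://idp.partner-a.example/saml":
    "https://example-tenant.us.auth0.com/login/callback?connection=partner-a",
  "https://idp.partner-b.example/saml":
    "https://example-tenant.us.auth0.com/login/callback?connection=partner-b",
};

// Constructed sample response (unsigned; for the routing demo only).
const SAMPLE_RESPONSE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2022-08-16T20:00:00Z" Destination="https://legacy-sp.example/acs/partner-a">
  <saml:Issuer>https://idp.partner-a.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-08-16T20:00:00Z">
    <saml:Issuer>https://idp.partner-a.example/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@partner-a.example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`;

// Base64 helpers using the atob/btoa globals that Workers and Node both provide.
function encodeBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

function decodeSamlResponse(b64) {
  const bin = atob(b64.replace(/\s+/g, ""));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Read the Response-level <Issuer>. This is only a routing hint: the trust
// decision is Auth0's signature check on the forwarded, unmodified response.
function extractIssuer(xml) {
  const m = xml.match(/<(?:[\w-]+:)?Issuer[^>]*>([^<]+)<\/(?:[\w-]+:)?Issuer>/);
  return m ? m[1].trim() : null;
}

// Prerequisite 4: an assertion encrypted to the source SP's key cannot be
// read by Auth0, so refuse to forward it instead of producing a confusing
// failure downstream.
function isEncrypted(xml) {
  return /<(?:[\w-]+:)?EncryptedAssertion\b/.test(xml);
}

// Escape untrusted values before embedding them in the auto-post form.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Decide where (if anywhere) a posted SAMLResponse goes.
function route(samlResponseB64) {
  let xml;
  try {
    xml = decodeSamlResponse(samlResponseB64);
  } catch {
    return { status: 400, error: "SAMLResponse is not valid base64" };
  }
  if (isEncrypted(xml)) return { status: 400, error: "encrypted assertions cannot be proxied" };
  const issuer = extractIssuer(xml);
  const destination = issuer && ROUTES[issuer];
  if (!destination) return { status: 404, error: "no route for issuer" };
  return { status: 200, issuer, destination };
}

// Self-submitting HTML form carrying the unchanged SAMLResponse and RelayState.
function buildRepostForm(destination, samlResponseB64, relayState) {
  const relay = relayState
    ? `<input type="hidden" name="RelayState" value="${escapeHtml(relayState)}">`
    : "";
  return `<!doctype html><html><body onload="document.forms[0].submit()">
<form method="post" action="${escapeHtml(destination)}">
<input type="hidden" name="SAMLResponse" value="${escapeHtml(samlResponseB64)}">
${relay}<noscript><button type="submit">Continue</button></noscript>
</form></body></html>`;
}

// Worker entry point; a Worker would export `{ fetch: handleRequest }`.
async function handleRequest(request) {
  if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
  const form = await request.formData();
  const samlResponse = form.get("SAMLResponse");
  const relayState = form.get("RelayState") || "";
  if (typeof samlResponse !== "string") return new Response("missing SAMLResponse", { status: 400 });
  const r = route(samlResponse);
  if (r.status !== 200) return new Response(r.error, { status: r.status });
  return new Response(buildRepostForm(r.destination, samlResponse, relayState), {
    status: 200,
    headers: { "content-type": "text/html; charset=utf-8", "cache-control": "no-store" },
  });
}
```

The routing key is the Issuer rather than the inbound path so that a response from one partner cannot be steered into another partner's connection by hitting a different source ACS URL; if the source SP's ACS URLs are unique per IdP (prerequisite 2), the path can be checked against the Issuer as a second condition. The browser sees a normal POST-binding hop, so the end-user experience is unchanged apart from the extra redirect.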