DEV Community: Sheshbabu

Visual explanation of SAML authentication

Sheshbabu — Fri, 26 Jun 2020 04:33:25 +0000

SAML (Security Assertion Markup Language) is the most commonly used authentication protocol and SSO solution in enterprises.

What is SSO?

To put it simply, it's the enterprise equivalent of the "Login with Google" or "Login with Facebook" buttons we see in apps around the internet. We register an account initially in Google or Facebook etc and use that account to login to other apps like Spotify, Netflix, Zoom etc. We do this to avoid maintaining multiple username/passwords. Similarly, enterprises maintain a single user management system and employees use their corporate account to login to third-party services like Salesforce, Workday, Expensify etc without creating separate accounts or remembering multiple passwords. This is called SSO (Single Sign On) and SAML is the de facto enterprise SSO solution.

Participants

There are 3 main participants involved in the SAML authentication flow:

Identity Provider (IdP)

This is the centralised user management system that we talked about earlier. This server is responsible for authenticating the user and passing the user details such as email address, name, department etc to the Service Provider. Popular identity providers are Azure AD, Auth0, Onelogin, Okta, G Suite etc.

Service Provider (SP)

This is the application that trusts the IdP and wants to use it for authentication. Examples: Salesforce, Workday, Expensify, $YOUR_AWESOME_APP etc

Principal

This is the user who's trying to log into the SP via the IdP.

Authentication Flows

There are two common ways for an user to access SP:

IdP initiated login:

The user goes to the IdP first and is shown a list of SP they have access to. Upon choosing an SP from that list, they're redirected to that SP.

SP initiated login:

In this flow, the user goes to the SP's website first. If the user doesn't have an active session with the SP, the user is redirected to the IdP for authentication. Upon successful login, the user is redirected back to the SP. We'll be discussing this flow in detail.

SP initiated Flow:

Let's talk about the flow from the user's perspective.

The user goes to the SP's website. If the user is not logged in, it shows a "Login with SSO" button
Upon clicking the login button, the user is redirected to the IdP's website where they're asked to submit their credentials
Upon successful login, the user is redirected back to the SP's website where they can perform their work

Now, let's zoom in a bit and understand what happens behind the scenes:

SP checks for active session
SP sends AuthnRequest to IdP
IdP authenticates the user
IdP sends SAML Assertion to SP
SP creates session and logs in user

SP checks for active session

SAML doesn't maintain sessions, so SP needs to maintain sessions for each authenticated user. When a user visits the SP website, it checks whether the user has an active session with it. If an active session exists, the user can enter the website otherwise a "Login with SSO" button is shown.

SP sends AuthRequest to IdP

When the user clicks on the "Login with SSO" button, the SP generates a XML message called "AuthnRequest" with details about who's sending the request (Issuer), where to redirect to after the user is authenticated (Assertion Consumer Service url) and security measures (ID, IssueInstant). Here's an example AuthnRequest XML.

This XML is encoded into a url-safe string, embedded as query param in a request to IdP and the user is redirected to this IdP url:

https://idp.com/SAML2/SSO/Redirect?SAMLRequest=EncodedAuthnRequest

IdP authenticates the user

IdP maintains its own session about the user and if an active session exists for the user, the user is redirected to SP. If a session doesn't exist, the user is asked to enter their credentials. The IdP can choose how to authenticate the user - can be Username/Password, TOTP, MFA etc.

IdP sends SAML Assertion to SP

Once the user is successfully authenticated, IdP sends back an XML message called "SAML Assertion" to the SP's Assertion Consumer Service url. This contains the user's details such as name, email, department etc and security measures (InResponseTo, IssueInstant). It's also digitally signed so the SP can trust that the message is indeed from IdP and login the user into their system.

SP creates session and logs in user

The user is now successfully logged in to the SP's website! The SP will create a session for the user so the user can be automatically logged in the next time they visit the website.

Conclusion

Hopefully this post is able to give you a high level overview of SAML authentication and how the SSO works.

Originally posted in sheshbabu.com

Thanks for reading! :)

Minimal Viable Search using Postgres

Sheshbabu — Sun, 01 Dec 2019 10:54:05 +0000

If you’re building a product, you might have deprioritized building the search feature thinking that it might take a long time to build. If you happen to be using Postgres, let me show you a quick and easy way to implement the search functionality.

Test drive

Let’s say you’re building an ecommerce app and you want to be able to search on the product descriptions. This can be done using the following query:

SELECT
  *
FROM
  products
WHERE
  to_tsvector(description) @@ websearch_to_tsquery('chocolate milk') = TRUE

If you have a test database lying around, you can quickly try this out by replacing the table name, column name and search query. If you're using Postgres 10 or below, "websearch_to_tsquery" won't work. use "plainto_tsquery" instead.

Now, you might be having a lot of questions like:

"to_tsvector", "websearch_to_tsquery", "@@" look weird!
How's this different from "LIKE"?
How to make this faster?
What are the tradeoffs compared to ElasticSearch?

ts_what?

"ts" stands for Text Search.

At the very minimum, you need to only learn four things:

Use "to_tsvector" function on the columns you're searching on
Use "websearch_to_tsquery" function for the search query
Use the match operator "@@" to see if the above two match
Use "ts_rank" function to sort the results based on relevancy

In simple terms, to_tsvector breaks down text into list of keywords and their positions. Running

SELECT to_tsvector('A journey of a thousand miles begins with a single step');

gives

'begin':7 'journey':2 'mile':6 'singl':10 'step':11 'thousand':5

Notice that the words "A", "of" and "with" are removed as they're not useful in searching, the word "single" is normalized to its root form "singl" so it appears in more searches, the word "miles" is reduced to its singular form. This also takes care of normalizing the text to lowercase and removing special characters.

The function websearch_to_tsquery converts the user submitted search term into something that Postgres can understand. You can use Google style search queries like

jaguar speed -car

ipad OR iphone

"chocolate chip" recipe

You can also try other query functions like "plainto_tsquery" or "phraseto_tsquery" which have their own way of parsing the search queries.

The @@ operator matches the above search query with text from column. You can also use the || operator to concatenate multiple columns together and search on them.

The function ts_rank is used for sorting the search results by relevancy. The way it determines relevancy is by looking at how frequent the search terms appear, how close together they appear, in what position they appear etc.

By now you should have a good idea about how this is different from normal LIKE or pattern matching.

Making it faster

Instead of building tsvectors everytime we query using to_tsvector, we can store it in a separate column when the record is created/updated. For this, we create the following trigger:

CREATE OR REPLACE FUNCTION fn_on_product_insert_store_tsv() RETURNS trigger AS
$$
BEGIN
  NEW.tsv := to_tsvector(NEW.description);
  return NEW;
END;
$$
LANGUAGE 'plpgsql';   

CREATE TRIGGER trg_on_product_insert_store_tsv
BEFORE INSERT OR UPDATE ON products
FOR EACH ROW
EXECUTE PROCEDURE fn_on_product_insert_create_tsv();

Let's also add an index on this column to make the queries faster:

CREATE INDEX tsv_idx ON products USING gin(tsv);

This should greatly speed up your seach queries.

Comparison to ElasticSearch

ElasticSearch is synonymous with product search these days so you need to be aware of the tradeoffs:

When Postgres is better than ElasticSearch:

One less dependency to manage or get approval for
Faster time to market - can see how your users are using search and decide if you need to use ElasticSearch for more sophisticated search features
There's a single source of truth for the data - no need to keep multiple datastores in sync

When ElasticSearch is better than Postgres:

If your team already has expertise in ElasticSearch
Scale search queries seperately from normal database queries
You need support for facets. Here's a simple implementation of facets in Postgres
More flexible and sophisticated search features

Follow me on Twitter ❤️

Career advice for new developers

Sheshbabu — Sat, 30 Nov 2019 05:56:53 +0000

Hello, my name is Shesh and I've been working in this industry for more than 10 years. I've been meaning to write this post for a very long time - not only for others but also for what I wish I was told when I first started working as a developer. Hope you find this useful! 😊

Take care of your health ❤️

Software development is not a physically demanding work like farming or factory work, but you are spending a lot of hours sitting and starting at a screen.

You might be healthy now but unfortunately, as you age, your vision gets blurry, your wrists or back start hurting etc.

This might not happen to everyone - There are plenty of developers who are in their 40s, 50s and above without these issues, but why take chances?

Take a break from work now and then. Earth will still be spinning after you return from break 😂

Learn the basics 🧱

There is a huge gap between what's taught in universities and how we work in the industry. Unless you're lucky, you don't learn about how to use a debugger, source control, terminal, regex etc when you start your first job.

Make time to learn about these foundational concepts as you go about your job. It'll be useful for your entire career 👍

Tools don't make you better 🛠

Using Vi/Emacs doesn't make you an awesome developer. Similarly, using Sublime Text or Notepad++ doesn't make you a bad developer. Same applies for languages, frameworks etc.

If you can complete your tasks and feel productive with the tools, continue using it. Don't tie your self worth with the tools you use.

Don’t outsource your decisions 🧟‍♀️

Don't blindly do something just because Google/Facebook/etc are doing it.

Each software project is different in terms of scope, business value, people involved, their skills, how long the project is going to be maintained etc.

Engineering is all about tradeoffs. Ask yourself: in which context a particular advice makes sense. This is the only way you'll learn.

Examples:

Don't blindly use Kubernetes/Golang/React/Mongo for a static website which can be written in plain HTML and served by a single Nginx box.
If business urgently wants a throwaway website that will be only used for 2 weeks, don't try to build it using TDD etc

Don't be a code monkey 🙈

Your job is not to write code but to solve business problems.

So, when you're given some problems or tasks, try to understand what business problem you're solving. Ask as many questions as needed for you to understand. It's okay 👍

Once you know what you're solving, there are good chances that you can come up with better solutions or solutions that can be implemented faster. Propose these solutions, most of times they'll get accepted. Else you'll be told why your solution won't work in that scenario. In which case, you have learnt something and can make better suggestions in future.

Don’t stop learning 📖

You'll be learning a lot of new technologies and processes now that you're new. But over years, you'll get comfortable and stop learning.

Technology advances super fast. While it's impossible to learn everything new that's coming up, it's better to be aware of the new things that are slowly becoming the industry standard and learn about it when you have free time.

Your peers, leads, managers are all in the same boat. See if you already have learning sessions in your company. If not, you can suggest starting one and most of the time, people will be supportive 👍

Keep notes 📝

Unless you have a really good memory, try to take notes about a particular process, technology, how to do x etc.

Most of the time, we end up doing something that we did 2-3 years back (vertically centre something in CSS 😅, implement login flow, upload a file to S3 etc).

When you have notes, you can reach out to it and implement the solution quickly instead of googling about how to do it and scrolling through pages and pages of StacknOverflow and GitHub issues.

Even better, blog about it so that it also helps others 😊

Follow me on Twitter ❤️