Federated Identity SAML Options With Google Cloud

Dev Thakkar
Dec 20, 2021

This article explains the options for authenticating users of the pricestats application that runs on Cloud Run.

First, we walk through the simple pricestats application.

Application flow:

(1) The user enters the URL in the browser.

(2) The user selects the stock and symbol from the dropdown.

(3) The user clicks Submit.

(4) The results page displays the graph for the selected stock.

A separate article explains the use of Google Identity and OpenID Connect with this application.

The sequence diagram below explains the OpenID Connect/OAuth flow:

(1) The user clicks the Login link.

(2) The pricestats application redirects the request to the authentication server (Google Identity).

(3) The user is authenticated with Google Identity, and the claims data (ID token, access token, etc.) is returned to the application.

## We will now review using SAML 2.0 for authentication ##

(References: Signing in users with SAML; Reference architectures)

Option 1: Google as Identity Provider and authoritative source

(1) The user clicks the Login link.

(2) The Firebase JavaScript directs the user to Google Sign-In for authentication (Identity Provider).

(3) The SAML response returned to the assertion consumer service (ACS) is sent to the browser, and the JavaScript code makes a REST API (POST) call to the pricestats application (service provider).

(4) The pricestats application validates the assertion by verifying its signature against the Identity Provider's digital certificate.

Option 2: Active Directory as Identity Provider and authoritative source

(1) The user clicks the Login link.

(2) The Firebase JavaScript directs the user to the Google prompt for an email address.

(3) Google Cloud Identity redirects the call to Active Directory (the external Identity Provider); review the linked guide for the SAML setup.

(4) The SAML response returned to the assertion consumer service (ACS) is sent to the browser, and the JavaScript code makes a REST API (POST) call to the pricestats application (service provider).

(5) The pricestats application validates the assertion by verifying its signature against the Identity Provider's digital certificate.
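The final validation step in both options is where the service provider must do more than notice that a signature is present. The example below is added for this article and is not code from the pricestats application: it shows the checks a service provider applies to a received assertion, comparing the embedded certificate with the IdP certificate pinned from metadata and enforcing issuer, audience and validity window, while cryptographic verification of the XML-DSig itself is left to an XML signature library. The issuer, audience, certificate bytes and clock value are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):  # SAML timestamps are UTC, e.g. 2021-12-20T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _fp(cert_b64):  # SHA-256 of the DER bytes, ignoring line breaks in the base64 body
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def check_assertion(assertion_xml, expected_issuer, expected_audience, pinned_cert_b64, now):
    """Return the list of policy violations (empty list == assertion accepted).
    The XML-DSig signature bytes must still be verified with an XML signature library;
    this enforces the checks around it: pinned IdP certificate, issuer, audience, validity."""
    errs = []
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errs.append("unexpected issuer")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None:
        errs.append("assertion is unsigned")
    elif _fp(cert) != _fp(pinned_cert_b64):  # never trust the cert the message itself carries
        errs.append("signing certificate does not match pinned IdP certificate")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return errs + ["missing Conditions element"]
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        errs.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        errs.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        errs.append("audience restriction does not name this service provider")
    return errs

# Constructed sample data: placeholder certificate bytes, entity IDs and clock, not a real IdP
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-bytes").decode()
ISSUER, AUDIENCE = "https://idp.example.com/saml", "pricestats-sp"
SAMPLE_NOW = datetime(2021, 12, 20, 10, 1, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_c1" Version="2.0">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="2021-12-20T09:59:00Z" NotOnOrAfter="2021-12-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Calling `check_assertion(SAMPLE_ASSERTION, ISSUER, AUDIENCE, IDP_CERT_B64, SAMPLE_NOW)` returns an empty list; moving the clock past `NotOnOrAfter` or handing in a different pinned certificate yields the corresponding violations.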
