Written by Rachana Sharma, Associate Tech Lead, Powerupcloud Technologies
Identity management plays an important role in any kind of chatbot application today for authenticating users. Chatbots are widely used to fetch user-level details and data, which is retrieved in real time from an ERP or CRM application. Security and identity management are therefore a fundamental part of such chatbots, to ensure that only the information relevant to the authenticated user is fetched.
SAML (Security Assertion Markup Language) is an SSO (single sign-on) protocol and one of the most widely adopted ones for identity management. It is a secure, XML-based mechanism for communicating identities between organisations. The primary use case for SAML is internet SSO, which eliminates the need to maintain multiple authentication credentials (passwords) in multiple places; this eases access and reduces the risk of breaches caused by identity theft and phishing.
- IDP(Identity Provider): Organisation that maintains the directory for a user and an authentication mechanism.
- SP (Service Provider): Organisation that hosts the targeted service.
All these entities are inter-related: the user has an account with the IDP (think of an employee having an account with their employer), the user wants to use an SP (a particular application such as the chatbot), and the IDP and SP are related because they want to federate identities.
How SAML works:
SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents.
- The user accesses the chatbot on the portal, or perhaps through a URL.
- The application identifies the user's origin (by application sub-domain, user IP address, or similar) and redirects the user back to the identity provider. Federated identity software running at the IDP kicks into action and validates the user's identity.
- The IDP constructs a specially formatted message containing information about the user, called claims. Claims can carry information such as username, email, etc. To build them, the IDP may rely on an account attribute store (a common example being Active Directory).
- The message is signed using an X.509 certificate, and the IDP then posts this information to the service provider.
- The SP determines that the message has come from a known IDP by checking the certificate fingerprint, retrieves the authentication response, validates it against that certificate, creates a session specific to the user in the targeted application and grants the user access.
When a user interacts with the chatbot, all that is visible to them is a click on the chat icon, after which they can interact with the chatbot.
How a basic chatbot application works and why we need authentication here:
Users on a chatbot application access the bot via a channel, which could be a mobile app, a web browser or even a social media channel. For any channel, the UI transfers the user's request to the bot's back-end. At the back-end, the request is processed with Natural Language Processing and machine learning algorithms. The NLP returns the intent based on the user query, and the bot then fetches the data from the client APIs. If the query does not need the user to be authenticated, such as a static query response.
Following are the steps to identity management using SAML for a chatbot application:
- REST APIs
Let us take a sample Flask bot application.
from flask import Flask, request, jsonify
import ml_logic  # the bot's NLP/ML module (not shown in this post)
app = Flask(__name__)
@app.route("/")
def index():
    return "Hello World!"
@app.route("/bot", methods=["POST"])  # route name assumed; the post only shows the handler body
def bot():
    bot_request = request.json["user_request"]
    user_id = request.json["user_id"]
    response = ml_logic.process(user_id, bot_request)
    return jsonify(response)
if __name__ == "__main__":
    app.run()
- We will host this Flask app as the Service Provider for ADFS authentication. We have used the Python3-saml demo-flask module to add SAML support to our back-end Flask app. After setting up this library, combining both Flask apps and hosting the result over HTTPS gives us our SP URL.
- We have used ADFS as the IDP here. Once the SP is up, its Service Provider URL needs to be configured as a Relying Party Trust in the client's ADFS.
- Once the Relying Party Trust is set up, all we have to do is provide the IDP- and SP-related details in the settings.py file present in python3-saml/demo-flask/saml.
- The SP information is the information about the Flask app you have hosted.
- We can get the IDP information from the ADFS Federation Metadata file (https://server/FederationMetadata/2007-06/FederationMetadata.xml) provided by the client.
Please note that the highlighted values will vary as per your environment.
Below are some screenshots of the ADFS setup with the chatbot.