Does the SP need to know the SingleSignOnService location in IDP-initiated SAML SSO?

I am working with a client who is the IDP, and our application is the SP.
The client has not provided the SingleSignOnService location. Is it necessary for the SP to know the location, or can SSO work without it?

With a SAML 2.0 Unsolicited Web SSO event, there is no AuthnRequest generated by your SP, therefore you do not need the SSO endpoint of the IDP.
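As an added example (not code from the question or the answer), the sketch below shows where the SingleSignOnService location is actually consumed on the SP side: only when building an AuthnRequest for SP-initiated SSO (optionally with ForceAuthn, which the reauthentication question further down touches on), whereas the unsolicited Response delivered by IDP-initiated SSO has no InResponseTo and is checked against the SP's own ACS URL, entity ID and validity window instead. The entity IDs, URLs and the sample Response are constructed; request signing and Response signature verification are assumed to be done by the SAML library and are omitted here.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/metadata"  # constructed SP identity
SP_ACS_URL = "https://sp.example.test/acs"         # constructed SP ACS endpoint
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_redirect_url(idp_sso_location, force_authn=False):
    """SP-initiated only: the IdP's SingleSignOnService location is needed here, and only here."""
    req_id = "_" + uuid.uuid4().hex
    force = ' ForceAuthn="true"' if force_authn else ""  # demand a fresh login (reauthentication)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}"{force}>'
           f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # HTTP-Redirect binding: raw DEFLATE + base64 + URL-encode
    saml_request = base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()
    return req_id, idp_sso_location + "?" + urlencode({"SAMLRequest": saml_request})

def sample_response(in_response_to=None):
    """Constructed, unsigned IdP Response; without in_response_to it is unsolicited (IdP-initiated)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}"{irt}>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
            f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>")

def validate_response(response_xml, outstanding_ids, now):
    """Accept an unsolicited Response or one answering our own AuthnRequest (signature check assumed done before)."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS"
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"        # no AuthnRequest existed, so there is nothing to correlate
    elif irt in outstanding_ids:
        outstanding_ids.discard(irt)  # a request ID is answered at most once
        flow = "sp-initiated"
    else:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS) != SP_ENTITY_ID:
        return False, "Audience is not this SP"
    if datetime.strptime(now, TS) >= datetime.strptime(cond.get("NotOnOrAfter"), TS):
        return False, "assertion expired"
    return True, flow
```

Whether a deployment should accept unsolicited Responses at all is a policy decision for the SP, since without InResponseTo there is no request to bind the Response to.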

Related

How to programmatically extract SAML token for IDP and SP?

I have SSO configured between the IDP (ADFS) and the SP, and the IDP generates a SAML token and posts it to the SP page for authentication. But I would like to create a new application called test-app, and this app should programmatically generate/extract the SAML token for the IDP and SP by using a pop-up login window.
Is it possible?
After I get the SAML token, I intend to use it with a REST web service of the SP.
The SAML flow requires the SAML token to be generated by the IDP.
The IDP has the private key to sign the SAML token.
You can generate one in your app, but you won't be able to sign it correctly, and there is no flow to send it to the IDP.

SAML SSO - How SSO works with SAML

I know how SAML works and I know how SSO works. My understanding of SSO is that the IDP creates a cookie in the IDP domain (and other domains cannot access the cookie) and uses it to authenticate the user.
The SAML protocol itself doesn't say anything about SSO. I get confused when they mix SAML with SSO, e.g. IDP-initiated SSO etc.
As per my understanding, SSO is implemented independently of SAML (using a cookie). Please correct me if I'm missing something.

Reauthentication with Identity Server 3 and SAML

I've implemented Identity Server 3 with SAML based on this example: https://github.com/Sustainsys/Saml2/tree/master/Samples/SampleIdentityServer3
Everything is working, but the SAML Identity Provider (DigiD) requires reauthentication. This is done by sending the SAML AuthnRequest again.
Does anyone know how the SAML AuthnRequest can be sent again from Identity Server 3? I've tried to use refresh tokens, but this doesn't seem to trigger another SAML AuthnRequest.
There are two parts required here:
Get IdentityServer3 to initiate another authentication request with the Sustainsys.SAML2 module.
Optionally set the ForceAuthn flag in the created AuthnRequest to the SAML2 IdP, to instruct it to actually reauthenticate and not rely on an existing session (I don't remember if the library supports it).

Is SP initiated requests without AuthnRequest an industry standard?

I am working on SAML 2.0. One of our clients (IDP) requested us (SP) to have SP-initiated requests without sending an AuthnRequest.
Instead of sending an AuthnRequest, they have asked us (SP) to send a parameter on the URL that can tell them that the request has come from the designated SP. Is it an industry standard to implement SP-initiated requests without having the AuthnRequest parameter?
I would actually call this IDP-initiated, as from the viewpoint of SAML, the IDP sends the first message. IDP-initiated is part of the standard, so it does not break SAML.
But if you are going to have the SP tell the IDP to start authentication, I would consider it bad practice not to have the SP start this by using a SAML AuthnRequest.
This would be a more interoperable approach, making it easier to use standard SAML products without the need for customizations.
No, it's not. However, from our experience, some IdPs do not support SP-initiated SSO. Instead, they require a redirect to the IdP including a parameter that identifies the SP. This then triggers IdP-initiated SSO to the SP. This is not covered by the SAML v2.0 specification, and therefore the format of the URL, including the parameter name etc., is not standardized.
I suggest double-checking with the IdP to see whether they do support SP-initiated SSO as per the SAML specification. Perhaps they simply haven't enabled this support. If they don't, then your only option is to use this non-standardized approach.

IDP initiated SLO not working

I am using SAML-based SSO for my application, where the IDP role is played by OpenAM. I have tested SP-based SSO, SLO and IDP-based SSO, and all are working fine, but IDP-based SLO is not working. When a user logs out of the IDP, I am getting a notification in my SP, but this request does not contain any user information or browser cookies, so I am wondering about two things:
Are these notifications happening back-channel?
If not, how can I fetch my SP-side session and invalidate it when such a notification comes?
Also, is there some sample implementation available in Java?
The request flow depends on the profile being used / configured ... see SAML profile spec section 4.4.
It's up to the SP how the SLO is handled, e.g. the Spring Security based SAML SP has a bug where the local session is not cleaned up correctly (if you use this, see my workaround on the Spring JIRA).