Recently I was tasked with allowing our existing customers to navigate to a third party website after login with our system. It was obvious that the solution would implement SAML, but I started work on this task with no previous information/experience with SAML.
There is a difference between IdP initiated SSO and SP initiated SSO. IdP initiated is when the IdentityProvider initiates an SSO response directly to a consumer assertion endpoint. Jump cloud is a good example of this.
SP Initiated is when a Service Provider initiates the request -> IDP -> IDP login if not logged in -> back to SP resource
- Subject confirmation method needs to be: <saml2:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”>. This means that the SP will not do any extra validation on the subject and will trust the SAML Response containing the information
- A signature value and a digest value must be present in the SAML Response. This can be done by loading
- You must submit the SAMLResponse as base64 encoded hidden field “SAMLResponse” in a form post request
- var form = document.createElement(“form”);
- form.setAttribute(“method”, “POST”);
- var hiddenField = document.createElement(“input”);
- hiddenField.setAttribute(“type”, “hidden”);
- hiddenField.setAttribute(“name”, “SAMLResponse”);
form.appendChild(hiddenField); document.body.appendChild(form); form.submit();
- SubjectConfirmationData Recipient field must be set. It ensures that only the recipient specified can validate this assertion.