Cory Kelly


CoryPlusPlus - Cory with classes


A blog documenting solutions to some interesting problems


IdP Initiated SSO

Recently I was tasked with allowing our existing customers to navigate to a third party website after login with our system. It was obvious that the solution would implement SAML, but I started work on this task with no previous information/experience with SAML.

  • There is a difference between IdP initiated SSO and SP initiated SSO. IdP initiated SSO is when the Identity Provider sends an SSO response directly to the Service Provider's assertion consumer endpoint; JumpCloud is a good example of this.

      SP initiated SSO is when the Service Provider initiates the request: SP -> IdP -> IdP login if the user is not already logged in -> back to the SP resource.
    
  • The subject confirmation method needs to be <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">. This means that the SP will not do any extra validation of the subject and will trust the SAML Response containing the information.
  • A signature value and a digest value must be present in the SAML Response. This can be done by loading
  • You must submit the SAMLResponse as a base64 encoded hidden field named "SAMLResponse" in a form POST request, for example:

      // Build a form that POSTs to the SP's assertion consumer endpoint ($scope.url)
      var form = document.createElement("form");
      form.setAttribute("method", "POST");
      form.setAttribute("action", $scope.url);

      // The base64 encoded SAML Response travels in a hidden field named "SAMLResponse"
      var hiddenField = document.createElement("input");
      hiddenField.setAttribute("type", "hidden");
      hiddenField.setAttribute("name", "SAMLResponse");
      hiddenField.setAttribute("value", $scope.response);

      // Attach the field and submit the form from the browser
      form.appendChild(hiddenField);
      document.body.appendChild(form);
      form.submit();

  • SubjectConfirmationData Recipient field must be set. It ensures that only the recipient specified can validate this assertion.
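The points above, as an added example that is not part of the original post: build_response assembles a minimal IdP-initiated SAML Response with the bearer subject confirmation, a Recipient, an expiry and a placeholder ds:Signature, then base64 encodes it for the SAMLResponse field; check_response is the SP-side check that the bearer method, Recipient, NotOnOrAfter and the signature/digest elements are present. The ACS URL and the subject are constructed values, and the signature is a structural placeholder only, not a cryptographic verification (a real IdP and SP would use an XML-DSig library for that).

```python
import base64
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://sp.example.com/saml/acs"  # constructed placeholder for the SP's ACS endpoint
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_response(subject, recipient, minutes=5, signed=True):
    """Return the base64 SAMLResponse form value for one bearer assertion.
    The ds:Signature is a placeholder so the checker can see the element;
    a real IdP produces it with an XML-DSig library over the canonical XML."""
    not_after = (datetime.now(timezone.utc) + timedelta(minutes=minutes)).strftime(TS)
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference><ds:DigestValue>PLACEHOLDER'
           '</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>'
           'PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ''
    xml = (f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}" '
           f'xmlns:ds="{NS["ds"]}">{sig}<saml2:Assertion><saml2:Subject>'
           f'<saml2:NameID>{escape(subject)}</saml2:NameID>'
           f'<saml2:SubjectConfirmation Method="{BEARER}">'
           f'<saml2:SubjectConfirmationData Recipient="{escape(recipient)}" '
           f'NotOnOrAfter="{not_after}"/></saml2:SubjectConfirmation>'
           '</saml2:Subject></saml2:Assertion></saml2p:Response>')
    # The hidden SAMLResponse field carries the response base64 encoded
    return base64.b64encode(xml.encode()).decode()

def check_response(saml_response_b64, expected_recipient):
    """SP-side checks for the fields the post says must be present.
    Returns (ok, reason); presence of the signature is checked, not its validity."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//ds:SignatureValue", NS) is None or root.find(".//ds:DigestValue", NS) is None:
        return False, "missing SignatureValue or DigestValue"
    conf = root.find(".//saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return False, "subject confirmation method is not bearer"
    data = conf.find("saml2:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != expected_recipient:
        return False, "Recipient does not match this ACS endpoint"
    not_after = data.get("NotOnOrAfter")
    if not_after is None or datetime.strptime(not_after, TS).replace(
            tzinfo=timezone.utc) <= datetime.now(timezone.utc):
        return False, "assertion expired or has no NotOnOrAfter"
    return True, "ok"
```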