My Profile Photo

Cory Kelly

CoryPlusPlus - Cory with classes

A blog documenting solutions to some interesting problems

IdP Initiated SSO

Recently I was tasked with allowing our existing customers to navigate to a third party website after login with our system. It was obvious that the solution would implement SAML, but I started work on this task with no previous information/experience with SAML.

alt text

  • There is a difference between IdP initiated SSO and SP initiated SSO. IdP initiated is when the IdentityProvider initiates an SSO response directly to a consumer assertion endpoint. Jump cloud is a good example of this.

      SP Initiated is when a Service Provider initiates the request -> IDP -> IDP login if not logged in -> back to      SP resource
  • Subject confirmation method needs to be: <saml2:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”>. This means that the SP will not do any extra validation on the subject and will trust the SAML Response containing the information
  • A signature value and a digest value must be present in the SAML Response. This can be done by loading
  • You must submit the SAMLResponse as base64 encoded hidden field “SAMLResponse” in a form post request
  • var form = document.createElement(“form”);
  • form.setAttribute(“method”, “POST”);
  • form.setAttribute(“action”, $scope.url);

  • var hiddenField = document.createElement(“input”);
  • hiddenField.setAttribute(“type”, “hidden”);
  • hiddenField.setAttribute(“name”, “SAMLResponse”);
  • hiddenField.setAttribute(“value”, $scope.response);

  • form.appendChild(hiddenField); document.body.appendChild(form); form.submit();

  • SubjectConfirmationData Recipient field must be set. It ensures that only the recipient specified can validate this assertion.
comments powered by Disqus