IdP-initiated SSO (IdP-first)


Scott Cline

Feb 18, 2011, 4:28:13 PM
to simpleSAMLphp
Hello,

I'm a service provider with a client that wants to initiate the SSO
for access to our service. I started testing by installing
SimpleSAMLphp and setting up an IdP and a SP and that works. To fully
test the IdP-initiated SSO, I need to authenticate a user and then
create and send the assertion data via HTTP to the SP. Can
SimpleSAMLphp be used for that? If so, how do you configure the IdP
to do that?

My next question is about how the SP will process that SSO request
from the IdP. It looks like the IdP will specify the RelayState, which
will redirect the user to the RelayState page after successful
processing of the SSO request. If the SSO request is processed
successfully, then the user is sent to the RelayState page, where I can use
the SP API to access the attributes and determine if the user is
authorized to use the service. However, if the SSO request fails for
some reason, the user is never redirected to the RelayState page but left
on a SimpleSAMLphp error page. Since the IdP is initiating the
request, the SP needs to be "activated" in both the success and
failure cases of processing the SSO request. Am I missing something
that will make this work?

Thanks!

--Scott Cline

Brian Mathis

Feb 18, 2011, 5:10:31 PM
to simple...@googlegroups.com


1) The docs on the site discuss this directly:
http://simplesamlphp.org/docs/1.7/simplesamlphp-idp#section_11

2) The SP does not see RelayState, as far as I know, that's for the
IdP to know where to send the user after authentication. All the SP
sees is an incoming SAML Assertion. The only caveat is that your SP
must be able to handle an unsolicited assertion, as opposed to trying
to match it up with a previous session. I'm new at this but that
doesn't seem to be a problem.

I'm running the same setup as you, using SimpleSAMLphp as the test
IdP, and Shibboleth as the SP. I set up simplesaml following those
docs, and it all works fine.

Scott Cline

Feb 18, 2011, 5:58:31 PM
to simple...@googlegroups.com
Thanks Brian. I had fiddled with the IdP-first section of the docs a bit but couldn't make it work. More fiddling, however, did finally get me there. The entityid it was looking for was the metadata key in the IdP's saml20-sp-remote.php file.

--Scott

On Feb 18, 2011, at 3:10 PM, Brian Mathis wrote:

> 1) The docs on the site discuss this directly:
> http://simplesamlphp.org/docs/1.7/simplesamlphp-idp#section_11
>
> 2) The SP does not see RelayState, as far as I know, that's for the
> IdP to know where to send the user after authentication. All the SP
> sees is an incoming SAML Assertion. The only caveat is that your SP
> must be able to handle an unsolicited assertion, as opposed to trying
> to match it up with a previous session. I'm new at this but that
> doesn't seem to be a problem.
>
> I'm running the same setup as you, using SimpleSAMLphp as the test
> IdP, and Shibboleth as the SP. I set up simplesaml following those
> docs, and it all works fine.
>

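Two points from the thread deserve a worked illustration: Brian's note that an IdP-first SP must accept an unsolicited assertion (one with no InResponseTo to match against a session), and Scott's finding that the spentityid the IdP expects is the metadata key in saml20-sp-remote.php. The following Python is an added example, not code from the thread or from SimpleSAMLphp; the SSOService.php URL shape is assumed from the 1.x docs linked above, the entity IDs are hypothetical, the SAML Response is a constructed sample without a signature, and signature validation against the IdP's metadata certificate is assumed to happen before these checks run.

```python
# Added example; not SimpleSAMLphp code. Signature verification is assumed done already.
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"  # hypothetical
TRUSTED_IDPS = {"https://idp.example.org/simplesaml/saml2/idp/metadata.php"}             # hypothetical
SEEN_ASSERTION_IDS = set()  # replay cache; in production this must be shared across workers and expire

def _ts(iso):
    """Parse a SAML UTC timestamp such as 2011-02-18T22:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def idp_first_url(idp_base, sp_entity_id, relay_state):
    """Build the URL that starts IdP-initiated SSO. spentityid must equal the key
    used for this SP in the IdP's saml20-sp-remote.php (URL shape assumed from the docs)."""
    return idp_base + "/saml2/idp/SSOService.php?" + urlencode(
        {"spentityid": sp_entity_id, "RelayState": relay_state})

def accept_unsolicited(response_xml, now_iso, allow_unsolicited=True):
    """Return (ok, reason) for an SP deciding whether to trust an incoming Response.
    Unsolicited responses carry no InResponseTo, so the SP relies on issuer,
    audience, validity window and a replay cache instead of a pending request."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") is None and not allow_unsolicited:
        return False, "unsolicited response not allowed"
    a = resp.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return False, "unknown issuer"            # only IdPs in saml20-idp-remote may assert
    cond = a.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return False, "audience mismatch"         # assertion minted for a different SP
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    if a.get("ID") in SEEN_ASSERTION_IDS:
        return False, "replayed assertion"        # same assertion presented twice
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    return True, "ok"

# Constructed sample of an unsolicited Response (no InResponseTo attribute).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <saml:Conditions NotBefore="2011-02-18T22:00:00Z" NotOnOrAfter="2011-02-18T22:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

Because nothing ties an unsolicited assertion to a request the SP made, the replay cache and a short NotOnOrAfter window are what stand in for the InResponseTo check.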
