IDP initiated SSO

Cantor, Scott cantor.2 at osu.edu
Tue Aug 7 23:28:56 EDT 2012



On 8/7/12 4:21 PM, "Susan Forr" <susan_forr at hotmail.com> wrote:

>I found a person trying to implement a similar use case.
>http://stackoverflow.com/questions/4998017/idp-initiated-web-sso-profile-using-java-and-saml-2-0?answertab=active#tab-top

Yes, but that doesn't change anything. That person probably went off and
tried to implement their own IdP and I can pretty well promise how that
went.

> 
>I know this is not the typical usecase for an IDP initiated SSO.

It's not a use case covered by the standard at all, so there is no
explicit support for it.

> The IDP expects the user to authenticate with it. But this is not the
>case for us.

That's a choice. Change the choice and you fix the problem. The old joke
about the man telling the doctor it hurts when he bends his elbow applies.
Don't do that.

But as I told you once already, if you want to authenticate to the IdP but
do so via a third web site, that's an SSO protocol. I don't know how else
to explain that to you. If you look at any SSO specification you would see
that what you're trying to do in that step is exactly the same thing. So
the IdP would require you to layer that SSO mechanism around it such that
it gets the user's identity via that mechanism.

If you search around for examples of people using CAS and Shibboleth or
pubcookie and Shibboleth together, that is analogous.

> 
>My question is...can Shibboleth IDP make it easier for me to implement
>this use case or do I need to write my own SAML assertion provider.

Is it easier to write some glue code around the IdP than to implement an
entire IdP? Yes. That doesn't mean we can really tell you how to do it,
your use case is going to be too particular to your environment to do that.

> It would be great if I could use Shibboleth IDP to generate the
>assertion.

The IdP isn't a service you can invoke to do that except in the ways the
standard defines. You would have to bridge to those interfaces in some
way, as Paul said, or you would have to yank out components from the code
base to implement your own interface to it. Either requires deep knowledge
of both Java and SAML.

-- Scott
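The layering Scott describes (the user authenticates at some other web site, the IdP obtains the identity from that site through an SSO protocol such as CAS, and only then mints the assertion for the target SP), as an added, constructed illustration that is not part of the original thread and is not Shibboleth or CAS code. It uses a CAS-like single-use service ticket validated over a back channel, then builds an unsolicited SAML 2.0 Response; the entity IDs, URLs, class names and the ten-second ticket lifetime are assumptions, and signing of the Response is omitted.

```python
"""Toy of the pattern: external SSO system -> IdP -> SP.

Constructed example. The IdP never sees a password; it learns who the user is
only by validating a ticket issued by the external SSO system, which is the
'glue' an IdP needs when authentication happens somewhere else.
"""
import secrets
import time
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TICKET_TTL = 10  # assumed lifetime in seconds of a service ticket (CAS keeps these short)


def _now_iso():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


class CasLikeServer:
    """Stands in for the external web SSO system (CAS, pubcookie, ...)."""

    def __init__(self):
        self._tickets = {}  # ticket -> (user, service the ticket is bound to, issue time)

    def issue_ticket(self, user, service):
        """Called once the user has authenticated at the external site."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (user, service, time.time())
        return ticket

    def validate(self, ticket, service, now=None):
        """Back-channel validation: single use, bound to one service, time-limited."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # pop: a ticket can never be replayed
        if entry is None:
            return None
        user, bound_service, issued_at = entry
        if bound_service != service or now - issued_at > TICKET_TTL:
            return None
        return user


class BridgedIdP:
    """IdP whose 'login' is a ticket from the external system, not a login form."""

    def __init__(self, entity_id, return_url, cas):
        self.entity_id = entity_id
        self.return_url = return_url  # the service the external system binds tickets to
        self.cas = cas

    def start_login(self, user, target_sp):
        """Models the redirect chain: the external site issues a ticket for the IdP."""
        return self.cas.issue_ticket(user, self.return_url)

    def handle_return(self, ticket, target_sp, now=None):
        """Browser comes back with the ticket; IdP validates it and issues SAML."""
        user = self.cas.validate(ticket, self.return_url, now)
        if user is None:
            return None
        return self._build_unsolicited_response(user, target_sp)

    def _build_unsolicited_response(self, user, target_sp):
        ET.register_namespace("samlp", SAMLP)
        ET.register_namespace("saml", SAML)
        resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex,
                          Version="2.0", IssueInstant=_now_iso(), Destination=target_sp)
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.entity_id
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                      Value="urn:oasis:names:tc:SAML:2.0:status:Success")
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                                  Version="2.0", IssueInstant=_now_iso())
        ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = self.entity_id
        subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID",
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user
        conds = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
        aud = ET.SubElement(conds, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(aud, f"{{{SAML}}}Audience").text = target_sp
        # A real IdP signs the Response and/or Assertion with XML-DSig; omitted here.
        return ET.tostring(resp, encoding="unicode")


def sp_extract_subject(response_xml, my_entity_id):
    """Minimal SP-side checks: success status and matching audience; returns the NameID."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        return None
    audience = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions/"
                             f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if audience != my_entity_id:
        return None
    return root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")


if __name__ == "__main__":
    cas = CasLikeServer()
    idp = BridgedIdP("https://idp.example.org/idp/shibboleth",
                     "https://idp.example.org/idp/cas-return", cas)
    sp = "https://sp.example.org/shibboleth"
    ticket = idp.start_login("jdoe", sp)
    print(sp_extract_subject(idp.handle_return(ticket, sp), sp))
```

The point the toy makes is the one in the message: the IdP is still doing SSO, it just consumes a ticket from another system instead of a password, and every check a real bridge needs (single use, service binding, expiry) lives in that glue, not in the SAML layer.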


