This might be a dumb question, or something that violates the SAML design
principles. I just want to see how we designed the IdP to treat this use

In the usual flow, the end user accesses a protected page on the SP first, and
after some redirection the IdP displays a login page; suppose the login page
is "https://localhost/idp/Authn/UserPassword". After that the IdP establishes
a session with the browser.

What if the user directly accesses ""? I have tried this with the Shib
IdP, and it shows an error, which is what I expected. I just want to know
why this use case is invalid.

Based on my (very limited) experience with SAML, I think it makes sense
for the user to log in to the IdP first to establish a valid session, and then later
access some SP-protected resources without entering the password. There
must be some reason I missed that explains the potential problem with
this approach.

Another related question: I know there is something called
"IdP-initiated" SSO, where the user hits
*/idp/profile/SAML2/Unsolicited/SSO* directly,
and the IdP then redirects to a login page. Do we support something like this to
automatically get the user name and password?

I have been thinking about the reason for it. Is it because SAML
doesn't actually define how the IdP authenticates a user? So it is every IdP's
responsibility, and interoperability is an issue? What else?
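The following is an added toy model of the flows discussed in this post; it is not code from the post or from the Shibboleth IdP. It borrows the endpoint names mentioned above (the Redirect and Unsolicited SSO profiles and the Authn/UserPassword login page) and assumes a simplified behaviour: every SSO entry point records which relying party is waiting for an assertion, and the login page refuses to run unless such a pending request exists. That shows, in code, why a login page hit directly is an error (there is no SP to issue an assertion to), why IdP-initiated SSO still works (the Unsolicited endpoint names the SP), and how an existing IdP session skips the password prompt on later visits. The SP metadata and the user store are constructed for the example.

```python
"""Toy SAML IdP session/flow model (illustrative assumption, not Shibboleth code)."""
import base64
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed SP metadata: entityID -> assertion consumer service URL.
TRUSTED_SPS = {
    "https://sp.example.org/shibboleth": "https://sp.example.org/Shibboleth.sso/SAML2/POST",
}
# Constructed credential store for the example only.
USERS = {"alice": "correct horse battery staple"}
LOGIN_PAGE = "/idp/Authn/UserPassword"   # path taken from the post


@dataclass
class Session:
    """Per-browser IdP session: who is logged in and which SP is waiting."""
    principal: Optional[str] = None
    pending_sp: Optional[str] = None     # relying party named by the SSO request


@dataclass
class Response:
    status: int
    body: str
    redirect: Optional[str] = None
    assertion: Optional[dict] = None


def encode_request(issuer: str) -> str:
    """Stand-in for a SAML AuthnRequest: just the SP's entityID, base64 encoded."""
    return base64.b64encode(issuer.encode()).decode()


def sso_redirect(session: Session, saml_request_b64: str) -> Response:
    """SP-initiated entry point (/profile/SAML2/Redirect/SSO)."""
    issuer = base64.b64decode(saml_request_b64).decode()
    if issuer not in TRUSTED_SPS:
        return Response(400, "unknown relying party")
    return _continue_flow(session, issuer)


def sso_unsolicited(session: Session, provider_id: str) -> Response:
    """IdP-initiated entry point (/profile/SAML2/Unsolicited/SSO?providerId=...).
    No AuthnRequest arrives, but the SP is still named, so the flow has a target."""
    if provider_id not in TRUSTED_SPS:
        return Response(400, "unknown relying party")
    return _continue_flow(session, provider_id)


def _continue_flow(session: Session, sp: str) -> Response:
    session.pending_sp = sp
    if session.principal:                # existing session: no password prompt
        return _issue_assertion(session)
    return Response(302, "", redirect=LOGIN_PAGE)


def login_page(session: Session, username: Optional[str] = None,
               password: Optional[str] = None) -> Response:
    """/Authn/UserPassword. Visited outside a flow there is nothing to issue,
    so the IdP answers with an error rather than a form."""
    if session.pending_sp is None:
        return Response(400, "no login flow in progress; start at an SP or Unsolicited/SSO")
    if username is None:
        return Response(200, "<form>username/password</form>")
    if USERS.get(username) != password:
        return Response(401, "bad credentials")  # pending_sp kept so the user can retry
    session.principal = username
    return _issue_assertion(session)


def _issue_assertion(session: Session) -> Response:
    """Bind the assertion to the relying party that started the flow, then clear it."""
    sp = session.pending_sp
    session.pending_sp = None            # one assertion per request
    assertion = {"subject": session.principal, "audience": sp,
                 "id": secrets.token_hex(8)}
    return Response(200, "SAMLResponse", redirect=TRUSTED_SPS[sp], assertion=assertion)
```

Walking a `Session` through `sso_redirect`, then `login_page` with the right password, and then `sso_unsolicited` for the same SP reproduces the three situations in the post: the direct login hit fails, the SP-initiated and IdP-initiated entries both end in an assertion addressed to a known SP, and the second entry needs no password because the session already carries a principal.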

