IDP Initialized SSO - IdPUnsolicitedSSO

Zmuda, Matthew R Matthew.R.Zmuda at td.com
Wed Dec 12 09:12:50 EST 2012


Thanks Scott, very helpful information.

When you say "Better model: go to the second app, repeat usual flow, done."

Would that be something like this:

IDP --> App1 (User logs in as usual)
App1 --> App2 (App1 sends user to App2 with some unique ID that symbolizes authenticated session)
App2 --> IDP (App2 sends AuthN request to IDP using the unique ID provided by App1)
IDP --> App2 (IDP responds with AuthNResponse)
App2 --> Establishes authenticated session and redirects user to target resource

Why do you say IdP initiated is a bad thing? Seems that it would simplify this scenario to something like this:

IDP --> App1 (User logs in as usual)
App1 --> IDP (IdP generates AuthNResponse)
IdP --> App2 (Sends AuthNResponse)
App2 --> Establishes authenticated session and redirects user to target resource

Thanks,

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, December 11, 2012 1:30 PM
To: Shib Users
Subject: Re: IDP Initialized SSO - IdPUnsolicitedSSO

On 12/11/12 1:03 PM, "Zmuda, Matthew R" <Matthew.R.Zmuda at td.com> wrote:

>We would now like to expand our usage of shibboleth to support IDP 
>Initiated SSO scenario:

I wouldn't really do that unless you had a good reason, IdP initiated is generally just a bad thing.

>- User logs into some application with our IDP validating their credentials
>- They now want to SSO to another application
>- I would like to use IDP Initiated SSO for this

Better model: go to the second app, repeat usual flow, done.

>However I'm a little confused with the setup. Will adding 
>/SAML2/Unsolicited/SSO affect my current configuration which uses 
>/SAML2/Redirect/SSO?

No.

> The last "One caveat" statement is what concerns me.

The caveat is that it defeats requiring signed requests. Unless you're changing defaults and requiring signed requests, then it has no impact.

> 
>Are there any sample configurations which demonstrate how IDP Initiated 
>SSO would work?
>I guess what I am not understanding is how I can add in IDP initialized 
>SSO to our existing configuration and what else needs to be setup aside 
>from the addition to handler.xml.

Nothing else. You have to build links somewhere as documented to do the job, that's it. You should absolutely not allow anybody other than you to build those links or you will be establishing a permanent dependency on this proprietary mechanism that you'll have to maintain even in the face of wanting to change software in the future.

-- Scott
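The two flows sketched in this thread, modelled as an added example (this is constructed illustration code, not Shibboleth source and not anything posted by the list members). Python dicts stand in for AuthnRequest and Response XML, an HMAC stands in for an XML signature, and every key and entity ID is a made-up placeholder. It shows the point behind both of Scott's remarks: in the "better model" App2 simply runs the normal SP-initiated flow and the IdP's existing SSO session satisfies it without a second login, and in the unsolicited flow there is no AuthnRequest at all, so a "require signed requests" policy never gets exercised and the SP must be willing to accept a Response with no InResponseTo.

```python
"""Toy model of SP-initiated vs IdP-initiated (unsolicited) SAML SSO.

Constructed example, not Shibboleth code: dicts stand in for SAML messages,
HMAC stands in for XML signatures, keys and entity IDs are placeholders.
"""
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, payload: dict) -> str:
    """Stand-in for an XML signature over a SAML message body."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


class IdP:
    def __init__(self, require_signed_requests: bool = True):
        self.require_signed_requests = require_signed_requests
        self.key = secrets.token_bytes(32)   # IdP signing key (assumed)
        self.sp_keys: dict[str, bytes] = {}  # SP entityID -> key, as learned from metadata
        self.sessions: set[str] = set()      # users holding an SSO session at the IdP
        self.request_checks = 0              # times the signed-request policy was applied

    def login(self, user: str) -> None:
        """User presents credentials once; the IdP keeps an SSO session."""
        self.sessions.add(user)

    def handle_authn_request(self, request: dict, user: str) -> dict:
        """/SAML2/Redirect/SSO style (SP-initiated): a request exists, so the
        signed-request policy has something to check."""
        body = request["body"]
        if self.require_signed_requests:
            self.request_checks += 1
            if not _verify(self.sp_keys[body["issuer"]], body, request["sig"]):
                raise PermissionError("unsigned or mis-signed AuthnRequest")
        if user not in self.sessions:
            raise PermissionError("no IdP session: user would be prompted to log in")
        return self._response(body["issuer"], user, in_response_to=body["id"])

    def unsolicited(self, sp_entity_id: str, user: str) -> dict:
        """/SAML2/Unsolicited/SSO style (IdP-initiated): no AuthnRequest exists,
        so require_signed_requests never comes into play (the 'caveat')."""
        if user not in self.sessions:
            raise PermissionError("no IdP session: user would be prompted to log in")
        return self._response(sp_entity_id, user, in_response_to=None)

    def _response(self, audience: str, subject: str, in_response_to) -> dict:
        body = {"audience": audience, "subject": subject, "in_response_to": in_response_to}
        return {"body": body, "sig": _sign(self.key, body)}


class SP:
    def __init__(self, entity_id: str, idp: IdP, accept_unsolicited: bool = False):
        self.entity_id = entity_id
        self.idp = idp
        self.accept_unsolicited = accept_unsolicited
        self.key = secrets.token_bytes(32)
        self.outstanding: set[str] = set()   # IDs of AuthnRequests still awaiting a Response
        idp.sp_keys[entity_id] = self.key    # key exchange via metadata, modelled directly

    def make_authn_request(self) -> dict:
        body = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id}
        self.outstanding.add(body["id"])
        return {"body": body, "sig": _sign(self.key, body)}

    def consume(self, response: dict) -> str:
        body = response["body"]
        if not _verify(self.idp.key, body, response["sig"]):
            return "rejected: bad IdP signature"
        if body["audience"] != self.entity_id:
            return "rejected: not addressed to this SP"
        irt = body["in_response_to"]
        if irt is None:
            # Unsolicited Response: nothing of ours to correlate it with.
            if not self.accept_unsolicited:
                return "rejected: unsolicited response"
            return f"session for {body['subject']} (unsolicited)"
        if irt not in self.outstanding:
            return "rejected: InResponseTo matches no pending request"
        self.outstanding.discard(irt)
        return f"session for {body['subject']}"


def sp_initiated_second_app(user: str = "alice") -> tuple:
    """The 'better model': log in at App1, then App2 repeats the usual flow and
    the existing IdP session satisfies it. Returns (App2 result, policy checks)."""
    idp = IdP(require_signed_requests=True)
    app1 = SP("https://app1.example/sp", idp)   # placeholder entity IDs
    app2 = SP("https://app2.example/sp", idp)
    idp.login(user)
    app1.consume(idp.handle_authn_request(app1.make_authn_request(), user))
    result = app2.consume(idp.handle_authn_request(app2.make_authn_request(), user))
    return result, idp.request_checks


def idp_initiated_second_app(user: str = "alice", accept_unsolicited: bool = True) -> tuple:
    """The unsolicited flow: App2 receives a Response it never asked for."""
    idp = IdP(require_signed_requests=True)
    app2 = SP("https://app2.example/sp", idp, accept_unsolicited=accept_unsolicited)
    idp.login(user)
    result = app2.consume(idp.unsolicited(app2.entity_id, user))
    return result, idp.request_checks
```

Running `sp_initiated_second_app()` yields a session at App2 after two signed-request checks at the IdP and no second credential prompt; `idp_initiated_second_app()` yields a session with zero checks, because the policy has no request to inspect, and `idp_initiated_second_app(accept_unsolicited=False)` shows an SP that has not opted in rejecting the unsolicited Response outright.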

