IDP Initiated SSO

Cantor, Scott cantor.2 at
Tue May 17 16:14:24 EDT 2016

On 5/17/16, 3:01 PM, "users on behalf of Steve White" <users-bounces at on behalf of steve at> wrote:

>We are currently using Shibboleth SP.  I have been tasked with setting up IDP Initiated SSO.  At least that is the term being used.  The expectation is that an already authenticated user, from a third party IDP, so no existing session, be able to access a resource and establish a session without having to redirect back to their IDP.  So sending authentication information along with the resource request.  I guess this is in place of a deep link, which I understand would redirect back to the IDP, see that you are authenticated then redirect you to the resource.

Yes. It's rather unusual for anybody operating an IdP to *ask* for this, and if they do, they must have something against their users and want to cause them hassles and annoyance.

>I am struggling with finding the right documentation, most likely because of the use of only SP not IDP, and thus am struggling with how to implement this.  Any help getting me started would be greatly appreciated.

Some SPs require special configuration to handle it; Shibboleth does not, so that's why there is no documentation about it for the SP. There's nothing to configure, unless as an SP you wanted to specifically *not* support regular SSO and only accommodate IdP-initiated, in which case some settings that might normally be used might not be, like actively requiring a session for access to certain content.

