IdP-Initiated with Office 365
Nate Klingenstein
ndk at sudonym.me
Fri Sep 7 22:51:25 EDT 2018
Kevin,
I suspect that something like the below would work, but I don't have an
account nor an IdP I can use to test it with.
https://idp.host.here/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Afederation%3AMicrosoftOnline&target=https%3A%2F%2Fportal.office.com%2F
Federated identity in general means fewer logins (but as many or more
sessions total) but the number of logins does not depend on whether the IdP
or SP initiates the process. The number of logins depends on the IdP's
session management and whether a current session exists for the user that
satisfies a request issued by the SP.
Unsolicited SSO may obviate the need to do IdP discovery, which would be
the only reduction in required user interaction. That's a win, but
unsolicited SSO comes with other trade-offs. You may need to end up
supporting IdP discovery and SP-initiated SSO for Microsoft's native
applications anyway. It's worth reading through this Wiki article.
https://wiki.shibboleth.net/confluence/display/IDP30/UnsolicitedSSOConfiguration
The only data transmitted in the assertion is the user's objectGUID and a
mysterious identifier known as IDPEmail, and the SAML assertion itself
would be considered the credential from the SP's point of view. Most of
the heavy provisioning lifting is done by the descendant of DirSync.
Hope this helps,
Nate.
On Fri, Sep 7, 2018 at 10:40 PM, Kevin <kevin at thenext.net> wrote:
> How would one use IdP-Initiated SSO with Shibboleth and Office 365? In a
> university setting would this not be fewer logins? Would there be a URL
> nomenclature that one would use to pass the credentials to the SP?
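An added example, not part of the original message and not Shibboleth project code: it builds the Unsolicited SSO link discussed above with every reserved character percent-encoded, then checks a candidate link by decoding it again. The function names and the allow-list of target hosts are assumptions made for illustration; `idp.host.here` is the placeholder host from the message.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Values taken from the message; idp.host.here is its placeholder host.
IDP_BASE = "https://idp.host.here/idp/profile/SAML2/Unsolicited/SSO"
O365_ENTITY_ID = "urn:federation:MicrosoftOnline"
O365_PORTAL = "https://portal.office.com/"

# Constructed sample: separators in providerId encoded as %3B (';')
# instead of %3A (':'), so the IdP would look up a different entityID.
BAD_LINK = (IDP_BASE + "?providerId=urn%3Bfederation%3BMicrosoftOnline"
            "&target=https%3A%2F%2Fportal.office.com%2F")


def build_unsolicited_url(base, provider_id, target=None):
    """Build the link, percent-encoding every reserved character."""
    params = {"providerId": provider_id}
    if target is not None:
        params["target"] = target
    return base + "?" + urlencode(params, quote_via=quote, safe="")


def check_unsolicited_url(url, expected_provider_id, allowed_target_hosts):
    """Return a list of problems in a candidate link (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("IdP endpoint is not https")
    query = parse_qs(parts.query, keep_blank_values=True)
    provider_ids = query.get("providerId", [])
    if len(provider_ids) != 1:
        problems.append("providerId must appear exactly once")
    elif provider_ids[0] != expected_provider_id:
        problems.append("providerId decodes to %r" % provider_ids[0])
    # Assumption: published links should only land users on known hosts.
    for target in query.get("target", []):
        t = urlsplit(target)
        if t.scheme != "https" or t.hostname not in allowed_target_hosts:
            problems.append("unexpected target %r" % target)
    return problems


if __name__ == "__main__":
    link = build_unsolicited_url(IDP_BASE, O365_ENTITY_ID, O365_PORTAL)
    print(link)
    print(check_unsolicited_url(BAD_LINK, O365_ENTITY_ID,
                                {"portal.office.com"}))
```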