Solicited and Unsolicited

Nate Klingenstein ndk at
Wed Apr 3 18:55:06 EDT 2019


Thank you so much for sending out this email, which clarifies a lot.

> The conversation was to not have a dual login scenario where the users 
> are required to LDAP auth to access the landing page then login again at 
> our IdP login page.  The question was asked, could we send something to 
> the IdP that indicates the user has already logged into a "trusted" 
> system, and act like they did an IdP auth and still pass a SAML response 
> to the said SP that they chose off that original landing page.

So in effect, they want to act as a login handler for your IdP.  You could in theory accomplish this if you were willing to write a mechanism in the application capable of itself securely exposing the user login session along with developing a Rube Goldberg MFA script and a few other things.

I would sooner end up in the dual login scenario, honestly.

> Not saying this is a good approach, I've just been charged with 
> information gathering.
> I will also look at the SAML ECP that was mentioned.

I'm afraid this one won't help, if I've understood you correctly now.

Take care,

More information about the users mailing list