Solicited and Unsolicited

[Nate Klingenstein]

Donald,

Thank you so much for sending out this email, which clarifies a lot.

> The conversation was to not have a dual login scenario where the users 
> are required to LDAP auth to access the landing page then login again at 
> our IdP login page.  The question was asked, could we send something to 
> the IdP that indicates the user has already logged into a "trusted" 
> system, and act like they did an IdP auth and still pass a SAML response 
> to the said SP that they chose off that original landing page.

So in effect, they want to act as a login handler for your IdP.  You could in theory accomplish this if you were willing to write a mechanism in the application capable of itself securely exposing the user login session along with developing a Rube Goldberg MFA script and a few other things.

I would sooner end up in the dual login scenario, honestly.

> Not saying this is a good approach, I've just been charged with 
> information gathering.
> 
> I will also look at the SAML ECP that was mentioned.

I'm afraid this one won't help, if I've understood you correctly now.

Take care,
Nate.