Cross Browser SSO?

Harald Strack hstrack at
Thu May 9 04:59:19 EDT 2019

Hi Scott,

thank you for the quick answer!

>> Has anyone ever tried to accomplish such a workflow? In short: is there
>> a decent way to achieve a SSO between two browsers or a rich client
>> application and a browser?
> That's what SPNEGO is, desktop authentication.
Yes, we already implemented SPNEGO on the Shibboleth IDP in AD 
environments, this would work. Great Feature for on-campus SSO. However, 
in our CASE there will be no Kerberos available, so we think about a 
more general solution. Let me try to explain another possible (?) 
approach based on a token authentication in a slightly more precise way:

1) The user authenticates in any browser or via ECP and the application 
behind the SP issues a JSON Web Token
2) This token will be saved on the client workstation
3) Then, in the second browser we call a url like 
https://app.any.where?token=<token> and this URL is Shibboleth 
protected, onother SP
4) As described in 
we set a template for the AuthNrequest that contains the JSON web Token 
(example available?)
5) The SP initiates in the second browser an SSO with 
authnContextClassRef "jsonwebtoken"
6) On the IDP we implement an External LoginFLow or Function 
examples available?) that handles the specific authnContextClassRef
7) The Implementation of this Login Flow will verify the  token from the 
AuthnRequest and log the user in

Voila, SSO accomplished. What do you think? Would this be a decent 
working architecture or should we avoid such a solution?



Harald Strack

ssystems GmbH
Kastanienallee 32
10435 Berlin

Tel:     +49 30 2023 6071 - 1

More information about the users mailing list