How to access the AssertionConsumerServiceURL from the AuthnRequest in a custom MFA flow
Marc Jay
marc.jay at taskize.com
Thu Apr 16 14:07:41 EDT 2020
> I'm not following... You're running a SAML proxy (otherwise why would
> your IDP config be relevant to IDP selection?) and your IDP is the only
> one known to the protected services and in turn (as a SAML SP) relies
> on upstream IDPs for the actual authentication?
>
> How can you determine the IDP the subject should be sent to based on
> the subject's email address if the subject hasn't authenticated at an
> IDP to assert that email address to you in the first place?
Hi Peter,
Thanks for your response.
Apologies, I wasn't clear: our IdP and those of our clients who use SSO are known to our SP. We are a multi-tenanted SaaS application. Most of our tenants use our IdP for authentication, but some use their own Azure Active Directory/Okta etc. IdP. Our SP is configured with the metadata of all the involved IdPs. If a client uses IdP-initiated SSO, our IdP is not involved at all. However, if they go directly to our application, the SP doesn't have enough information to know which IdP that user should go to (IP address is not enough), so it sends everyone to our IdP, which presents an email address entry field as the first stage in the login flow. The user enters their email address, and we look it up and act based on the email domain. E.g. Client A uses our IdP, so user@client-a.com will proceed to enter a password, but Client B uses their own IdP, so entering user@client-b.com will redirect to our SP (session initiator URL), specifying the entity ID of Client B's IdP as the URL parameter, for them to log into their IdP and return.
We don't need to trust the email address at that stage: if a malicious user enters a client-b.com email address, they will fail to authenticate over at Client B's IdP and get no further.
Kind regards,
Marc
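The email-domain routing Marc describes above, written out as an added example (this is not code from the thread or from Shibboleth). The tenant table, the entityID values and the SP session-initiator URL are constructed assumptions; the `entityID` and `target` query parameters are the ones the Shibboleth SP session initiator accepts. The example keeps the property Marc relies on: the address is untrusted and only selects a pre-configured IdP, so the redirect can never be pointed at an IdP that is not in the table.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed tenant table (not real customers): email domain -> entityID of
# the tenant's own IdP, or None when the tenant authenticates with a password
# at the local IdP. Only entityIDs listed here can ever be sent to the SP.
TENANT_IDPS = {
    "client-a.com": None,
    "client-b.com": "https://idp.client-b.example/metadata",
}

# Assumed SP session-initiator endpoint; the real path is deployment-specific.
SP_SESSION_INITIATOR = "https://app.example.com/Shibboleth.sso/Login"


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a plausible email address, else None."""
    addr = address.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or any(c.isspace() for c in domain):
        return None
    return domain.lower()


def route_login(address: str, target: str = "https://app.example.com/") -> dict:
    """Decide where the first login step sends the user.

    The email address is untrusted at this point: it only selects a
    pre-configured IdP, and the user still has to authenticate there.
    """
    domain = email_domain(address)
    # Unknown or malformed domains get the same password prompt as local
    # tenants, so the form does not reveal which domains are SSO tenants.
    if domain is None or domain not in TENANT_IDPS:
        return {"action": "local_password"}
    entity_id = TENANT_IDPS[domain]
    if entity_id is None:
        return {"action": "local_password"}
    # Exact-match lookup on the domain; the entityID comes from the table,
    # never from user input, so the redirect cannot target an arbitrary IdP.
    query = urlencode({"entityID": entity_id, "target": target})
    return {"action": "redirect", "url": f"{SP_SESSION_INITIATOR}?{query}"}


if __name__ == "__main__":
    for probe in ("user@client-a.com", "User@Client-B.com",
                  "user@evil.example", "bad@@input"):
        print(probe, "->", route_login(probe))
```

Two design choices worth noting: the lookup is an exact match on the domain (a suffix match would let `client-b.com.attacker.example` select Client B's IdP), and unknown domains fall through to the local password prompt rather than an error, so the email field does not enumerate which domains are SSO tenants.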