Zoho Help SP claims no metadata
Christopher Bongaarts
cab at umn.edu
Wed Jun 17 16:52:15 UTC 2020
On 6/16/2020 7:06 PM, Baron Fujimoto wrote:
> I'm afraid I'm missing something fundamental that I'm not picking up
> from the documentation or from this thread. Given that endpoint, and
> assuming it may require some additional parameters such as target and
> perhaps providerId, where does it *go*? I mean, I think I get that
> /idp/profile/SAML2/Unsolicited/SSO just exists, but how do you tailor
> any specific options to a particular SP?
For SP-initiated SSO, the user typically clicks a link that takes them
to the SP's site. The SP decides the request requires authentication,
and sends the user to the IdP based on the SSO endpoint in the metadata,
with a SAMLRequest included as a parameter. The SAMLRequest includes
details like who the SP is, which ACS URL to use, etc. There may also
be a RelayState parameter that the IdP is expected to send back with its
response.
For IdP-initiated SSO (the "unsolicited" endpoint), the user clicks the
.../Unsolicited/SSO link, which takes them to the IdP. The parameters on
that link include the data that would have been in the SAMLRequest, such
as the requesting SP (providerId) and ACS URL (shire), or the RelayState
(target).
In higher ed, we tend to like SP-initiated, as our users frequently go
directly to the SP sites. The IdP-initiated method makes more sense in
corporate intranets, where you first log in to your intranet, and only
then get the links to the various services you can use. The IdP SSO
link would be one of those links on your intranet page.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
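The two initiation styles Christopher describes side by side, as an added example (not code from the Shibboleth project or from anyone on the thread). The Unsolicited SSO parameter names providerId, shire and target are the ones named above; the IdP base URL, SP entityID, ACS URL and the sample AuthnRequest are constructed values. The IdP-side check mirrors why shire must match SP metadata: an IdP that returned assertions to any caller-supplied URL would hand them to whoever wrote the link.

```python
"""SP-initiated vs. IdP-initiated (unsolicited) SAML SSO helpers.

Added example. Values below are constructed for illustration only.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_BASE = "https://idp.example.edu/idp"          # constructed
SP_ENTITY_ID = "https://sp.example.com/shibboleth"  # constructed

# Constructed SP metadata: the ACS endpoints the IdP may return to.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def acs_locations(metadata_xml: str) -> List[str]:
    """AssertionConsumerService Locations from SP metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location")
            for acs in root.findall(".//md:AssertionConsumerService", NS)]


def build_unsolicited_sso_url(provider_id: str, target: Optional[str] = None,
                              shire: Optional[str] = None) -> str:
    """The IdP-initiated link an intranet portal would publish.

    providerId names the SP, target becomes the RelayState, and shire is
    optional because the IdP can take the default ACS URL from metadata.
    """
    params = {"providerId": provider_id}
    if shire:
        params["shire"] = shire
    if target:
        params["target"] = target
    return f"{IDP_BASE}/profile/SAML2/Unsolicited/SSO?{urlencode(params)}"


def check_unsolicited_request(url: str, metadata_xml: str) -> Dict[str, Optional[str]]:
    """IdP-side check: a shire not registered in SP metadata is refused."""
    qs = parse_qs(urlsplit(url).query)
    provider_id = qs.get("providerId", [None])[0]
    if not provider_id:
        raise ValueError("providerId is required")
    allowed = acs_locations(metadata_xml)
    shire = qs.get("shire", [None])[0]
    if shire is None:
        shire = allowed[0]  # simplification: first ACS stands in for the metadata default
    elif shire not in allowed:
        raise ValueError(f"shire {shire!r} is not an ACS URL in SP metadata")
    return {"providerId": provider_id, "acs": shire,
            "relayState": qs.get("target", [None])[0]}


# SP-initiated: the same facts travel inside a SAMLRequest instead of the URL.
SAMPLE_AUTHN_REQUEST = (  # constructed
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-06-17T16:52:15Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://sp.example.com/shibboleth</saml:Issuer></samlp:AuthnRequest>')


def encode_redirect_saml_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw deflate, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def summarize_saml_request(saml_request_param: str) -> Dict[str, Optional[str]]:
    """Decode a SAMLRequest parameter and pull out the SP identity and ACS URL."""
    xml = zlib.decompress(base64.b64decode(saml_request_param), -15).decode()
    root = ET.fromstring(xml)
    issuer = root.find("saml:Issuer", NS)
    return {"providerId": issuer.text if issuer is not None else None,
            "acs": root.get("AssertionConsumerServiceURL")}


if __name__ == "__main__":
    link = build_unsolicited_sso_url(SP_ENTITY_ID, target="https://sp.example.com/app")
    print(link)
    print(check_unsolicited_request(link, SP_METADATA))
    print(summarize_saml_request(encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)))
```

Both paths end with the IdP knowing the same three things: which SP is asking, where to post the response, and what RelayState to echo back. The difference is only who supplied them, the SP inside a signed-or-not SAMLRequest, or the portal author inside a URL, which is why the IdP validates shire against metadata rather than trusting the link.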