IdP initiated SAML SSO


IdP initiated SAML SSO

Colm O hEigeartaigh
Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
support IdP initiated SAML SSO as well.

I have got this working in an interop test with Okta, by commenting out the
RelayState processing, and removing passing
relayState.getJwtClaims().getSubject() through to the validation process.

Any thoughts on how best to handle this scenario? Add a configuration
switch to allow the IdP initiated flow for a given IdP?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: IdP initiated SAML SSO

ilgrosso
Administrator
On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
> Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
> support IdP initiated SAML SSO as well.
>
> I have got this working in an interop test with Okta, by commenting out the
> RelayState processing, and removing passing
> relayState.getJwtClaims().getSubject() through to the validation process.
>
> Any thoughts on how best to handle this scenario? Add a configuration
> switch to allow the IdP initiated flow for a given IdP?

Hi Colm,
the relay state processing and validation could be optionally disabled
according to some switch passed to the Agent by the IdP itself (as a
request param, for example) and then added by the Agent into the REST
call which ends up in SAML2SPLogic.

Having a further setting for IdP conf to explicitly authorize
IdP-initiated scenarios makes sense too, to me.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: IdP initiated SAML SSO

Colm O hEigeartaigh
Thanks for the feedback, let me experiment with this and get back to you.

Colm.

On Thu, Aug 17, 2017 at 2:15 PM, Francesco Chicchiriccò <[hidden email]> wrote:

> On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
>
>> Currently, Syncope only supports RP-initiated SAML SSO. It would be nice
>> to support IdP initiated SAML SSO as well.
>>
>> I have got this working in an interop test with Okta, by commenting out
>> the RelayState processing, and removing passing
>> relayState.getJwtClaims().getSubject() through to the validation process.
>>
>> Any thoughts on how best to handle this scenario? Add a configuration
>> switch to allow the IdP initiated flow for a given IdP?
>>
>
> Hi Colm,
> the relay state processing and validation could be optionally disabled
> according to some switch passed to the Agent by the IdP itself (as a
> request param, for example) and then added by the Agent into the REST call
> which ends up in SAML2SPLogic.
>
> Having a further setting for IdP conf to explicitly authorize
> IdP-initiated scenarios makes sense too, to me.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
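
The per-IdP switch discussed in this thread, sketched as an added example; it is not Syncope code and not written by either poster. All class, field and entityID names are hypothetical. It assumes the response signature and conditions were already validated, treats a response without InResponseTo as IdP-initiated, and keeps the RelayState correlation mandatory for RP-initiated responses.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example; every name below is hypothetical and none is a Syncope class.
public class SsoFlowGate {
    // Per-IdP setting stored on the SP side, never read from the incoming request.
    record IdPConf(boolean allowIdPInitiated) {}
    // Fields of an already signature-checked SAML response that the gate inspects.
    record Incoming(String issuer, String assertionId, String inResponseTo, String relayState) {}
    enum Decision { ACCEPT_RP_INITIATED, ACCEPT_IDP_INITIATED, REJECT }

    final Map<String, IdPConf> idps = new HashMap<>();    // keyed by IdP entityID
    final Map<String, String> pending = new HashMap<>();  // RelayState -> AuthnRequest ID we issued
    final Set<String> seenAssertions = new HashSet<>();   // replay cache of assertion IDs

    Decision decide(Incoming in) {
        IdPConf conf = idps.get(in.issuer());
        if (conf == null || in.assertionId() == null || !seenAssertions.add(in.assertionId())) {
            return Decision.REJECT;  // unknown IdP, missing ID, or replayed assertion
        }
        if (in.inResponseTo() == null) {
            // Unsolicited response: there is no request to correlate with,
            // so only the per-IdP switch can allow it. Any RelayState is ignored.
            return conf.allowIdPInitiated() ? Decision.ACCEPT_IDP_INITIATED : Decision.REJECT;
        }
        // RP-initiated: RelayState must be one we issued (single use) and match InResponseTo.
        String expected = in.relayState() == null ? null : pending.remove(in.relayState());
        return in.inResponseTo().equals(expected) ? Decision.ACCEPT_RP_INITIATED : Decision.REJECT;
    }

    public static void main(String[] args) {
        SsoFlowGate gate = new SsoFlowGate();
        // Constructed sample data: IdP A has the switch on, IdP B has it off.
        String idpA = "https://idp-a.example/saml";
        String idpB = "https://idp-b.example/saml";
        gate.idps.put(idpA, new IdPConf(true));
        gate.idps.put(idpB, new IdPConf(false));
        gate.pending.put("rs-1", "req-1");

        System.out.println("A unsolicited:     " + gate.decide(new Incoming(idpA, "a1", null, null)));
        System.out.println("B unsolicited:     " + gate.decide(new Incoming(idpB, "b1", null, null)));
        System.out.println("B solicited:       " + gate.decide(new Incoming(idpB, "b2", "req-1", "rs-1")));
        System.out.println("B RelayState reuse: " + gate.decide(new Incoming(idpB, "b3", "req-1", "rs-1")));
        System.out.println("A replay of a1:    " + gate.decide(new Incoming(idpA, "a1", null, null)));
    }
}
```

Because an unsolicited response carries no request binding, the replay cache is the only thing in this sketch that stops a captured assertion from being accepted a second time.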