Authenticating a user who has just created a new account

We have set up a ComponentSpace SAML 2.0 IdP using the high level API. We have also set up three test websites configured as SPs using the high level API (SAML 2.0). We are using SP-initiated SSO to authenticate. SSO and SLO both appear to be working.

When the IdP receives an authentication request from an SP, it presents a login screen and verifies the user-provided username and password against a NAV database (on a different server).

We plan to add another SP, and this one will be running on a Linux server (using SimpleSAMLphp). When a new customer registers on our site, they will register on the site running on the Linux server. The customer’s data will be stored on the Linux server, and then synced to the server that hosts the NAV database (the one we use for authentication). The synchronization will not happen immediately (it could take up to five minutes). When a customer creates a new account, it is normal for the customer to be authenticated when the account is created – he should not have to authenticate immediately following the registration process. Since this data will not be in NAV immediately, the IdP will not be able to verify authentication as it normally would.

Is there a built-in way to handle this scenario? When a customer creates a new account, is there a way to “tell” the IdP that the user is authenticated?

There isn’t anything in the SAML specification or our component to handle this scenario. The provisioning of users into the IdP’s database is something outside the SAML specification. Ideally the provisioning into the NAV database would occur at the same time the user registers on the Linux server (e.g. via a REST API call to the IdP). The only other way I can think of doing this is, for user registration scenarios, to have the Linux server act as the IdP and your IdP act as the SP. The Linux server could then send a SAML response to your IdP (acting as an SP) and provision the user with information contained in the SAML assertion. However, this is a lot more involved, and a simple REST API call from the Linux server to your IdP sounds a lot more straightforward.
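The answer's recommended route (provision the user into the IdP's store at registration time via a REST call) is shown below as an added example; it is not code from ComponentSpace, SimpleSAMLphp or the original poster, and the page describes no such API. Everything about the endpoint is an assumption: the header names, the shared-secret HMAC used to authenticate the registration site to the IdP, the JSON body layout, and the in-memory `users` dict standing in for the NAV database. The two things a practitioner would want from such a call are shown: the registration site sends a salted PBKDF2 hash rather than the clear-text password, and the IdP rejects unsigned, stale, tampered or replayed provisioning requests and treats a retried request as idempotent. After provisioning, the same store answers the login that the question says must work immediately after registration. TLS on the transport is assumed and not modelled.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret between the registration site and the IdP's
# provisioning endpoint (assumption: in practice it lives in a secret store).
PROVISIONING_SECRET = b"example-shared-secret-rotate-me"
MAX_CLOCK_SKEW = 300          # seconds a signed request remains acceptable
PBKDF2_ITERATIONS = 600_000   # high iteration count; tune to your hardware


def make_password_record(password, salt=None):
    """Registration site side: hash the password so the IdP never sees it in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, password):
    """IdP side: recompute the hash with the stored parameters and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def _signature(secret, timestamp, nonce, body):
    # HMAC over timestamp, nonce and body so none of them can be altered in transit.
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_provisioning_request(username, password, secret=PROVISIONING_SECRET, now=None):
    """Registration site side: returns (headers, body) to POST to the IdP (hypothetical endpoint)."""
    timestamp = str(int(now if now is not None else time.time()))
    nonce = os.urandom(16).hex()
    body = json.dumps({"username": username, "credential": make_password_record(password)},
                      sort_keys=True, separators=(",", ":")).encode()
    headers = {"X-Timestamp": timestamp, "X-Nonce": nonce,
               "X-Signature": _signature(secret, timestamp, nonce, body)}
    return headers, body


class ProvisioningEndpoint:
    """IdP side: verifies a signed provisioning request and writes the user into the store."""

    def __init__(self, secret=PROVISIONING_SECRET):
        self.secret = secret
        self.users = {}            # stand-in for the NAV user database (assumption)
        self.seen_nonces = set()   # replay protection within the clock-skew window

    def handle(self, headers, body, now=None):
        now = now if now is not None else time.time()
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return "rejected: bad timestamp"
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "rejected: stale request"
        nonce = headers.get("X-Nonce", "")
        expected = _signature(self.secret, str(ts), nonce, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "rejected: bad signature"
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        data = json.loads(body)
        username = data["username"]
        if username in self.users:
            return "exists"        # idempotent: a retried call never overwrites a credential
        self.users[username] = data["credential"]
        return "created"

    def authenticate(self, username, password):
        """What the IdP login screen would call once the user is provisioned."""
        record = self.users.get(username)
        return record is not None and verify_password(record, password)


if __name__ == "__main__":
    idp = ProvisioningEndpoint()
    headers, body = build_provisioning_request("alice", "correct horse battery")
    print(idp.handle(headers, body))                      # created
    print(idp.authenticate("alice", "correct horse battery"))   # True, right after registration
    print(idp.handle(headers, body))                      # rejected: replay
```

The nonce set only needs to retain entries for `MAX_CLOCK_SKEW` seconds, since anything older is already rejected as stale; a production endpoint would store it in something shared across IdP instances rather than in process memory. The five-minute sync to NAV described in the question would then carry the same credential record, so the IdP's normal password check keeps working once the data lands there.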