Can you have both IDP and SP functionality in the same MVC application?

Have searched for this but didn’t find anything.

Essentially we want the application to authenticate with an IDP via SAML (the SP part) to control access and roles and then call a SAML application via an IDPInitiated call (the IDP part).

If yes, are there any samples showing how to flow between the two?



Yes, this is definitely possible and we have customers doing this now.
I’m afraid we don’t have any examples but it’s fairly straightforward.
The IdP and SP sides of your application are in many ways independent of each other with different endpoints etc.
The flow would be:

1. Acting as the SP, call SAMLServiceProvider.InitiateSSO to send a SAML authn request to the IdP.
2. User logs into the IdP.
3. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response from the IdP.
4. Log the user in locally in the application. Possibly save user information in the session etc. if required.
5. Acting as the IdP, call SAMLIdentityProvider.InitiateSSO to create and send a SAML response to the SP.

User identity information received from the IdP may be used to create and send the SAML response to the SP.


[quote]
ComponentSpace - 4/5/2019
Yes, this is definitely possible and we have customers doing this now.
I'm afraid we don't have any examples but it's fairly straightforward.
The IdP and SP sides of your application are in many ways independent of each other with different endpoints etc.
The flow would be:

1. Acting as the SP, call SAMLServiceProvider.InitiateSSO to send a SAML authn request to the IdP.
2. User logs into the IdP.
3. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response from the IdP.
4. Log the user in locally in the application. Possibly save user information in the session etc. if required.
5. Acting as the IdP, call SAMLIdentityProvider.InitiateSSO to create and send a SAML response to the SP.

User identity information received from the IdP may be used to create and send the SAML response to the SP.


[/quote]

Thanks for this. I have both sides working now.

Assume the IDP side is ADFS. The user logs in via IWA and now we do the IDPInitiated side.

We want to use the logged in user credentials for the IDPInitiated flow.

Is there any way to pre-populate them?

Any samples that show this?

Thanks.

You need to set up some claim rules in ADFS. These specify what user identity information will be included as the SAML NameID and SAML attributes sent to your SP.
Once you receive these you can either use the same user identity information or some variation of them to send to the external SP.
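The five-step flow from the earlier reply and the claim-rule mapping described here, put together in one MVC controller. This is an added illustration, not ComponentSpace sample code: the controller, partner names, session key, the ADFS claim URIs and the outgoing attribute names are all assumptions, and the SAMLServiceProvider / SAMLIdentityProvider overloads are written from memory of the SAML v2 static API (check them against the documentation for the installed version). The point it adds to the text is where the IdP-initiated response gets its identity from: the server-side session populated by ReceiveSSO, never from anything the browser supplies, and only an explicit allow-list of received attributes is forwarded to the external SP.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;

// Hypothetical controller hosting both the SP role (towards ADFS) and the IdP role (towards a partner SP).
public class SamlController : Controller
{
    // Assumed partner names; they must match the partner entries in saml.config.
    private const string PartnerIdentityProvider = "urn:example:adfs";
    private const string PartnerServiceProvider = "urn:example:partner-sp";
    private const string SessionIdentityKey = "SamlIdentity";

    // Step 1: acting as the SP, send an authn request to ADFS.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        // Only a local path is carried in RelayState, so the ACS cannot be turned into an open redirect.
        string relayState = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        SAMLServiceProvider.InitiateSSO(Response, relayState, PartnerIdentityProvider);
        return new EmptyResult();
    }

    // Steps 3 and 4: the assertion consumer service receives the SAML response and logs the user in locally.
    [AllowAnonymous]
    [HttpPost]
    public ActionResult AssertionConsumerService()
    {
        bool isInResponseTo;
        string partnerIdP, authnContext, userName, relayState;
        IDictionary<string, string> attributes;

        // The library validates the signature, conditions and InResponseTo before returning (assumed behaviour).
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext,
                                       out userName, out attributes, out relayState);

        // Accept responses only from the IdP this application is configured to trust.
        if (!string.Equals(partnerIdP, PartnerIdentityProvider, StringComparison.Ordinal))
            return new HttpStatusCodeResult(403, "Unexpected identity provider");

        // Keep the verified identity server-side; later steps never trust browser-supplied values.
        Session[SessionIdentityKey] = new SamlIdentity { NameID = userName, Attributes = attributes };
        FormsAuthentication.SetAuthCookie(userName, false);

        return Redirect(Url.IsLocalUrl(relayState) ? relayState : "/");
    }

    // Step 5: acting as the IdP, send an IdP-initiated SAML response to the partner SP,
    // built from the identity established in step 3.
    [Authorize]
    public ActionResult LaunchPartner()
    {
        var identity = Session[SessionIdentityKey] as SamlIdentity;
        if (identity == null)
            return RedirectToAction("Login", new { returnUrl = Url.Action("LaunchPartner") });

        IDictionary<string, string> outgoing = MapAttributes(identity.Attributes);
        SAMLIdentityProvider.InitiateSSO(Response, identity.NameID, outgoing, null, PartnerServiceProvider);
        return new EmptyResult();
    }

    // Map the ADFS claim types emitted by the claim rules onto the attribute names the partner SP expects.
    // Only listed claims are forwarded; anything else ADFS sent stays inside this application.
    private static IDictionary<string, string> MapAttributes(IDictionary<string, string> received)
    {
        var mapping = new Dictionary<string, string> // assumed claim URIs and target names
        {
            { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "email" },
            { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "firstName" },
            { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "lastName" }
        };

        var result = new Dictionary<string, string>();
        if (received == null)
            return result;

        foreach (var pair in mapping)
        {
            string value;
            if (received.TryGetValue(pair.Key, out value) && !string.IsNullOrEmpty(value))
                result[pair.Value] = value;
        }
        return result;
    }

    [Serializable]
    private class SamlIdentity
    {
        public string NameID { get; set; }
        public IDictionary<string, string> Attributes { get; set; }
    }
}
```

The NameID sent to the partner SP is the one ADFS asserted, so the NameID claim rule on the ADFS side decides what the external SP ultimately sees; if the partner needs a different identifier (for example an email address instead of a UPN), derive it inside MapAttributes or from the received attributes rather than letting the browser choose it.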