Global Authentication

Looking for insight on how to implement a “global” authentication with SAML or some other means. We operate an SP site currently with a customer’s IdP. Our site is a subdomain of theirs, but exists on our servers and is in all other ways completely separate implementation and network. The customer wants to have users log in on the main site, and be seamlessly logged in by simply browsing to a url on our subdomain site. No login button, no direct call to the assertionconsumerservice, just be logged in when they arrive at our site. Anonymous users are allowed as well. So far the internet is not being quite kind to me but I think this is at least possible because Google and Microsoft both do it.

Any advice or direction would be appreciated.

This sounds like IdP-initiated SSO.

The flow is as follows:

  1. User starts at the IdP site and logs into the IdP.
  2. User clicks a link to the SP site.
  3. IdP sends a SAML response to the SP’s assertion consumer service endpoint.
  4. SP automatically logs in the user.
  5. SP redirects to the appropriate page.

I’m not sure what’s meant by “no direct call to the assertionconsumerservice”. The SAML flow must include a SAML response being sent to the SP’s assertion consumer service endpoint. However, this flow should be transparent to the user. To them it should appear like a simple redirect to the SP.

We have IdP-initiated SSO already, what they want is something different from the flow you describe. They essentially want people from a specific IdP to not have to “log in” to the site, just automatically be logged in whenever they browse to a page. The purpose of this is for normal users of their sites to be able to create links to our SP site and not have to know anything about how SSO works. Just click the link and go. They have mentioned some sort of Okta token which may be in a cookie or something? So if we see the token we do an SP-initiated login and bring them back to the page they were trying to see.

Anonymous access is still allowed on this site and also the IdP in question would be different from the normal one being used for general login purposes.

I’m not sure what’s meant by “automatically be logged in whenever they browse to a page” if it’s not IdP-initiated.

I’m also not sure what’s meant by an Okta token.

Are they looking to use SAML as the SSO protocol?

If so, which flow?

Could they provide more specific information?

The only other thing I can suggest from the provided description is the following:

  1. User starts at the IdP site and logs into the IdP.
  2. User clicks a link to the SP site.
  3. SP detects the user isn’t authenticated locally and initiates SSO to the IdP.
  4. SP receives SAML response from IdP and automatically logs in the user.
  5. SP redirects to the requested page.

The SP can remember the original requested page at the SP linked to from the IdP either using an application cookie or as the SAML relay state.
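The SP side of that second flow, as an added example (not code from this thread, from Okta, or from any SAML library): every page hit is served anonymously unless a hypothetical parent-domain cookie hints that the browser has an IdP session, in which case the SP builds an unsigned AuthnRequest over the HTTP-Redirect binding and carries the requested page as RelayState, restricted to a relative path so the value the IdP echoes back to the ACS cannot become an open redirect. The entity ID, ACS and IdP URLs and the cookie name are assumed.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://portal.example.com/sp"  # assumed values; none come from the thread
ACS_URL = "https://portal.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso/saml"
IDP_HINT_COOKIE = "idp_session"  # hypothetical parent-domain cookie hinting at an IdP session

def safe_relay_state(requested_path):
    """Only a relative path on this SP may be RelayState; anything else could be echoed back as an open redirect."""
    parsed = urlparse(requested_path)
    if parsed.scheme or parsed.netloc or "\\" in requested_path or not requested_path.startswith("/"):
        return "/"
    return requested_path

def build_authn_request(request_id, issue_instant):
    # Minimal unsigned AuthnRequest; a production SP would sign it and use a SAML library.
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def redirect_binding_url(authn_request_xml, relay_state):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_binding_url(url):
    """What the IdP receives: inflate SAMLRequest and return (xml, relay_state)."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params["RelayState"][0]

def handle_request(cookies, has_local_session, requested_path):
    """Per page hit: serve (anonymous or local session) or start SP-initiated SSO when an IdP session hint is present."""
    if has_local_session or IDP_HINT_COOKIE not in cookies:
        return ("serve", requested_path)
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = redirect_binding_url(build_authn_request(request_id, issue_instant), safe_relay_state(requested_path))
    return ("redirect", url)
```

On return, the ACS handler runs the RelayState through `safe_relay_state` again before redirecting, since the IdP response is untrusted input.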

Basically we have to detect that they are logged into their IdP somehow and then initiate the login on our site.

Their IdP service is apparently provided by Okta. We are currently using SAML for the normal authentication process for both IdP- and SP-initiated logins. The contact I spoke with about it believes there’s some sort of token we could use. He might be thinking of the bearer tokens we generate for web service requests.

We are awaiting someone on their side who knows more about the user authentication process.

I think this is essentially what they want, but not for every single person who browses to the site. Just the ones who are already logged in to the specific “internal” IdP. Currently users who intentionally log into the site are using the “external” IdP. They have a mixture of business users who are either employees or dealers who want to seamlessly be logged into the site like this, and normal users who may just be regular customers that can click the login button or use the special IdP-initiated login from one of their other sites. And of course the general public can use the site anonymously without logging in or creating an account.

It sounds like it’s best to get more clarification from the IdP to confirm that they are using SAML and how it should work.