How to verify if login token is valid?


I am working on an IdP-initiated project and we are the SP part.

1. As the Service Provider, how does the SP verify that the login token is valid?

2. If the user authenticates and then closes the tab and opens a new one, is the authentication process saved or do they have to be authenticated again? In case you do not have to re-authenticate, how do you keep the authentication, with cookies?


Hi Jorge,

1. Either the SAML response or the SAML assertion sent by the IdP should be signed. As long as the signature verifies and assuming you already have a trust relationship with the IdP, you should accept that the IdP has authenticated the user and that the SAML assertion is valid.

2. The authentication cookies are maintained by the IdP and SP applications. We don’t use authentication cookies. There is a SAML session cookie, but this is used to support the SAML protocol, including support for SAML logout. Typically, if you close the browser rather than simply switching tabs within the browser, the authentication cookies will be lost and the user will have to log in again at the IdP.
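Below is an added example, not code from the original thread or from any SAML product, showing the checks an SP applies to an IdP-initiated SAML Response before trusting it: the Response or the Assertion must carry a signature whose Reference actually points at the element it sits in, the signature must verify against the IdP you already trust, and the Assertion's Issuer, validity window and Audience must match. The cryptographic XML-Signature verification itself is delegated to a caller-supplied `signature_verifier` function (assumed to wrap an XML-DSig library such as python-xmlsec or signxml); the sample Response, issuer and entity IDs are constructed for illustration.

```python
"""Added example: SP-side validation of an IdP-initiated SAML 2.0 Response.

The actual XML-DSig cryptography is NOT implemented here; it is assumed to be
provided by `signature_verifier(element) -> bool` (e.g. a wrapper around
python-xmlsec or signxml holding the trusted IdP certificate).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _signed_element_ok(elem, signature_verifier):
    """Treat an element as signed only if it carries a ds:Signature whose
    Reference URI is the element's own ID (the signature must cover *this*
    element, not some other one) and the verifier accepts it."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI", "") != "#" + elem.get("ID", ""):
        return False
    return bool(signature_verifier(elem))


def _parse_time(value):
    """SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, trusted_issuer, my_entity_id, signature_verifier,
                      now=None, skew_seconds=180):
    """Return the authenticated user's NameID, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    # As the answer says: either the Response or the Assertion must be signed.
    if not (_signed_element_ok(resp, signature_verifier)
            or _signed_element_ok(assertion, signature_verifier)):
        raise ValueError("neither Response nor Assertion carries a valid signature")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        raise ValueError("Assertion issued by untrusted IdP %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    skew = timedelta(seconds=skew_seconds)  # tolerate small clock drift
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        raise ValueError("Assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        raise ValueError("Assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if my_entity_id not in audiences:
        raise ValueError("Assertion not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("Assertion has no NameID")
    return name_id


# Constructed sample Response (placeholder signature value, fictitious entity IDs).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>jorge@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo():
    """Run the sample through the checks with a stub verifier that accepts
    everything (stands in for real XML-DSig verification)."""
    return validate_response(SAMPLE_RESPONSE, "https://idp.example.com",
                             "https://sp.example.com", lambda elem: True, now=FIXED_NOW)


if __name__ == "__main__":
    print("authenticated user:", demo())
```

Once `validate_response` returns a NameID, the SP issues its own application session (the cookie the second answer refers to); the SAML Response itself is consumed once and should not be re-presented as a login token.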