SP Initiated Request

Let’s say I have a web application with multiple clients. Not every client integrates with SAML SSO, but there are multiple clients that use SAML. Some have accounts in our system that they authenticate with (non-SSO clients). How would I know when to send an SP Initiated Request to the IDP?

Do I need to set up the client with a specific address (client.mydomain.com) and send a request if they are not authenticated? I guess I'm looking for what is considered a best practice or typical design around how to know when to perform an SP Initiated Request.

You need a way to identify the client and then determine whether that client participates in SAML SSO.
Using client-specific subdomains (e.g. client.mydomain.com) is a very typical approach and one that we would recommend.
Of course, you could also identify clients through query string parameters on the URL rather than subdomains, or perhaps IP address ranges, etc.
The other option is to ask the user to identify the client (e.g. the user selects from a list of client names).
Once you've identified the client, your application needs to look up information it maintains to determine whether or not that client supports SAML SSO.

[quote]
ComponentSpace - 1/29/2017
You need a way to identify the client and then determine whether that client participates in SAML SSO.
Using client-specific subdomains (e.g. client.mydomain.com) is a very typical approach and one that we would recommend.
Of course, you could also identify clients through query string parameters on the URL rather than subdomains, or perhaps IP address ranges, etc.
The other option is to ask the user to identify the client (e.g. the user selects from a list of client names).
Once you've identified the client, your application needs to look up information it maintains to determine whether or not that client supports SAML SSO.
[/quote]

Perfect, thanks for the response. I figured subdomains are the ideal route, just wanted to make sure I wasn't missing something!

You’re welcome.

I have a follow-up question: where is the best place, or best practice, to detect the subdomain? Application_BeginRequest?
Thanks!

Perhaps the simplest approach is to retrieve the URL of the HTTP request using HttpRequest.Url and then parse out the subdomain name.
You can do this as part of processing the HTTP request (i.e. in your web form page or MVC controller) immediately prior to calling the SAML API, etc.
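The pattern described in this thread (identify the client from its subdomain, look up whether that client uses SAML SSO, and only then send the SP-initiated request from the controller handling the login request) as one added C# example. This is not ComponentSpace's code or a snippet from the original thread. It assumes an ASP.NET MVC 5 application on the base domain mydomain.com, a constructed in-memory client registry standing in for your database, and that the SAML library's SP-initiated SSO call takes the partner IdP name; the `SAMLServiceProvider.InitiateSSO` call shown is the assumed signature and should be checked against your library version.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using ComponentSpace.SAML2;   // assumed namespace of the SAML library in use

// Per-client SSO record. In a real deployment this comes from your database.
public class ClientSsoSettings
{
    public string ClientName { get; set; }
    public bool SamlSsoEnabled { get; set; }
    public string PartnerIdentityProvider { get; set; }   // partner IdP name/entity ID configured for this client
}

public static class ClientResolver
{
    private const string BaseDomain = "mydomain.com";

    // Constructed sample registry: "acme" uses SAML SSO, "globex" uses local accounts.
    private static readonly Dictionary<string, ClientSsoSettings> Clients =
        new Dictionary<string, ClientSsoSettings>(StringComparer.OrdinalIgnoreCase)
        {
            { "acme",   new ClientSsoSettings { ClientName = "acme",   SamlSsoEnabled = true,
                                                PartnerIdentityProvider = "https://idp.acme.example/saml" } },
            { "globex", new ClientSsoSettings { ClientName = "globex", SamlSsoEnabled = false } }
        };

    // Returns the single subdomain label (e.g. "acme" for acme.mydomain.com),
    // or null when the host is not a direct child of the base domain.
    // Only the Host component is used, so path and query string cannot influence the result.
    public static string ExtractClientSubdomain(Uri requestUrl)
    {
        string host = requestUrl.Host;
        string suffix = "." + BaseDomain;
        if (!host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
            return null;

        string label = host.Substring(0, host.Length - suffix.Length);
        // Reject empty or nested labels such as "x.acme.mydomain.com" so that only
        // registered one-label client subdomains can match a client record.
        if (label.Length == 0 || label.Contains("."))
            return null;

        return label;
    }

    // Unknown subdomains resolve to null and are treated like non-SSO clients.
    public static ClientSsoSettings Resolve(Uri requestUrl)
    {
        string subdomain = ExtractClientSubdomain(requestUrl);
        if (subdomain == null)
            return null;

        ClientSsoSettings settings;
        return Clients.TryGetValue(subdomain, out settings) ? settings : null;
    }
}

public class LoginController : Controller
{
    // Entry point for unauthenticated users; the decision is made here, at the
    // point of processing the request, rather than in Application_BeginRequest.
    public ActionResult Index()
    {
        if (User.Identity.IsAuthenticated)
            return RedirectToAction("Index", "Home");

        ClientSsoSettings client = ClientResolver.Resolve(Request.Url);

        if (client != null && client.SamlSsoEnabled)
        {
            // This is the moment to send the SP-initiated request: the client is
            // known and configured for SAML SSO. Assumed signature:
            // InitiateSSO(HttpResponse, relayState, partnerIdP) writes the redirect/POST itself.
            SAMLServiceProvider.InitiateSSO(Response, null, client.PartnerIdentityProvider);
            return new EmptyResult();
        }

        // Non-SSO client or unrecognised host: fall back to the local account login form.
        return View("LocalLogin");
    }
}
```

Keeping the lookup keyed on the exact subdomain label (rather than a substring match on the host) means a request for an unregistered or nested hostname falls through to the local login form instead of accidentally matching a SAML-enabled client, which is the failure mode to watch for when the Host header is the only thing that selects the IdP.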