SSO across cross-domain web applications

Could you tell me if the ComponentSpace SAML 2.0 product can be used to enable SSO across web sites running on multiple domains (e.g., etc.)? If yes, can you provide implementation details? I see that your samples work fine on a single machine, but when deployed on multiple machines (IdP on one machine and 2 SPs on 2 different machines), I am being prompted for credentials when I navigate from one SP to the other SP.

Yes, it definitely can. One of the goals of SAML SSO is to enable federated login across multiple domains. Our documentation describes deploying the examples to localhost but this is to keep the deployment as simple as possible and isn’t a limitation in any way.

For the scenario you describe, you will need each SP to SSO to the IdP. As long as the user’s authentication session at the IdP hasn’t expired, they’ll only be prompted to log in once.

For example:

1. User logs in at the IdP.
2. User clicks link to SP1.
3. IdP sends SP1 a SAML response.
4. SP1 performs an automatic login.
5. User clicks link to SP2.
6. SP2 sends SAML authn request to IdP.
7. User is already logged in, so isn’t prompted to log in again.
8. IdP sends SP2 a SAML response.
9. SP2 performs an automatic login.

This requires the SPs to support SP-initiated SSO (i.e. send a SAML authn request to the IdP and receive a SAML response).

The ExampleServiceProvider demonstrates SP-initiated SSO amongst other things. The call to SAMLServiceProvider.InitiateSSO sends the authn request and SAMLServiceProvider.ReceiveSSO receives the SAML response.
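The nine-step flow above as an added Python model (not ComponentSpace code and not its API; the domain names, the `visit` helper and the dictionary-shaped messages are constructed stand-ins, and signature and timestamp validation are left out): the IdP keeps the login session in a cookie scoped to its own domain, each SP correlates the response with the request it sent, and only a missing or expired IdP session triggers a credential prompt.

```python
import secrets
import time

class IdP:
    """Identity provider. The login session lives in a cookie on the IdP's own domain."""

    def __init__(self, session_ttl, clock=time.time):
        self.session_ttl, self.clock = session_ttl, clock
        self.sessions = {}   # IdP session cookie -> (user, issued_at)
        self.prompts = 0     # how many times the user had to enter credentials

    def handle_authn_request(self, request, idp_cookie, credentials):
        """Steps 6-8: answer an authn request, prompting only if the IdP session is missing/expired."""
        session = self.sessions.get(idp_cookie)
        if session is None or self.clock() - session[1] > self.session_ttl:
            self.prompts += 1
            idp_cookie = secrets.token_hex(8)
            self.sessions[idp_cookie] = session = (credentials(), self.clock())
        response = {"InResponseTo": request["ID"], "Audience": request["Issuer"], "NameID": session[0]}
        return response, idp_cookie


class SP:
    """Service provider on its own domain; it never sees the IdP cookie, only SAML responses."""

    def __init__(self, entity_id):
        self.entity_id, self.pending = entity_id, set()

    def initiate_sso(self):
        """Build an authn request and remember its ID so the response can be correlated."""
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return {"ID": request_id, "Issuer": self.entity_id}

    def receive_sso(self, response):
        """Accept a response only if it is for this SP and answers a request we actually sent."""
        if response["Audience"] != self.entity_id:
            raise ValueError("response addressed to a different SP")
        if response["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        self.pending.discard(response["InResponseTo"])   # one-time use
        return response["NameID"]


def visit(browser, sp, idp, credentials):
    """User clicks a link to an SP (steps 2-4 / 5-9); browser is a per-domain cookie jar."""
    request = sp.initiate_sso()
    response, idp_cookie = idp.handle_authn_request(request, browser.get("idp.example"), credentials)
    browser["idp.example"] = idp_cookie                # cookie stays on the IdP domain
    browser[sp.entity_id] = sp.receive_sso(response)   # SP's own session on its own domain
    return browser[sp.entity_id]
```

Visiting SP1 and then SP2 with the same browser yields one credential prompt; advancing the clock past the IdP session TTL before the second visit yields two, which is the symptom described in the question.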