SAML & establishing an SSO connection

["Lucas, Mike" <Mike.Lucas@gwl.ca>]

Imagine we want to have SSO between Site A and Site B, and the normal usage is for Site A to be the IdP, and Site B to be the SP.

 

However, before the “connection” is established between these sites for a particular principal, Site A and B don’t have any common information about the principal to agree upon. They don’t want to use a back-channel, so they need a use case to establish a common identifier.

 

Could this type of “establishing connection” be done as a regular SSO login (either unsolicited Response from IdP, or AuthnRequest from SP to IdP and then Response back to SP), except that:

-          When the SP realizes it doesn’t recognize the identifying info in the Assertion, it prompts for authentication (e.g. login form).

-          Then, assuming authentication was successful, the SP stores the identifying info from the Assertion ( it could simply be random persistent name identifier that was generated by the IdP).

Now the SP can always figure out the user/principal based on the IdP’s identifying info, so future SSO logins can skip the above.

 

Would that be considered a “normal” way of establishing connection?

 

What about switching it around? i.e. for the purpose of establishing connection, Site B could act as the IdP and send its identifying info (such as Site B-generated persistent name identifier) to Site A in a Response. Site A would then store this info so that it can use it in future SSO logins, when it is acting as the IdP. Is this reasonable?

 

Thanks

michael lucas  |  Senior Software Developer  |  Great-West Life