Subject: SAML & establishing an SSO connection
Imagine we want to have SSO between Site A and Site B, and the normal usage is for Site A to be the IdP, and Site B to be the SP. However, before the “connection” is established between these sites for a particular principal, Site A and B don’t have any common information about the principal to agree upon. They don’t want to use a back-channel, so they need a use case to establish a common identifier. Could this type of “establishing connection” be done as a regular SSO login (either unsolicited Response from IdP, or AuthnRequest from SP to IdP and then Response back to SP), except that:

- When the SP realizes it doesn’t recognize the identifying info in the Assertion, it prompts for authentication (e.g. login form).

- Then, assuming authentication was successful, the SP stores the identifying info from the Assertion (it could simply be a random persistent name identifier that was generated by the IdP).

Now the SP can always figure out the user/principal based on the IdP’s identifying info, so future SSO logins can skip the above. Would that be considered a “normal” way of establishing connection?

What about switching it around? I.e. for the purpose of establishing connection, Site B could act as the IdP and send its identifying info (such as a Site B-generated persistent name identifier) to Site A in a Response. Site A would then store this info so that it can use it in future SSO logins, when it is acting as the IdP. Is this reasonable?

Thanks

Michael Lucas | Senior Software Developer | Great-West Life
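The SP-side linking logic described in the post, as an added example that is not part of the original message: an unrecognized persistent NameID is bound to a local account only after a fresh, successful local login, after which the (issuer, NameID) pair alone identifies the principal. The entity IDs, usernames and the in-memory credential store are constructed for illustration.

```python
from dataclasses import dataclass
import hmac

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass(frozen=True)
class Assertion:
    issuer: str           # IdP entityID; the SP must already trust it
    name_id: str          # subject identifier chosen by the IdP
    name_id_format: str   # only persistent identifiers are worth storing


class ServiceProvider:
    def __init__(self, trusted_idps, local_passwords):
        self.trusted_idps = set(trusted_idps)
        self.local_passwords = dict(local_passwords)  # constructed store
        self.links = {}   # (issuer, name_id) -> local username

    def handle_response(self, a: Assertion, local_login=None):
        """Return (outcome, username). local_login is the (user, password)
        pair the principal typed into the SP's own login form, if any."""
        if a.issuer not in self.trusted_idps:
            return ("rejected_untrusted_issuer", None)
        key = (a.issuer, a.name_id)             # scope the NameID to its issuer
        if key in self.links:
            return ("sso", self.links[key])     # connection already established
        if a.name_id_format != PERSISTENT:
            return ("rejected_not_linkable", None)  # transient IDs cannot be reused
        if local_login is None:
            return ("needs_local_auth", None)   # prompt the SP login form
        user, password = local_login
        expected = self.local_passwords.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return ("local_auth_failed", None)  # never store a link on failure
        self.links[key] = user                  # remember the IdP's identifier
        return ("linked", user)
```

The same store serves the reversed flow in the post: when Site B acts as IdP and pushes its own persistent identifier, Site A records it under Site B's issuer and later, acting as IdP, emits that identifier as the NameID.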