#138 Support IdP initiated SSO
Closed: Fixed None Opened 8 years ago by nkinder.

For use-cases such as AWS Console access, we need to support IdP initiated SSO. This flow is described here:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.4.IdP-Initiated%20SSO:%20%20POST%20Binding|outline

We would need the ability to register SP links in Ipsilon that can be
used to perform IdP initiated SSO when clicked. The way I see this
working would be:

  • User goes to Ipsilon and logs in.

  • Registered SPs that support IdP initiated SSO are shown as links.

  • User clicks on desired SP link, which generates an assertion and does
    a POST to the SP (using a configurable IdP initiated URL in the SP config)

From a UI/configuration standpoint, I envision a checkbox on the SP
config page to enable IdP initiated SSO per-SP. If this is checked, you
can fill in a POST URL and the text to display for the link (a
configurable image would be a nice addition too).


Fields changed

milestone: => 1.1

One correction to the initial description is that the URL to POST to should come from the SP metadata instead of making it a configuration setting.
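As an added example, not part of this ticket or Ipsilon's own code: the two pieces of the flow described above, taking the HTTP-POST AssertionConsumerService URL from the SP's metadata rather than from configuration, and rendering the self-submitting form that carries the assertion to it. The SP metadata is constructed for illustration, and the `<samlp:Response>` is assumed to have already been built and signed by the IdP.

```python
import base64
import html
import xml.etree.ElementTree as ET

# Namespace and binding identifiers from the SAML 2.0 metadata and bindings specs
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (not a real SP): one Artifact ACS and two
# POST ACS endpoints, one of which is marked as the default.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs-alt" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="2" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def post_acs_url(metadata_xml):
    """Return the HTTP-POST AssertionConsumerService Location from SP metadata,
    preferring the endpoint marked isDefault="true". An SP whose metadata has
    no POST endpoint cannot be a target of IdP initiated SSO, so raise."""
    root = ET.fromstring(metadata_xml)
    acs = [e for e in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    default = [e for e in acs if e.get("isDefault") == "true"]
    return (default or acs)[0].get("Location")


def idp_initiated_form(metadata_xml, saml_response_xml, relay_state=None):
    """Build the self-submitting HTML form the user's browser posts to the SP.
    saml_response_xml is assumed to be a complete, signed <samlp:Response>;
    every value is HTML-escaped so metadata content cannot break out of the form."""
    url = post_acs_url(metadata_xml)
    encoded = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    fields = ['<input type="hidden" name="SAMLResponse" value="%s"/>' % html.escape(encoded)]
    if relay_state is not None:
        fields.append('<input type="hidden" name="RelayState" value="%s"/>' % html.escape(relay_state))
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>'
            % (html.escape(url), "".join(fields)))
```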

Fields changed

milestone: 1.1 => 1.2

Fields changed

owner: => rcritten
rhbz: =>
status: new => accepted

master: a8994fb

resolution: => fixed
status: accepted => closed

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: 1.2

7 years ago
