#138 Support IdP initiated SSO
Closed: Fixed None Opened 6 years ago by nkinder.

For use-cases such as AWS Console access, we need to support IdP initiated SSO. This flow is described here:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.4.IdP-Initiated%20SSO:%20%20POST%20Binding|outline

We would need the ability to register SP links in Ipsilon that can be
used to perform IdP initiated SSO when clicked. The way I see this
working would be:

  • User goes to Ipsilon and logs in.

  • Registered SPs that support IdP initiated SSO are shown as links.

  • User clicks on desired SP link, which generates an assertion and does
    a POST to the SP (using a configurable IdP intiated URL in the SP config)

From a UI/configuration standpoint, I envision a checkbox on the SP
config page to enable IdP initiated SSO per-SP. If this is checked, you
can fill in a POST URL and the text to display for the link (a
configurable image would be a nice addition too).


Fields changed

milestone: => 1.1

One correction to the initial description is that the URL to POST to should come from the SP metadata instead of making it a configuration setting.

Fields changed

milestone: 1.1 => 1.2

Fields changed

owner: => rcritten
rhbz: =>
status: new => accepted

master: a8994fb

resolution: => fixed
status: accepted => closed

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: 1.2

4 years ago

Login to comment on this ticket.

Metadata