2
votes

I am using the SPRING SAML implementation and acting as an SP (e.g. ALPHA). I am able to execute SP-initiated SSO and am able to authenticate the user with the IDP. No issues in this implementation.

But within my application, I need to access another SP (e.g. BETA) URL which is linked to the same IDP. Both the ALPHA and BETA service providers are trusted by the same IDP. In this scenario, after ALPHA authenticates a user with the IDP through SP INIT SSO, I am being asked to enter credentials again when the redirect happens to the BETA SP URL. I understand that the SPs carry different sessions.

How can I enable the login in the BETA SP with the same SAMLCredential which was authenticated through the ALPHA SP? After going through a few documents, I see that it is possible through IDP INIT SSO.

Can anyone tell me how to configure my application to be able to handle SP INIT SSO as well as IDP INIT SSO?

The ALPHA SP is Shibboleth and the other SP is EZproxy.

1
@vschafer can you please look into this issue, as you must have a clear idea on how to initiate an IDP SSO call to another SP from an application which is already able to authenticate using its own SP INIT SSO. – SM KUMAR

1 Answer

2
votes

This seems like a problem with the IDP.

You should simply include an ordinary link on ALPHA which points to BETA. When the user reaches BETA and doesn't have an active session, it should initialize single sign-on with the IDP (just like ALPHA did), and the IDP should re-use the existing session (which should be present after authentication to ALPHA) and not ask for additional credentials. You shouldn't need to take any additional steps on ALPHA.

Typically there's no need for special/additional configuration in order to enable IDP-initialized SSO: when SP-initialized SSO works, IDP-initialized SSO typically works as well.
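The session reuse the answer describes, as an added toy model that is not code from the answer's author, from Spring SAML, Shibboleth or EZproxy: two SPs (ALPHA and BETA, as named in the question) each send their own AuthnRequest to one IdP, and the IdP answers the second one from its existing browser session without showing a credential prompt. The one request attribute that defeats this is `ForceAuthn="true"`, so the model lets you flip it and count prompts. All entity IDs, URLs and the session-cookie name are constructed placeholders.

```python
"""Toy model of two SPs sharing one IdP session (constructed example).

Models the IdP-side behaviour the answer relies on: the browser already
holds an IdP session after logging in via ALPHA, so BETA's SP-initiated
AuthnRequest is answered without a second credential prompt, unless the
request carries ForceAuthn="true".
"""
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, force_authn=False):
    """Minimal <samlp:AuthnRequest> an SP sends on SP-initiated SSO."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(8),
        "Version": "2.0",
        # placeholder ACS URL, not a real endpoint
        "AssertionConsumerServiceURL": f"https://{sp_entity_id.lower()}.example.test/saml/SSO",
    })
    if force_authn:
        req.set("ForceAuthn", "true")   # asks the IdP to re-authenticate regardless of session
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


class IdP:
    """One IdP trusted by both SPs; keeps a server-side session per browser cookie."""

    def __init__(self, trusted_sps):
        self.trusted = set(trusted_sps)
        self.sessions = {}   # cookie value -> authenticated subject
        self.prompts = 0     # number of credential prompts shown to the user

    def handle(self, authn_request_xml, cookies, login=None):
        """Process one AuthnRequest. Returns (response summary, updated browser cookies).

        `login` is the credential the user would type if a prompt appears.
        """
        req = ET.fromstring(authn_request_xml)
        issuer = req.find(f"{{{SAML}}}Issuer").text
        if issuer not in self.trusted:
            raise PermissionError(f"unknown SP {issuer}")
        force = req.get("ForceAuthn", "false").lower() == "true"
        sid = cookies.get("idp_session")          # constructed cookie name
        subject = self.sessions.get(sid)
        if subject is None or force:
            # No usable IdP session (or the SP insisted): prompt for credentials.
            self.prompts += 1
            if login is None:
                raise RuntimeError("credentials required")
            subject = login
            sid = secrets.token_hex(16)
            self.sessions[sid] = subject
            cookies = {**cookies, "idp_session": sid}
        response = {"audience": issuer, "subject": subject, "in_response_to": req.get("ID")}
        return response, cookies


def simulate(beta_force_authn=False):
    """Walk the question's scenario: log in via ALPHA, then follow a plain link to BETA.

    Returns (prompts shown, subject seen by ALPHA, subject seen by BETA, BETA audience).
    """
    idp = IdP(["ALPHA", "BETA"])
    browser = {}   # the user's cookie jar for the IdP origin
    # ALPHA: no IdP session yet, so the user enters credentials once.
    resp_alpha, browser = idp.handle(build_authn_request("ALPHA"), browser, login="alice")
    # Ordinary link from ALPHA to BETA; BETA has no SP session and starts its own SSO.
    resp_beta, browser = idp.handle(
        build_authn_request("BETA", force_authn=beta_force_authn), browser, login="alice")
    return idp.prompts, resp_alpha["subject"], resp_beta["subject"], resp_beta["audience"]


if __name__ == "__main__":
    print("plain link:", simulate())              # one prompt, BETA reuses the IdP session
    print("ForceAuthn:", simulate(beta_force_authn=True))   # second prompt forced by BETA
```

If BETA still prompts in practice, the first things to check are whether BETA's AuthnRequest carries `ForceAuthn="true"`, and whether the IdP session cookie actually reaches the IdP on BETA's redirect (same IdP host, cookie not expired). In Spring SAML the attribute is controlled through `WebSSOProfileOptions.setForceAuthN`, which should be left unset or false for this flow.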