My customer wants me to implement some stuff for an SP-initiated web SSO scenario that deals with an SP running in our DMZ and redirecting an unauthorized web access to an IdP hosted by another operator/company inside (what a surprise) their DMZ.
I am a bit confused about this scenario, because I remember that, strictly speaking, this would require a federation between two IdPs: their IdP and ours, which actually does not exist.
Besides, I figured out that the idea behind the SAML artifact protocol is to save resources and to communicate more securely by accessing the SP directly from the IdP, instead of using HTML redirects over the internet. But when IdP and SP are running in different domains, there will still be access through the internet (danger zone).
Am I right that the given network architecture results from a misunderstanding of the SAML2 specification? Are there any security impacts (like man-in-the-middle)?
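As an added example (not part of the question above, and not anyone's production code), here is a self-contained Python model of the SAML 2.0 artifact binding. It shows what actually crosses the untrusted network in that binding: the browser carries only the 44-byte artifact (type code, endpoint index, SourceID, message handle), while the SP fetches the assertion itself over a direct back-channel ArtifactResolve to the IdP, which the IdP authenticates and honours exactly once. The entity IDs, the shared HMAC key standing in for XML-DSig, and the direct method call standing in for the SOAP-over-mutual-TLS back-channel are all constructed assumptions for the example; the checks on the SP side (SourceID, signature, issuer, audience, expiry) and on the IdP side (caller identity, single use) are the ones a deployment across two DMZs depends on.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed model of the SAML 2.0 artifact binding (HTTP-Artifact + ArtifactResolve).
# HMAC stands in for XML-DSig; a direct Python call stands in for SOAP over mutual TLS.

ARTIFACT_TYPE_CODE = 0x0004  # SAML 2.0 artifact type; 44 raw bytes before base64


def encode_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Build a type-0x0004 artifact: TypeCode | EndpointIndex | SourceID | MessageHandle."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()  # 20-byte SourceID
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode()


def decode_artifact(artifact: str) -> dict:
    """Parse an artifact; note it carries no subject, attributes or assertion at all."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44:
        raise ValueError("unexpected artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    return {"type_code": type_code, "endpoint_index": endpoint_index,
            "source_id": raw[4:24], "handle": raw[24:44]}


def _canon(assertion: dict) -> bytes:
    """Canonical byte form of the assertion fields, excluding the signature itself."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()


class IdP:
    def __init__(self, entity_id: str, signing_key: bytes, trusted_sps):
        self.entity_id = entity_id
        self.key = signing_key
        self.trusted_sps = set(trusted_sps)  # SPs whose back-channel identity we accept
        self.pending = {}                    # message handle -> assertion, single use

    def issue_artifact(self, subject: str, sp_entity_id: str, ttl: int = 300) -> str:
        """Front-channel step: mint an assertion, keep it, hand the browser only an artifact."""
        assertion = {"issuer": self.entity_id, "subject": subject,
                     "audience": sp_entity_id, "not_on_or_after": int(time.time()) + ttl}
        assertion["signature"] = hmac.new(self.key, _canon(assertion), hashlib.sha256).hexdigest()
        handle = secrets.token_bytes(20)
        self.pending[handle] = assertion
        return encode_artifact(self.entity_id, 0, handle)

    def resolve_artifact(self, artifact: str, caller_entity_id: str):
        """Back-channel ArtifactResolve; in practice the caller identity comes from mutual TLS."""
        if caller_entity_id not in self.trusted_sps:
            return None
        parsed = decode_artifact(artifact)
        assertion = self.pending.pop(parsed["handle"], None)  # pop: one resolution only
        if assertion is None or assertion["audience"] != caller_entity_id:
            return None
        return assertion


class SP:
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key  # shared key models holding the IdP's verification key

    def verify(self, assertion: dict) -> bool:
        expected = hmac.new(self.idp_key, _canon(assertion), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, assertion.get("signature", ""))
                and assertion["issuer"] == self.idp_entity_id
                and assertion["audience"] == self.entity_id
                and assertion["not_on_or_after"] > time.time())

    def consume_artifact(self, artifact: str, idp: IdP):
        """Assertion Consumer Service: validate the artifact, then resolve it directly at the IdP."""
        parsed = decode_artifact(artifact)
        if parsed["type_code"] != ARTIFACT_TYPE_CODE:
            return None
        if parsed["source_id"] != hashlib.sha1(self.idp_entity_id.encode()).digest():
            return None  # artifact names an issuer we have no federation with
        assertion = idp.resolve_artifact(artifact, self.entity_id)  # back-channel call
        if assertion is None or not self.verify(assertion):
            return None
        return assertion["subject"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    idp = IdP("https://idp.example.org", key, ["https://sp.example.com"])
    sp = SP("https://sp.example.com", "https://idp.example.org", key)
    art = idp.issue_artifact("alice", "https://sp.example.com")
    print("browser carries:", art)
    print("SP resolved subject:", sp.consume_artifact(art, idp))
    print("replayed artifact:", sp.consume_artifact(art, idp))
```

The point the model makes for a split-DMZ deployment: the browser redirect between the two domains only ever carries the artifact, and the sensitive exchange is the SP's own outbound connection to the IdP's resolution endpoint, so that is the link that needs a pre-agreed trust relationship (metadata, certificates, mutual TLS) between the two operators.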