0 votes

I'm setting up an SSO solution using Azure AD as the IdP, using SAML2 token authentication.

Our Service providers are both on premise and off premise applications. Although I understand the principles of SSO in these environments, I need clarity around SP Initiated SSO.

When an end user, who is working from home using their personal PC, tries to access an off-site application via a URL, how does the SP recognize, or identify, which IdP it should redirect their browser to for validation?


3 Answers

1 vote

SP Initiated has the flow:

User --> application --> IDP --> authenticate --> back to application with token.

The application is configured for the IDP URL.

0 votes

The SP would have previously been configured (by administrators, developers, etc.) with information about the IdP. One of those pieces of information is the "Login URL", which is the IdP URL to which the SP should send the authentication request.

The IdP would also have been preconfigured with information about the SP, for example, where to send the IdP's authentication response (a.k.a. "assertion") containing information about the user. (That is known as the "Assertion Consumer Service")

-1 votes

In an SP-initiated flow the SP simply does not redirect the user to the IdP, but accepts the user credentials and makes an authentication request to the IdP.

An SP would set the IdP URL in its code or configuration based on the implementation it chooses.

You could also exchange metadata files between SP and IdP. A metadata file is nothing else but an XML file which tells the basic organization, POC and URL info. So you could ask for the SP metadata for your IdP to recognize the SP, and the SP could ask for your IdP's metadata to identify you when an assertion reaches there.

This site gives a good picture of what metadata looks like: https://www.samltool.com/online_tools.php
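As an added example (not posted by any of the answerers), the following Python script ties the two answers above together: it reads constructed IdP and SP metadata documents, extracts the IdP "Login URL" (the `SingleSignOnService` endpoint) and the SP's `AssertionConsumerService`, and then builds the HTTP-Redirect-binding URL an SP sends an unauthenticated browser to. The entity IDs, hostnames and paths are made-up placeholders, the `AuthnRequest` is left unsigned for brevity (a real SP would sign it or the IdP should be configured to require signatures), and only Python's standard library is used.

```python
"""Added example: how an SP finds its IdP and builds the SP-initiated redirect.

The SP does not discover the IdP at runtime; it was configured with the IdP's
metadata beforehand. This script parses constructed SAML 2.0 metadata for a
fictional IdP and SP, pulls out the endpoints the answers above mention, and
produces the 302 Location the user's browser would receive.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata; the shape matches what an IdP publishes, the values are fake.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata; this is what the SP hands to the IdP administrator.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def idp_login_url(metadata_xml, binding=REDIRECT_BINDING):
    """Return (entityID, SingleSignOnService Location) for the requested binding."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == binding:
            return root.get("entityID"), sso.get("Location")
    raise ValueError("IdP metadata has no SingleSignOnService for " + binding)


def sp_acs_url(metadata_xml):
    """Return (entityID, AssertionConsumerService Location) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("SP metadata has no AssertionConsumerService")
    return root.get("entityID"), acs.get("Location")


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None):
    """Minimal unsigned AuthnRequest; a production SP signs this."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{POST_BINDING}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_location(authn_request_xml, idp_sso_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # where to send the user after login
    return idp_sso_url + "?" + urlencode(params)


def decode_saml_request(location):
    """Inverse of redirect_location; handy when inspecting what an SP actually sent."""
    query = parse_qs(urlparse(location).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def sp_initiated_redirect(relay_state="/reports/42"):
    """What the SP does for an unauthenticated request: look up its configured
    IdP endpoint and return the Location header value for the 302 response."""
    _, sso_url = idp_login_url(IDP_METADATA)
    sp_id, acs = sp_acs_url(SP_METADATA)
    return redirect_location(build_authn_request(sp_id, acs, sso_url), sso_url, relay_state)


if __name__ == "__main__":
    loc = sp_initiated_redirect()
    print("302 Location:", loc)
    print(decode_saml_request(loc))
```

The point the script makes is the one the accepted-style answers give: the SP never asks the browser which IdP to use; it reads the `SingleSignOnService` location out of the metadata it was configured with, and the IdP in turn already knows the SP's `AssertionConsumerService` from the SP's metadata, so the round trip works the same whether the user sits on the corporate network or on a home PC.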