We are a service provider trying to implement SP-initiated SSO using the SAML2 library. I have the following questions:
When an end user tries to access a protected SP application/resource, how should the SP endpoint identify which IdP it should redirect the request to for authentication?
Is there any standard format for accepting the first/initial request from the IdP user?
While redirecting the request to the IdP, what is the standard format for sending the response to the IdP?
Our tech stack: ASP.NET (4.5) MVC, C# and the Sustainsys SAML2 library
Our client (in SSO terms the IdP, identity provider) is using: SP-initiated SAML on Azure AD
Using the SAML2 library I have implemented IdP-initiated SSO, in which the IdP hits our endpoint with a SAML response and we validate it with the IdP certificate, extract attributes, etc.
So for SP-initiated I have the following:
[Route("RequestAccess")]
[HttpPost]
public ActionResult InitialRequest()
{
    // How do I identify the user and their IdP URL?
    // What should the return type be? (To redirect the user to the IdP)
}
// Once validated, the IdP can hit our existing endpoint, which validates the assertion and redirects the user. I implemented this part and it works well in the IdP-initiated setup.
[Route("AssertionConsumer")]
[HttpPost]
public ActionResult ValidateIdpRequest()
{
    var options = Saml2Controller.Options; // Coming from config
    CommandResult result = CommandFactory.GetCommand(CommandFactory.AcsCommandName)
        .Run(Request.ToHttpRequestData(), options);
    string userName = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    // Set the cookie in the response
    // Return
}
What am I missing? Any suggestions/questions are welcome.
For the SP-initiated scenario, nothing I found online has an example or explains it clearly.
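As an added example (not the poster's code), here is the SP-initiated entry point written with the same Sustainsys command pattern the question already uses for the ACS: the SignIn command selects the IdP and builds the AuthnRequest redirect. It assumes the Sustainsys.Saml2.Mvc package, whose `ApplyCookies`/`ToActionResult` helper names are taken from its own Saml2Controller as of the 2.x line and should be checked against the version in use; the controller name `SsoController` and the route are made up for the example.

```csharp
// Added example: SP-initiated sign-in entry point for Sustainsys.Saml2 on ASP.NET MVC.
// Not the poster's code; helper names assume Sustainsys.Saml2.Mvc 2.x (check your version).
using System.Web.Mvc;
using Sustainsys.Saml2.Mvc;     // Saml2Controller, Request.ToHttpRequestData(), ApplyCookies(), ToActionResult()
using Sustainsys.Saml2.WebSso;  // CommandFactory, CommandResult

public class SsoController : Controller   // hypothetical controller name
{
    // Step 1: a protected resource sees an anonymous user and redirects here,
    // passing the resource it wanted as ReturnUrl. There is no SAML message on this
    // request yet; it is an ordinary local GET.
    [Route("RequestAccess")]
    [HttpGet]
    public ActionResult InitialRequest(string returnUrl, string idp)
    {
        var options = Saml2Controller.Options; // the same config object the ACS action uses

        // Which IdP? The SignIn command reads the "idp" query parameter (the IdP's
        // EntityId exactly as configured under <identityProviders> in web.config),
        // otherwise falls back to the single configured IdP, or to the discovery
        // service when one is configured. For Azure AD the EntityId is the tenant's
        // https://sts.windows.net/<tenant-id>/ value (placeholder here).
        // ReturnUrl is validated as a local URL so it cannot be used for an open redirect.
        CommandResult result = CommandFactory.GetCommand(CommandFactory.SignInCommandName)
            .Run(Request.ToHttpRequestData(), options);

        // Step 2: the result is an HTTP 302 to the IdP's SSO endpoint carrying the
        // AuthnRequest in the SAMLRequest query parameter (HTTP-Redirect binding) plus
        // RelayState. ApplyCookies also sets a short-lived cookie holding the request ID
        // so the ACS can verify the response's InResponseTo and reject unsolicited or
        // replayed responses when SP-initiated flow is expected.
        result.ApplyCookies(Response, emitSameSiteNone: false);
        return result.ToActionResult();
    }
}
```

Step 3 is the existing AssertionConsumer action in the question: the same `ApplyCookies`/`ToActionResult` pair on its `CommandResult` sets the session cookie and redirects the user to the ReturnUrl that the SignIn command stored.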