I'm tasked with developing an SSO system with SAML. I have to log in to the identity provider (via a mobile app) and redirect to my site after authentication.

After some research I think I understand the interaction between a Service Provider and an Identity Provider and how a user's identity is confirmed.

But what happens when I redirect the user to another Service Provider? How can I transfer the authenticated user's identity to my site without logging in once again with the Identity Provider?

Must I send the SAML assertion tokens along with the redirect request?

1 Answer

Yes. This happens seamlessly if you use service provider-initiated SSO flow.

When you try to access a resource on any SAML-speaking service provider, if you're not authenticated at the service provider, you'll be redirected back to the identity provider. Let's say this is the first time it happened. The identity provider would prompt for authentication and, following that, it would send a SAML response to the service provider. Now you try to access a resource on another SAML service provider. You would again be redirected to the identity provider, but this time you won't be prompted for authentication as long as your security context (session, etc.) at the identity provider is still alive. The identity provider will silently send a SAML response to the second service provider.
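The flow the answer describes, as an added simulation that is not part of the original post or of any SAML library: two service providers share one identity provider, the browser carries only cookies between them, and the identity provider keeps a security context after the first login so the second SP's redirect is answered silently. The second SP never receives the first SP's assertion; it gets its own, addressed to its own entityID. Everything here is constructed: the entityIDs, the user, and the HMAC "signature", which stands in for the XML-DSig (and public-key verification) a real deployment uses. The assertion consumer check also shows why forwarding the first assertion would not work: audience, InResponseTo and expiry are all verified.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

IDP_SIGNING_KEY = b"constructed-demo-key"  # stand-in for the IdP's signing key (assumption)


@dataclass
class Assertion:
    """Constructed stand-in for a SAML assertion: only the fields the SP checks."""
    subject: str
    audience: str          # entityID of the SP this assertion is addressed to
    in_response_to: str    # ID of the AuthnRequest that triggered it
    not_on_or_after: float
    signature: str = ""

    def payload(self) -> bytes:
        return f"{self.subject}|{self.audience}|{self.in_response_to}|{self.not_on_or_after}".encode()

    def sign(self) -> None:
        self.signature = hmac.new(IDP_SIGNING_KEY, self.payload(), hashlib.sha256).hexdigest()


class Browser:
    """The user agent: all it carries between the parties is its cookie jar."""
    def __init__(self):
        self.cookies = {}


class IdentityProvider:
    def __init__(self, users):
        self.users = users      # subject -> password (constructed)
        self.sessions = {}      # idp_session cookie -> (subject, expiry)
        self.prompts = 0        # how many times the user was asked to log in

    def handle_authn_request(self, sp_entity_id, request_id, browser, credentials):
        """Answer an AuthnRequest. Prompt only when no live security context exists."""
        sess = self.sessions.get(browser.cookies.get("idp_session"))
        if sess and sess[1] > time.time():
            subject = sess[0]                       # silent SSO: reuse the IdP session
        else:
            self.prompts += 1
            subject, password = credentials()
            if self.users.get(subject) != password:
                raise PermissionError("bad credentials")
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = (subject, time.time() + 3600)
            browser.cookies["idp_session"] = cookie
        assertion = Assertion(subject, sp_entity_id, request_id, time.time() + 300)
        assertion.sign()                            # a fresh assertion per SP
        return assertion


class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id, self.idp = entity_id, idp
        self.pending = {}       # outstanding AuthnRequest IDs we issued
        self.sessions = {}      # sp_session cookie -> subject

    def access_resource(self, browser, credentials):
        """Return the authenticated subject, running SP-initiated SSO if needed."""
        cookie = browser.cookies.get(f"sp_session:{self.entity_id}")
        if cookie in self.sessions:
            return self.sessions[cookie]
        request_id = "_" + secrets.token_hex(8)   # redirect to the IdP with an AuthnRequest
        self.pending[request_id] = time.time()
        assertion = self.idp.handle_authn_request(self.entity_id, request_id, browser, credentials)
        return self.consume(browser, assertion)   # the IdP posts the Response back to us

    def consume(self, browser, assertion):
        """Assertion Consumer Service: verify before creating a local session."""
        expected = hmac.new(IDP_SIGNING_KEY, assertion.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.signature):
            raise PermissionError("bad signature")
        if assertion.audience != self.entity_id:
            raise PermissionError("assertion addressed to another SP")
        if assertion.in_response_to not in self.pending:
            raise PermissionError("unsolicited or replayed assertion")
        if assertion.not_on_or_after <= time.time():
            raise PermissionError("assertion expired")
        del self.pending[assertion.in_response_to]   # one-time use of the request ID
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = assertion.subject
        browser.cookies[f"sp_session:{self.entity_id}"] = cookie
        return assertion.subject


def run_demo():
    """Two SPs, one IdP: the second access must not prompt again."""
    idp = IdentityProvider({"alice": "correct horse"})
    sp1 = ServiceProvider("https://sp1.example", idp)
    sp2 = ServiceProvider("https://sp2.example", idp)
    browser = Browser()
    creds = lambda: ("alice", "correct horse")
    first = sp1.access_resource(browser, creds)
    second = sp2.access_resource(browser, creds)
    return idp.prompts, first, second


def replay_rejected():
    """An assertion minted for sp1 is rejected if presented to sp2."""
    idp = IdentityProvider({"alice": "correct horse"})
    sp1 = ServiceProvider("https://sp1.example", idp)
    sp2 = ServiceProvider("https://sp2.example", idp)
    browser = Browser()
    assertion = idp.handle_authn_request(sp1.entity_id, "_req1", browser, lambda: ("alice", "correct horse"))
    try:
        sp2.consume(browser, assertion)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())  # (1, 'alice', 'alice')
```

Running it shows one password prompt for two service providers, and `replay_rejected()` shows that handing SP1's assertion to SP2 fails the audience check, which is why the redirect to the second site does not carry the first site's tokens: each SP sends its own AuthnRequest and gets its own response.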