Discussion:
Is there any way for an SP initiated application to be able to initiate from the IDP
csross
2014-08-27 15:22:40 UTC
I run shibboleth v2.4.3 SP on Solaris 10, protecting many sites. No
problems.

I have a new customer who said they do not want their users to log back
into the IDP when redirected from my SP, since they have already logged into
their IDP earlier for other reasons. The client says that all the login
information is contained in the headers or tokens in the browser, so when
they access the SP, it should automatically be able to retrieve the login
information from the headers and access the protected application without
the user doing anything.

I do not have the knowledge to answer that question. I had another client
try access my SP from the IDP and it just looped between the two, as I would
expect.

Is there any way for an SP initiated application to be able to initiate from
the IDP?

Thanks so much.

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Is-there-any-way-for-an-SP-initiated-application-to-be-able-to-initiate-from-the-IDP-tp7606113.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Paul Hethmon
2014-08-27 15:29:23 UTC
On Aug 27, 2014, at 11:22 AM, csross <cross-***@public.gmane.org> wrote:

> I have a new customer who said they do not want their users to log back
> into the IDP when redirected from my SP, since they have already logged into
> their IDP earlier for other reasons. The client says that all the login
> information is contained in the headers or tokens in the browser, so when
> they access the SP, it should automatically be able to retrieve the login
> information from the headers and access the protected application without
> the user doing anything.

Your new customer needs to fix their IdP session time if it is a problem. Sending the redirect to the IdP when you don't have a session is the proper thing to do. If the user has a session, they don't have to login again. If they don't have a session, they login.

Just to check, are you forcing re-authentication by sending that in the AuthnRequest?

Paul


Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org
csross
2014-08-27 15:42:58 UTC
Hi,

Thanks for the response. I haven't set up anything with the client yet. He
is just saying that when we do, the user should not have to log into the IDP
since they have already logged in for some other application. I have another
customer who is starting to indicate that they want to be able to access the
application without having to log into their IDP again.

If a user logs into an IDP for some other application, and then they access
our application by clicking on a link, will the proper packets be sent to my
SP so that it automatically logs them in? I hope I am explaining it
correctly.

Thank you.

csross
2014-08-27 15:47:26 UTC
I have reread your response and forgot to answer your question. I have the
default SP configuration with regards to AuthnRequest.

Thank you.

Paul Hethmon
2014-08-27 15:52:52 UTC
On Aug 27, 2014, at 11:42 AM, csross <cross-***@public.gmane.org> wrote:

> Thanks for the response. I haven't set up anything with the client yet. He
> is just saying that when we do, the user should not have to log into the IDP
> since they have already logged in for some other application. I have another
> customer who is starting to indicate that they want to be able to access the
> application without having to log into their IDP again.

That is totally up to their IdP and its settings.

> If a user logs into an IDP for some other application, and then they access
> our application by clicking on a link, will the proper packets be sent to my
> SP so that it automatically logs them in? I hope I am explaining it
> correctly.

Go look up and read the OASIS SAML executive and technical overview documents.

Your application session is independent of any other sessions the user may have. The IdP is responsible for maintaining sessions with the browser so it knows when to grant access to your application by recognizing an existing session it has with the user or requiring the user to login again.

The only thing you can do to influence that behavior is to send the ForceAuthn attribute in the AuthnRequest. Almost all uses of that attribute are incorrect. Shib SP does not send it by default (pretty sure). That is the way you want it to be.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org
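To make the session behaviour Paul describes in his two replies concrete, here is an added illustration that is not part of the thread and not Shibboleth code. It is a constructed toy model in Python: the SP builds a minimal SAML 2.0 AuthnRequest (with or without ForceAuthn), and a stand-in IdP holding browser sessions with a lifetime decides whether an existing session can be reused or the user must be prompted again. Entity IDs, URLs, cookie values, the principal "alice" and the session lifetime are all made-up values; the IdP decision logic is a simplification for illustration, not a real IdP's policy engine.

```python
"""Toy model of the SP -> IdP decision discussed in the thread.

Constructed example (not Shibboleth code): an SP builds a SAML 2.0
AuthnRequest, and a stand-in IdP that already holds a browser session
decides whether it can reuse that session or must prompt for credentials.
Only the IdP's own session state and the ForceAuthn attribute on the
request affect that decision; the SP's application session does not.
"""
import time
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, force_authn=False):
    """SP side: serialise a minimal AuthnRequest. ForceAuthn is only
    emitted when explicitly asked for, mirroring the default of not sending it."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def force_authn_requested(authn_request_xml):
    """IdP side: read ForceAuthn, an xs:boolean in SAML (absent means false)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


class IdPSessionStore:
    """Browser-to-IdP sessions keyed by an opaque cookie value, with a lifetime
    (the 'IdP session time' the first reply refers to)."""

    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds
        self._sessions = {}  # cookie -> (principal, authenticated_at)

    def login(self, cookie, principal, now):
        self._sessions[cookie] = (principal, now)

    def lookup(self, cookie, now):
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        principal, authenticated_at = entry
        if now - authenticated_at > self.lifetime:
            del self._sessions[cookie]  # expired: treat as no session
            return None
        return principal


def idp_decide(store, cookie, authn_request_xml, now):
    """Return ("sso", principal) when an existing IdP session satisfies the
    request, otherwise ("prompt", None): no usable session, or ForceAuthn set."""
    principal = store.lookup(cookie, now)
    if principal is None or force_authn_requested(authn_request_xml):
        return ("prompt", None)
    return ("sso", principal)


if __name__ == "__main__":
    # Constructed scenario: the user logged into the IdP earlier for another app.
    store = IdPSessionStore(lifetime_seconds=8 * 3600)
    t0 = 1_700_000_000
    store.login("cookie-abc", "alice", t0)
    sp = "https://sp.example.org/shibboleth"                  # hypothetical entityID
    acs = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # hypothetical ACS URL
    plain = build_authn_request(sp, acs)
    forced = build_authn_request(sp, acs, force_authn=True)
    print(idp_decide(store, "cookie-abc", plain, t0 + 60))        # ('sso', 'alice')
    print(idp_decide(store, "cookie-abc", forced, t0 + 60))       # ('prompt', None)
    print(idp_decide(store, "cookie-abc", plain, t0 + 9 * 3600))  # ('prompt', None): expired
```

The three printed cases are the thread's three situations: a live IdP session and a plain request gives silent SSO; the same session with ForceAuthn set makes the IdP prompt anyway, which is why leaving ForceAuthn off is the right default for the question asked; and a session past the IdP's lifetime prompts regardless of what the SP sends, which is the "fix their IdP session time" point.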
csross
2014-08-28 19:39:03 UTC
What a great document "OASIS technical overview". Thank you for your
suggestion and help.
