Posted to dev@syncope.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2017/08/15 16:38:23 UTC

IdP initiated SAML SSO

Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
support IdP initiated SAML SSO as well.

I have got this working in an interop test with Okta, by commenting out the
RelayState processing, and removing passing
relayState.getJwtClaims().getSubject() through to the validation process.

Any thoughts on how best to handle this scenario? Add a configuration
switch to allow the IdP initiated flow for a given IdP?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: IdP initiated SAML SSO

Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks for the feedback, let me experiment with this and get back to you.

Colm.

On Thu, Aug 17, 2017 at 2:15 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
>
>> Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
>> support IdP initiated SAML SSO as well.
>>
>> I have got this working in an interop test with Okta, by commenting out the
>> RelayState processing, and removing passing
>> relayState.getJwtClaims().getSubject() through to the validation process.
>>
>> Any thoughts on how best to handle this scenario? Add a configuration
>> switch to allow the IdP initiated flow for a given IdP?
>>
>
> Hi Colm,
> the relay state processing and validation could be optionally disabled
> according to some switch passed to the Agent by the IdP itself (as a
> request param, for example) and then added by the Agent into the REST call
> which ends up in SAML2SPLogic.
>
> Having a further setting for IdP conf to explicitly authorize
> IdP-initiated scenarios makes sense too, to me.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: IdP initiated SAML SSO

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
> Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
> support IdP initiated SAML SSO as well.
>
> I have got this working in an interop test with Okta, by commenting out the
> RelayState processing, and removing passing
> relayState.getJwtClaims().getSubject() through to the validation process.
>
> Any thoughts on how best to handle this scenario? Add a configuration
> switch to allow the IdP initiated flow for a given IdP?

Hi Colm,
the relay state processing and validation could be optionally disabled 
according to some switch passed to the Agent by the IdP itself (as a 
request param, for example) and then added by the Agent into the REST 
call which ends up in SAML2SPLogic.

Having a further setting for IdP conf to explicitly authorize 
IdP-initiated scenarios makes sense too, to me.

Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
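A sketch, added here and not code from Syncope, of how the two switches discussed in this thread (a request param carried by the Agent into the REST call, plus a per-IdP "IdP-initiated allowed" setting) could gate the RelayState check inside something like SAML2SPLogic. All names (IdpConfig, RelayState, check) are hypothetical stand-ins and it assumes Java 17 for records; the point it makes is that the request param alone never unlocks the unsolicited path.

```java
import java.util.Objects;

// Hypothetical model, not Syncope's own classes: the decision a SAML SP makes
// about whether a Response may be accepted without the RelayState binding.
public class IdpInitiatedGate {

    /** Per-IdP setting proposed in the thread: may this IdP send unsolicited responses? */
    public record IdpConfig(String entityId, boolean idpInitiatedAllowed) {}

    /** Claims recovered from the SP-issued RelayState token (stand-in for the JWT claims). */
    public record RelayState(String requestId, String subject) {}

    public record Outcome(boolean accepted, String reason) {}

    /**
     * @param idp           configuration of the IdP that issued the Response
     * @param idpInitiated  switch passed by the IdP and forwarded by the Agent (request param)
     * @param relayState    decoded RelayState, or null when the Response carried none
     * @param inResponseTo  InResponseTo attribute of the Response, or null when unsolicited
     * @param assertionSubj NameID taken from the already signature-validated assertion
     */
    public static Outcome check(IdpConfig idp, boolean idpInitiated, RelayState relayState,
                                String inResponseTo, String assertionSubj) {
        if (!idpInitiated) {
            // SP-initiated flow: RelayState is mandatory and binds subject and request together.
            if (relayState == null) {
                return new Outcome(false, "missing RelayState in SP-initiated flow");
            }
            if (!Objects.equals(relayState.requestId(), inResponseTo)) {
                return new Outcome(false, "InResponseTo does not match the RelayState request id");
            }
            if (!Objects.equals(relayState.subject(), assertionSubj)) {
                return new Outcome(false, "assertion subject differs from RelayState subject");
            }
            return new Outcome(true, "SP-initiated response bound to its request");
        }
        // IdP-initiated flow: the request param is client-controlled, so the IdP must also be
        // explicitly authorised in its configuration, and the Response must really be unsolicited.
        if (!idp.idpInitiatedAllowed()) {
            return new Outcome(false, "IdP " + idp.entityId() + " not authorised for IdP-initiated SSO");
        }
        if (inResponseTo != null) {
            return new Outcome(false, "unsolicited response must not carry InResponseTo");
        }
        return new Outcome(true, "IdP-initiated response accepted for " + idp.entityId());
    }

    public static void main(String[] args) {
        IdpConfig okta = new IdpConfig("https://idp.example.test/okta", true);   // constructed
        System.out.println(check(okta, true, null, null, "alice"));              // accepted
        System.out.println(check(new IdpConfig("https://idp.example.test/other", false),
                                 true, null, null, "alice"));                    // rejected
    }
}
```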