Thursday, April 5, 2018

SAML response Difference between IDP and SP initiated SSO

The differences between the two requests are shown in bold.

IdP Initiated SSO
An IdP Initiated SSO flow is a Federation SSO operation that was started from the IdP Security Domain, by the IdP Federation server creating a Federation SSO Response and redirecting the user to the SP with the response message and an optional operational state:

The Federation SSO Response varies depending on the protocol used:
SAML 2.0: SAMLResponse with Assertion
SAML 1.1: Response with Assertion
WS-Fed: Response with Assertion
OpenID 2.0: OpenID 2.0 Response
The optional operation state in this flow will convey the URL where the user should be redirected after the Federation SSO is complete at the SP. If missing, the SP will need to determine where the user should be redirected. This information is conveyed differently depending on the protocol:
SAML 2.0: RelayState parameter
SAML 1.1: TARGET parameter
WS-Fed: wctx parameter
OpenID 2.0: this protocol does not support IdP Initiated SSO flow.


SP Initiated SSO
An SP Initiated SSO flow is a Federation SSO operation that was started from the SP Security Domain, by the SP Federation server creating a Federation Authentication Request and redirecting the user to the IdP with the message and some short string representing the operation state:

The Federation Authentication Request varies depending on the protocol used:
SAML 2.0: AuthnRequest
SAML 1.1: a URL with a parameter representing the SP
WS-Fed: a URL with a wtrealm parameter representing the SP and other optional parameters
OpenID 2.0: OpenID 2.0 Request
The operation state (what the user was doing before the Federation SSO operation started) is conveyed in the message sent to the IdP with the user, not as the whole state, but instead as a pointer to the state in the SP Server's runtime storage. This information is conveyed differently depending on the protocol:
SAML 2.0: RelayState parameter
SAML 1.1: TARGET parameter
WS-Fed: wctx parameter
OpenID 2.0: openid.return_to parameter, an SP URL to which the user is redirected after authentication at the IdP; because the SP generates this URL at runtime, it can carry a query parameter referencing the operational state
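The two RelayState meanings described above (an opaque pointer into the SP's own storage in the SP-initiated flow, a redirect URL chosen on the IdP side in the IdP-initiated flow) are worth seeing side by side, so here is an added example, not code from the original post or from any federation product. It builds a minimal SAML 2.0 AuthnRequest in the HTTP-Redirect encoding and then shows how an SP's Assertion Consumer Service should resolve RelayState in each case; the entity ID, ACS URL, hostname and the in-memory state store are all assumed values constructed for the example.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://sp.example.com/metadata"   # assumed SP identifier
SP_ACS_URL = "https://sp.example.com/saml/acs"     # assumed Assertion Consumer Service URL
SP_STATE = {}   # constructed stand-in for the SP server's runtime storage

def build_authn_request(request_id):
    """Minimal SAML 2.0 AuthnRequest for the SP-initiated flow."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")

def start_sp_initiated_sso(return_url):
    """Store the user's pre-SSO state server side; RelayState carries only a pointer."""
    request_id = "_" + secrets.token_hex(16)
    relay_state = secrets.token_urlsafe(16)
    SP_STATE[relay_state] = {"request_id": request_id, "return_url": return_url}
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(build_authn_request(request_id).encode()) + comp.flush()
    return {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}

def decode_redirect_request(saml_request):
    """Inverse of the HTTP-Redirect encoding, as the IdP would apply it."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def resolve_relay_state(relay_state, in_response_to):
    """At the ACS, after the assertion itself has been validated: pick the post-SSO URL."""
    state = SP_STATE.pop(relay_state, None)
    if state is not None:  # SP-initiated: RelayState points into our own storage
        if state["request_id"] != in_response_to:
            raise ValueError("InResponseTo does not match the stored AuthnRequest ID")
        return state["return_url"]
    # IdP-initiated: no stored state, and RelayState is a URL chosen at the IdP side,
    # so accept it only if it points back into this SP; otherwise use a default page
    parts = urlsplit(relay_state or "")
    if parts.scheme == "https" and parts.netloc == "sp.example.com":
        return relay_state
    return "https://sp.example.com/"
```

Because the SP-initiated pointer is consumed on first use and tied to the AuthnRequest ID, a replayed or mismatched Response cannot reuse it; the IdP-initiated branch treats RelayState as untrusted input and never redirects off-site.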
