ComponentSpace Forums

Multi-level SSO & SLO

idpInitiatedSSOUser
Group: Forum Members
Posts: 22, Visits: 101
Hello ComponentSpace Team,

We have a requirement where one client will be sending an SSO request for their users (after Windows authentication) to our main application; based on the user, we need to take the user to different applications built on different technologies.

The client is acting as IdP and we are using IdP-initiated SSO (it should also support SP-initiated SSO in the future if the client asks).

The main application is acting as SP and is receiving the request through a .NET Core Web API. A user may have access to multiple applications (main application/portal, another app APP1, another app APP2, ... APPn). APP1 is an ASP.NET web application, APP2 is an Angular application, APP3 is an MVC application, and so on.

What is the recommended SAML architecture we should follow in this scenario?
We are thinking of having two levels of SAML:

     Client (IdP) to Main Application/Portal (SP) ---> IdP-initiated SSO (Level 1)
     Main Application/Portal (IdP) to APP1/APP2 ... APPn ---> IdP-initiated SSO (Level 2)

The client doesn't want to configure or send which application the user wants to access; users can have access to the Main Application and/or APP1 and/or APP2 and/or ... APPn.

Please let us know the recommendations from the ComponentSpace team.

ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
What you've outlined is what we recommend. Your main application acts as a proxy for your other applications. To the external IdPs it acts as an SP. To the internal SPs it acts as an IdP.

An IdP-initiated SSO flow would be:

1. External IdP sends a SAML response + relay state to the SP.
2. SP uses the relay state to identify the target application.
3. SP, now acting as an IdP, sends a SAML response to the target SP.

I described using relay state as the way the external IdP identifies which application to SSO to but you can use whatever mechanism you prefer.

Regards
ComponentSpace Development
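The two-level flow above as an added example (not ComponentSpace's own code): an ASP.NET Core controller on the main application that receives the external IdP's response (Level 1), resolves the relay state against an allowlist of internal SPs registered in the proxy's IdP configuration, and only then initiates SSO to that SP in its IdP role (Level 2). It assumes the ComponentSpace SAML for ASP.NET Core interfaces ISamlServiceProvider.ReceiveSsoAsync() and ISamlIdentityProvider.InitiateSsoAsync(); the partner names and relay state values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using ComponentSpace.Saml2;      // assumed: ISamlServiceProvider, ISamlIdentityProvider
using Microsoft.AspNetCore.Mvc;

public class SamlProxyController : Controller
{
    // Allowlist: relay state value expected from the external IdP -> partner SP name registered
    // in the proxy's own IdP configuration. Placeholder values; any other relay state is rejected.
    private static readonly IReadOnlyDictionary<string, string> TargetApps =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["app1"] = "https://app1.example.internal",
            ["app2"] = "https://app2.example.internal",
            ["app3"] = "https://app3.example.internal",
        };

    private readonly ISamlServiceProvider _sp;   // proxy's SP role (Level 1)
    private readonly ISamlIdentityProvider _idp; // proxy's IdP role (Level 2)

    public SamlProxyController(ISamlServiceProvider sp, ISamlIdentityProvider idp) { _sp = sp; _idp = idp; }

    // Maps a relay state to a registered internal SP; null when the value is absent or unknown.
    public static string ResolveTarget(string relayState)
    {
        if (string.IsNullOrWhiteSpace(relayState))
            return null;
        return TargetApps.TryGetValue(relayState.Trim().ToLowerInvariant(), out var partner) ? partner : null;
    }

    // Level 1: assertion consumer service that the external IdP posts its SAML response to.
    [HttpPost("SAML/AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        // ReceiveSsoAsync validates the response (signature, audience, conditions) before returning.
        var sso = await _sp.ReceiveSsoAsync();
        var target = ResolveTarget(sso.RelayState);
        if (target == null)
            return BadRequest("Unknown target application.");

        // Application-specific step: confirm sso.UserID is entitled to 'target' before proxying,
        // since a user may hold access to only a subset of the portal's applications.

        // Level 2: the proxy now acts as IdP and sends its own SAML response to the internal SP.
        await _idp.InitiateSsoAsync(target, sso.UserID, sso.Attributes);
        return new EmptyResult();   // the SAML response has already been written to the HTTP response
    }
}
```

Because the relay state is supplied by the external IdP, treating it as an untrusted lookup key rather than as a redirect target keeps an unexpected value from sending the user's assertion to an SP the proxy has not registered.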
idpInitiatedSSOUser
Group: Forum Members
Posts: 22, Visits: 101
ComponentSpace - 10/10/2019
What you've outlined is what we recommend. Your main application acts as a proxy for your other applications. To the external IdPs it acts as an SP. To the internal SPs it acts as an IdP.

An IdP-initiated SSO flow would be:

1. External IdP sends a SAML response + relay state to the SP.
2. SP uses the relay state to identify the target application.
3. SP, now acting as an IdP, sends a SAML response to the target SP.

I described using relay state as the way the external IdP identifies which application to SSO to but you can use whatever mechanism you prefer.

Thank you for the quick response.

ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development