ComponentSpace Forums

SSO without IDP redirection

Natasha (New Member, Forum Members)
How can we implement SSO using SAML 2.0 without redirection? Are there any low-level APIs in ComponentSpace that can be used to post a username/password to the IDP and get a SAML assertion as the response?

ComponentSpace Development (Administrators)
This isn't supported by the SAML specification.
To achieve SAML SSO, the service provider must redirect to the identity provider. This is done by sending a SAML authn request either using an HTTP Redirect or HTTP Post (via the browser).
The SAML authn request may include the user's name and we support sending this but many identity providers don't support receiving the user name and will ignore it.
You cannot send the user's password for security reasons.
Login must occur at the identity provider site.
This isn't a limitation in our product but rather good security practice imposed by the SAML specification.

Regards
ComponentSpace Development
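The flow described in the reply above, as an added example and not ComponentSpace's own code (ComponentSpace is a .NET library; this is standard-library Python): the service provider builds a SAML 2.0 AuthnRequest, optionally carrying the user's name as a Subject NameID hint, encodes it for the HTTP-Redirect binding, and sends the browser to the identity provider. The only user data the request can carry is that optional name; there is no field for a password, because authentication happens at the IdP. The decode/inspect functions show what a defender reviewing SSO traffic would recover from such a redirect. The SP and IdP URLs, entity IDs and the user name are constructed sample values.

```python
"""SAML 2.0 AuthnRequest construction and HTTP-Redirect binding (added example).

Assumptions (not from the forum post): the SP entity ID, ACS URL, IdP SSO URL
and user name below are constructed placeholders.
"""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        subject_name_id=None, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML the SP sends to the IdP.

    The only user data that can ride along is an optional <saml:Subject>/<saml:NameID>
    hint, which the IdP may ignore. There is deliberately no place for a password:
    the user authenticates at the IdP, never through the SP.
    """
    # XML IDs must be NCNames, so they start with a letter or underscore, not a digit.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,               # IdP SSO endpoint the browser is sent to
        "ProtocolBinding": POST_BINDING,          # how the IdP should deliver its response
        "AssertionConsumerServiceURL": acs_url,   # where the SP receives that response
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    if subject_name_id:
        subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
        name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                                {"Format": NAMEID_UNSPECIFIED})
        name_id.text = subject_name_id
    return ET.tostring(root, encoding="unicode")


def redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """Reverse the HTTP-Redirect binding, e.g. when reviewing an SSO redirect in logs."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def inspect_authn_request(authn_request_xml):
    """Report what the request actually carries: issuer, endpoints, optional NameID hint."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "name_id": name_id.text if name_id is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample SP/IdP values.
    xml = build_authn_request("https://sp.example.com/metadata",
                              "https://sp.example.com/saml/acs",
                              "https://idp.example.com/sso",
                              subject_name_id="natasha@example.com")
    url = redirect_url("https://idp.example.com/sso", xml, relay_state="/dashboard")
    print(url)
    print(inspect_authn_request(decode_redirect_url(url)))
```

In production the request would also be signed (the Redirect binding carries the signature in separate SigAlg and Signature query parameters) and the IdP would validate the Destination and Issuer against its configured SP metadata; those steps are omitted here to keep the focus on what the request does and does not carry.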
Natasha (New Member, Forum Members)
ComponentSpace - 5/13/2019
This isn't supported by the SAML specification.
To achieve SAML SSO, the service provider must redirect to the identity provider. This is done by sending a SAML authn request either using an HTTP Redirect or HTTP Post (via the browser).
The SAML authn request may include the user's name and we support sending this but many identity providers don't support receiving the user name and will ignore it.
You cannot send the user's password for security reasons.
Login must occur at the identity provider site.
This isn't a limitation in our product but rather good security practice imposed by the SAML specification.

Thanks for the prompt reply. Answers my question. I totally agree that we should not send the password and must leverage the secure authentication provided by the IDP.
ComponentSpace Development (Administrators)
You're very welcome.

Regards
ComponentSpace Development