IdP initiated login - OpenConext/OpenConext-engineblock GitHub Wiki
Normally a login is SP-initiated: the SAML login process is started by the Service Provider (SP), which sends a SAML AuthnRequest (authentication request) to the Identity Provider (IdP). This is also how SURFconext is normally used.
IdP-initiated login, also called an unsolicited response, allows a login to an SP to be started without the SP first sending a SAML AuthnRequest: the SP receives only a SAML Response. This is typically used to let third parties (e.g. a portal or a bookmark) craft a link that logs a user in to a specific SP using a specific IdP. The SAML standard does not describe the format of such a link; it only describes the resulting SAML Response and how the SP must handle it. Note that unsolicited responses (IdP-initiated login) must be supported by the SP, and the standard makes this support optional (SHOULD), so not every SP accepts them.
Implementation
IdP-initiated login works by sending an HTTP GET request to the unsolicited-single-sign-on endpoint of engine: https://engine.demo.openconext.org/authentication/idp/unsolicited-single-sign-on
The IdP can be selected by appending the IdP hash from the transparent metadata (https://engine.demo.openconext.org/authentication/proxy/idps-metadata) to the endpoint, e.g. https://engine.demo.openconext.org/authentication/idp/unsolicited-single-sign-on/ba573f07093978e3852ddef0d2465b84
The following parameters are recognized:
| Parameter | Description |
|---|---|
| sp-entity-id | Mandatory. The EntityID of the service provider that the unsolicited SAML Response must be sent to. |
| RelayState | Optional. RelayState to send to the service provider. |
| acs-location | Optional. AssertionConsumerService Location for the SAML Response. This MUST be an ACS location registered in ServiceRegistry. |
| acs-binding | Optional, but required when acs-location is provided. The URN of the SAML binding to use. |
Example URLs
https://engine.demo.openconext.org/authentication/idp/unsolicited-single-sign-on?sp-entity-id=https://teams.surfconext.nl/shibboleth
https://engine.demo.openconext.org/authentication/idp/unsolicited-single-sign-on?sp-entity-id=https://teams.surfconext.nl/shibboleth&acs-location=https://teams.demo.openconext.org/Shibboleth.sso/SAML2/POST&acs-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
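As an added illustration (not engineblock's own code), the following Python sketch shows both sides of the link described above: a portal building the unsolicited-single-sign-on URL from the parameters in the table, and the checks engine has to apply before issuing a Response, in particular that acs-location and acs-binding form a pair registered for that SP. The registry contents are constructed sample values; the endpoint, IdP hash and example SP/ACS values are taken from this page.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

UNSOLICITED_SSO = "https://engine.demo.openconext.org/authentication/idp/unsolicited-single-sign-on"

# Constructed stand-in for the ACS (location, binding) pairs that ServiceRegistry holds per SP.
# Engine looks these up; the link builder never needs them.
REGISTERED_ACS = {
    "https://teams.surfconext.nl/shibboleth": {
        ("https://teams.demo.openconext.org/Shibboleth.sso/SAML2/POST",
         "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
    },
}


def build_unsolicited_login_url(sp_entity_id, idp_hash=None, relay_state=None,
                                acs_location=None, acs_binding=None):
    """Portal side: craft the IdP-initiated login link for one SP (and optionally one IdP)."""
    params = {"sp-entity-id": sp_entity_id}          # mandatory
    if relay_state is not None:
        params["RelayState"] = relay_state
    if acs_location is not None:
        if acs_binding is None:                       # acs-binding is required with acs-location
            raise ValueError("acs-binding is required when acs-location is given")
        params["acs-location"] = acs_location
        params["acs-binding"] = acs_binding
    endpoint = UNSOLICITED_SSO + ("/" + idp_hash if idp_hash else "")
    return endpoint + "?" + urlencode(params)        # values are percent-encoded


def validate_unsolicited_request(url, registry=REGISTERED_ACS):
    """Engine side: parse the GET and enforce the rules from the parameter table.

    Returns (sp_entity_id, acs_location, acs_binding, relay_state) that would drive the
    SAML Response, or raises ValueError. A None acs_location means: use the SP's default ACS.
    """
    q = parse_qs(urlsplit(url).query)
    sp = q.get("sp-entity-id", [None])[0]
    if sp is None:
        raise ValueError("sp-entity-id is mandatory")
    if sp not in registry:
        raise ValueError("SP is not registered in ServiceRegistry")
    acs_loc = q.get("acs-location", [None])[0]
    acs_bind = q.get("acs-binding", [None])[0]
    if acs_loc is not None:
        if acs_bind is None:
            raise ValueError("acs-binding is required when acs-location is given")
        # Never post a Response to a caller-supplied location unless it is registered for this SP.
        if (acs_loc, acs_bind) not in registry[sp]:
            raise ValueError("acs-location/acs-binding is not registered for this SP")
    return sp, acs_loc, acs_bind, q.get("RelayState", [None])[0]
```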