On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
support IdP initiated SAML SSO as well.
I have got this working in an interop test with Okta, by commenting out the
RelayState processing, and removing passing
relayState.getJwtClaims().getSubject() through to the validation process.
Any thoughts on how best to handle this scenario? Add a configuration
switch to allow the IdP initiated flow for a given IdP?
Hi Colm,
the relay state processing and validation could be optionally disabled
according to some switch passed to the Agent by the IdP itself (as a
request param, for example) and then added by the Agent into the REST
call which ends up in SAML2SPLogic.
Having a further setting for IdP conf to explicitly authorize
IdP-initiated scenarios makes sense too, to me.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
