Tags: single-sign-on, kerberos, openam, pingfederate

Pingfederate kerberos authentication is authenticating any user from any domain


I am trying to configure SAML SSO with OpenAM as SP and PingFederate as IDP with SP-Initiated SSO and using Redirect-Post binding. I am using the Kerberos adapter for implementing SSO.

I have configured the Kerberos adapter to use the "e-glue.com" domain and provided KDC details in the configuration. I have also added the "setspn" of the PingFederate server in the domain controller properly. However, when I log in to a computer with a valid "e-glue.com" user and hit the SSO URL "https://hostname.e-glue.com:1912/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=ent-026330&metaAlias=/sp", it redirects me to the IDP, SSO is successful and the user gets created in OpenAM. But if I do the same thing from another domain, which is not "e-glue.com", it still authenticates the user and the user is created in OpenAM.

This is so strange; something is missing, as a user who is not part of the e-glue domain is getting authenticated even though we configured the Kerberos adapter to use the e-glue.com KDC. I am missing something, not sure what. Please share if you have any information about what is going wrong.


Solution

  • It happened because of an inter-domain trust relationship.

    PingFederate (IDP) is configured to authenticate users via "e-glue.com" domain.

    So I logged in to my computer, which was in the domain "someother.domain". But this "someother.domain" implemented an Active Directory directory service forest and has a trust relationship between "e-glue.com" and itself. So all users logged in to the IDP are also VALID users because of the trust relationship. It took me some time to understand this.
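The practical consequence of the answer above is that a Kerberos KDC configuration alone does not restrict *which* domain's users can sign in: once a trust exists, tickets for principals from the trusted domain are accepted too. If only one domain's users should be allowed through, the IDP (or the SP on the other side of the SAML exchange) has to check the realm of the authenticated principal itself. The following is an added illustration of that check, not code from the original post nor from PingFederate or OpenAM; it assumes the standard Kerberos principal form `user@REALM`, uses the realm name from the question as the allow-list, and all sample principals are constructed.

```python
# Added example (not part of the original Q&A): enforce a realm allow-list on
# Kerberos principals after SPNEGO/Kerberos authentication has succeeded.
# Assumption: principals arrive as "user@REALM" (standard Kerberos form).
from typing import Iterable, List, Set, Tuple

# Constructed from the question: only the e-glue.com realm should be accepted.
# Kerberos realm names are conventionally upper-case, so compare case-insensitively.
ALLOWED_REALMS: Set[str] = {"E-GLUE.COM"}


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'user@REALM' into (user, REALM).

    rpartition is used so that an '@' inside the user part (as in some
    enterprise-style names) does not confuse the realm extraction.
    A principal without a realm is rejected rather than guessed at.
    """
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("principal lacks a user or realm component: %r" % principal)
    return user, realm.upper()


def is_realm_allowed(principal: str, allowed: Set[str] = ALLOWED_REALMS) -> bool:
    """True only if the principal parses and its realm is on the allow-list."""
    try:
        _, realm = split_principal(principal)
    except ValueError:
        return False  # malformed principal: fail closed
    return realm in allowed


def filter_authenticated(principals: Iterable[str],
                         allowed: Set[str] = ALLOWED_REALMS) -> Tuple[List[str], List[str]]:
    """Partition authenticated principals into (accepted, rejected).

    In a real deployment the rejected list is what you would log and alert on:
    a successful Kerberos authentication from an unexpected realm is exactly the
    symptom described in the question.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for p in principals:
        (accepted if is_realm_allowed(p, allowed) else rejected).append(p)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two e-glue.com users, one user from a trusted forest
    # domain (the case in the question), and one malformed name.
    sample = ["alice@E-GLUE.COM", "bob@e-glue.com", "carol@SOMEOTHER.DOMAIN", "dave"]
    ok, bad = filter_authenticated(sample)
    print("accepted:", ok)
    print("rejected (log and investigate):", bad)
```

The check is deliberately fail-closed: a principal that cannot be parsed is treated as not allowed, and the realm comparison is done after upper-casing so that a differently-cased realm string from the KDC does not slip past the allow-list.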