authentication, single-sign-on, saml, saml-2.0, passport-saml

SSO. How to use IdP as a Proxy?


I am implementing an SSO flow for authentication. I'm a newbie here and don't understand some parts. I tried to implement the service-provider-initiated flow, and it looks like this:

  1. The user clicks a button on my frontend app to authenticate via one federation.
  2. The user is redirected to the federation form and chooses the required IdP for authentication.
  3. After clicking the IdP button, the user is redirected to a special auth form on that IdP and enters their credentials.
  4. The user clicks Log in there and is redirected to our server with a SAMLResponse.

So, it looks good, but I have one required param for authentication that is necessary for my system but not for the IdP. It means that I somehow need to send this param to the IdP, and the IdP should return it without any changes. I tried to read a lot of info on how to do it but cannot find anything. I saw a param called RelayState that can be set to the URL of the frontend app, and after authentication on the IdP it is returned to my server unchanged.

Basically, my question is: how can I use the IdP as a proxy?


Solution

  • What you are doing is SP-initiated, and there is a good writeup here.

    "The original meaning of RelayState is that the SP can send some value to the IDP together with the AuthnRequest and then get it back. The SP can put whatever value it wants in the RelayState and the IDP should just echo it back in the response."

    Example of how to use it.

    The problem is that not all IdPs implement it, and if you redirect to another IdP from your IdP, it may not be passed.