single-sign-on, integration, saml, saml-2.0

Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?

Please let me know if I'm not providing enough info. Asking a question here because it could potentially be faster than contacting and dealing with the IdP.

We, a service provider, are integrating SAML 2.0 SSO with an IdP. We exchanged metadata files and all is apparently good and valid. Now, whenever their users click on a link that would access specific content on our platform, users are taken directly to that content without any authentication/validation of the user. As if the users were provided a direct link to that content. Server logs do not show any SSO contact using any of the SSO links. The ACS endpoint isn't being hit. After contacting them with maybe over 30 emails and almost a month later, they said the issue is that:

The problem is caused by not having Deep Linking in the redirect link.

  1. What does that mean in the context of SSO integration? Do they mean redirecting using the RelayState?
  2. Does "deep linking" prevent even hitting the SSO endpoint? There are no records of their servers ever hitting our servers.

If both metadata files are correct and valid, what could prevent the integration from happening? What could prevent the IdP's server from hitting our ACS endpoint? Am I providing enough information here for anyone to come up with potential issues or theories on the cause of the problem?

We spent way too much time trying to communicate with them to reach a solution that we're almost losing hope, but we need to integrate with them since it's a requirement in the project.

I'd appreciate any pointers.

Thank you in advance.

What we tried

Provided different versions of metadata files. Changing ACS endpoints. Thought maybe it could be a CORS problem, but that wasn't it. Contacted the IdP support but they were extremely slow and vague in replying with useful information.

We tested our system with a test SSO integration using http://mocksaml.com/ and we were able to identify and validate the response from them.

Solution

Do their users ever see a login screen?

Do they ever log in?

It sounds like your page is not protected?

What should happen is that when they try to access your page, your code should recognize that they are not authenticated and redirect them to the IDP to authenticate.

Is this SP or IDP initiated?

Does your SP ever send an AuthnRequest?
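As an added illustration of the SP-initiated flow the answer describes (this is example code, not from the question, the answer or any real IdP), the following Python gates a content URL behind authentication, builds the AuthnRequest for the HTTP-Redirect binding and carries the deep link in RelayState so the user lands on the requested content after the ACS processes the response. The IdP and SP URLs are constructed placeholders; real values come from the exchanged metadata.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints; in practice these come from the exchanged metadata.
IDP_SSO_URL = "https://idp.example.com/sso/redirect"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"


def build_authn_request(request_id: str, issue_instant: str) -> str:
    # Minimal SAML 2.0 AuthnRequest (unsigned; add a signature if the IdP requires one).
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def deflate_b64(xml: str) -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(encoded: str) -> str:
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def sp_initiated_redirect(deep_link_path: str) -> str:
    # RelayState must stay at or below 80 bytes; store longer deep links server-side and relay a key.
    if len(deep_link_path.encode()) > 80:
        raise ValueError("RelayState exceeds 80 bytes; relay an opaque lookup key instead")
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"SAMLRequest": deflate_b64(build_authn_request(request_id, issue_instant)),
              "RelayState": deep_link_path}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url: str) -> dict:
    # What the IdP side sees: inflate the request and read back the RelayState.
    q = parse_qs(urlparse(url).query)
    return {"xml": inflate_b64(q["SAMLRequest"][0]), "relay_state": q["RelayState"][0]}


def handle_request(path: str, authenticated: bool) -> tuple:
    # SP gate: serve content only to an authenticated session, otherwise start SSO.
    return (200, path) if authenticated else (302, sp_initiated_redirect(path))
```

If the IdP never receives this redirect (the ACS endpoint stays silent, as in the question), the content route is being served without this gate at all.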