fedidcg / protocol-library

protocol use case library

[Sign In] Redirect based SSO - User already signed in RP1, need to SSO in RP2 - both RP1 and RP2 trust IDP1 #12

Open timcappalli opened 3 years ago

timcappalli commented 3 years ago

Web application RP1 and RP2 offer sign in/sign up functionality for users of identity provider IDP1, using any of the following:

The user is already signed in to RP1. The user navigates to RP2, and expects to obtain an authenticated session without any interactive prompt.

User agent access to user info depends on the mechanics of the protocol of choice.

timcappalli commented 3 years ago

Old comment from @gffletch:

Do we need a use case document for each protocol? Also, seamless/silent SSO requires some mechanism for shared state. Do we need a use case for each of those mechanisms?

I'm working on a scenario for redirects where all properties are on the eTLD+1 and "logged-in flag" can be shared via a cookie on the eTLD+1.

This could also be accomplished by RP2 doing a redirect with prompt=none to IDP1 whenever the user arrives.

Additionally, I think this can be done with embedded iframes where the iframe is sourced from IDP1. I'm less familiar with this method.

Other options?
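How RP2 could combine the two redirect mechanisms described above (an eTLD+1 "logged-in flag" cookie as a hint, then an OIDC `prompt=none` redirect to IDP1 as the actual check), as an added example that is not from this thread or the fedidcg library; the endpoint, client id, redirect URI and cookie name are constructed placeholders:

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: IDP1's authorize endpoint and RP2's registration.
IDP1_AUTHORIZE = "https://idp1.example/authorize"
RP2_CLIENT_ID = "rp2-client"
RP2_REDIRECT_URI = "https://rp2.example/callback"
# Hypothetical name of the eTLD+1 "logged-in flag" cookie shared across properties.
LOGIN_FLAG_COOKIE = "idp1_logged_in"

# OIDC error codes that mean "cannot complete without UI"; RP2 falls back to an
# interactive sign-in for these instead of treating them as a hard failure.
INTERACTION_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}

def should_attempt_silent_sso(cookies: dict) -> bool:
    # The flag only avoids a pointless round trip for users with no IDP1 session.
    # It is never evidence of authentication; the session comes from IDP1's answer.
    return cookies.get(LOGIN_FLAG_COOKIE) == "1"

def build_silent_authorize_url(state: str, nonce: str) -> str:
    # prompt=none tells IDP1 to answer without any UI, or return an error.
    params = {"response_type": "code", "client_id": RP2_CLIENT_ID,
              "redirect_uri": RP2_REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce, "prompt": "none"}
    return f"{IDP1_AUTHORIZE}?{urlencode(params)}"

def on_user_arrival(cookies: dict) -> dict:
    # Called when the user first lands on RP2; state/nonce must be stored server-side
    # (or in an RP2 cookie) so handle_callback can verify them.
    if not should_attempt_silent_sso(cookies):
        return {"action": "interactive"}
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    return {"action": "redirect", "state": state, "nonce": nonce,
            "url": build_silent_authorize_url(state, nonce)}

def handle_callback(callback_url: str, expected_state: str) -> dict:
    # IDP1 echoes state on both success and error responses; check it first so a
    # forged or replayed callback cannot steer RP2 into either branch.
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        return {"outcome": "reject", "reason": "state mismatch"}
    err = q.get("error")
    if err in INTERACTION_ERRORS:
        return {"outcome": "interactive", "reason": err}
    if err or "code" not in q:
        return {"outcome": "reject", "reason": err or "no code"}
    # The code is then exchanged at IDP1's token endpoint and the ID token's
    # nonce checked against the stored value (not shown here).
    return {"outcome": "silent", "code": q["code"]}
```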

LGraber commented 2 years ago

We should create a separate issue to track the case where RP2 is embedded in RP1. I will open