Open hauntingEcho opened 4 years ago
@hauntingEcho There are a few things that need to be clarified about this requirement. The `fidp` parameter is used to directly redirect the end-user to the IdP, rather than showing the multi-option page. Do you have multiple IdPs configured for your SP? `fidp` value? Can you please clarify your requirements further?
We are using wso2is as an identity bus - our SaaS receives mapped local subject identifiers from WSO2IS, which in turn handles users from multiple identity providers.
For clarity, I was referring to the 'issuer' present in the SAML2 message received from the IdP, which is the IdP's issuer name. Any SP's issuer name is unrelated. The currently-possible SP-initiated flow which I had mentioned was between WSO2IS (as the SP) and the configured Identity Provider, which requires the fidp parameter in order to select the right identity provider rather than just accepting a posted saml2 assertion and determining who sent it by its contents.
An example for further clarity:

Currently, for IdP-initiated login, 'secondary' must be given the ACS `https://localhost:9443?fidp=secondary&spEntityID=SP` and 'otherIdp' must be given `https://localhost:9443?fidp=otherIdp&spEntityID=SP` in order to skip making the user choose the right IdP. This means that a different metadata file would need to be manually created for each IdP to be configured.

However, in the IdP-initiated SAML flow, otherIdp is already posting a SAML2 message with `<issuer>otherIdp</issuer>` and secondary is already posting a SAML2 message with `<issuer>secondary</issuer>`. By using this field, the `fidp` parameter becomes unnecessary and configuration becomes more reusable. The X509Certificate field can also be used for differentiation in messages with signed elements.
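A sketch of the Issuer-based IdP selection described above, as an added example in Python; it is not part of this issue or of WSO2 IS, and the entity IDs and the `CONFIGURED_IDPS` mapping are constructed for the demo. It also carries the check that matters once `fidp` is dropped: the resolved IdP only decides which certificate the signature is verified against, and an unknown issuer or a mismatch between the Response and Assertion issuers is rejected before that.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-in for the IdP configuration: issuer entityID -> IdP name (names from the thread, IDs made up).
CONFIGURED_IDPS = {"https://idp.example.org/secondary": "secondary",
                   "https://idp.example.org/other": "otherIdp"}

def resolve_fidp(saml_response_b64: str) -> str:
    """Map a posted SAMLResponse to a configured IdP name by its <Issuer>, else raise ValueError.

    The result only selects WHICH IdP certificate to verify the signature against; until that
    check succeeds, <Issuer> is attacker-controlled text, not proof of origin."""
    xml_bytes = base64.b64decode(saml_response_b64, validate=True)  # ValueError on bad base64
    # NOTE: for untrusted XML in production, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML2 Response")
    resp_issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if not resp_issuer:
        raise ValueError("Response carries no Issuer")
    # Every assertion must name the same issuer as the response; otherwise a response
    # from IdP A could carry an assertion claiming to be from IdP B.
    for assertion in root.findall("saml:Assertion", NS):
        if (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip() != resp_issuer:
            raise ValueError("Assertion issuer differs from Response issuer")
    if resp_issuer not in CONFIGURED_IDPS:
        raise ValueError("unknown issuer %r" % resp_issuer)
    return CONFIGURED_IDPS[resp_issuer]

def is_rejected(saml_response_b64: str) -> bool:
    """True if resolve_fidp refuses the message (exercises the failure paths)."""
    try:
        resolve_fidp(saml_response_b64)
    except (ValueError, ET.ParseError):
        return True
    return False

def make_response(issuer: str, assertion_issuer: str = "") -> str:
    """Build a minimal, unsigned, constructed SAMLResponse for demonstration only."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
           "<saml:Issuer>%s</saml:Issuer>"
           '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer></saml:Assertion>'
           "</samlp:Response>") % (NS["samlp"], NS["saml"], issuer, assertion_issuer or issuer)
    return base64.b64encode(xml.encode()).decode()
```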
@hauntingEcho Thanks for the detailed clarification. Yes, for the federated IdP-initiated SSO case, the `fidp` parameter is redundant.
Currently, IdP-initiated SAML2 is not supported for configured IdPs. However, there is an ability to trigger the SP-initiated flow against IdP `x` by hitting `/samlsso?fidp=x`. Enabling the `/commonauth` endpoint to determine the correct fidp from the Issuer present in the SAML2 message would: