
Friday, 10 January 2025

SSO login flow third-party initiator in SAML and OIDC

SSO login can be triggered in more than one way. Most often the flow starts implicitly: an end user requests a protected URL, the SP/RP finds no session and redirects the browser to its single, preconfigured identity provider.

Sometimes a third party has to start the flow explicitly, e.g. the website shows a list of identity providers and lets the end user pick one before login. The chosen link sends the browser to a dedicated endpoint on the SP/RP, which then starts SSO with that provider.

A third-party login initiator UI for SAML.



A third-party login initiator UI for OIDC SSO.



Both SAML and OIDC support this.

1 OIDC

1.1 Spec

The third-party-initiated login flow is part of the OpenID Connect Core spec (section "Initiating Login from a Third Party"). The RP advertises the endpoint in its client metadata as "initiate_login_uri" (the metadata parameter itself is defined in OpenID Connect Dynamic Client Registration). The third party sends the browser to that URL with the query parameters iss (required: the issuer identifier of the OP to log in with), login_hint (optional) and target_link_uri (optional: where the RP should send the user after login). The spec requires the RP to honour only iss values it has a configured OP for, and to validate target_link_uri against an allowlist; otherwise the endpoint becomes an open redirector.

1.2 Examples

The RP implementation mod_auth_openidc uses the same URL for "initiate_login_uri" and "redirect_uri". Sharing one URL is a reasonable choice but not required: "redirect_uri" is where the identity provider sends the authentication result back, while "initiate_login_uri" is where a third party redirects the browser to trigger the login flow. The two kinds of request are told apart by their parameters (iss for an initiation request, code/state for an authentication response).

An example third-party login page may look like the one below (note that target_link_uri is URL-encoded, and that each iss value must match an OP the RP has configured).

<html>
<body>
    <!-- iss selects the OP; target_link_uri (URL-encoded) is where the RP sends the user after login -->
    <p><a
            href="https://xxx/protected/redirect_uri?iss=accounts.google.com&amp;target_link_uri=https%3A%2F%2Flocalhost%2Fprotected%2Findex.html">
            Google</a></p>
    <p><a
            href="https://xxx/protected/redirect_uri?iss=seed.gluu.org&amp;target_link_uri=https%3A%2F%2Flocalhost%2Fprotected%2Findex.html">
            Gluu</a></p>
</body>
</html>

2 SAML

2.1 Spec

SAML 2.0 itself did not define such an endpoint; it was added later as a separate OASIS profile, the Service Provider Request Initiation Protocol and Profile. In SP metadata the endpoint is advertised as a RequestInitiator element (in its own namespace, urn:oasis:names:tc:SAML:profiles:SSO:request-init). The third party redirects the browser to that endpoint with the query parameters entityID (which IdP to use) and, optionally, target (where to send the user after login). As on the OIDC side, the SP must restrict entityID to IdPs in its metadata and target to its own allowlist, or the endpoint becomes an open redirector.

2.2 Examples

The Shibboleth SP advertises its RequestInitiator at "https://xxx/Shibboleth.sso/Login" (its Login session-initiator handler). Which target values that handler is willing to redirect to afterwards is governed by the redirectLimit setting on the <Sessions> element of shibboleth2.xml.

An example third-party login page may look like the one below (entityID is URL-encoded; a target parameter can be appended in the same way).

<html>
<body>
    <!-- entityID (URL-encoded) selects the IdP; an optional target parameter names the page to return to -->
    <p><a
            href="https://xxx/Shibboleth.sso/Login?entityID=https%3A%2F%2Fidp1">
            Login via IdP1</a></p>
    <p><a
            href="https://xxx/Shibboleth.sso/Login?entityID=https%3A%2F%2Fidp2">
            Login via IdP2</a></p>
</body>
</html>
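The two HTML pages above (sections 1.2 and 2.2) only show the calling side. The checks that matter for security live on the receiving side, in the RP's initiate_login_uri and the SP's RequestInitiator handlers, and both protocols need the same one: the post-login destination (target_link_uri / target) must be allowlisted or the endpoint is an open redirector. The following is an added example, not code from mod_auth_openidc or the Shibboleth SP, that implements both handlers in one small Python module. It goes a little beyond the page: the OIDC handler builds the full authorization request (state, nonce, pass-through login_hint), and the SAML handler builds an unsigned AuthnRequest and encodes it for the HTTP-Redirect binding with the target carried as RelayState. The provider tables, APP_ORIGIN, REDIRECT_URI, SP_ENTITY_ID and SP_ACS are constructed values; a real deployment loads them from metadata, and a real SP signs the request or uses the POST binding as its metadata dictates.

```python
"""Receiving side of a third-party initiated login, OIDC and SAML variants.
Added example, not code from mod_auth_openidc or the Shibboleth SP.  The
configuration values below are constructed/hypothetical; the handlers take the
request's query string as a dict and return the URL to redirect the browser to."""
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed configuration; a real deployment loads this from provider/IdP metadata.
OIDC_PROVIDERS = {  # key = issuer identifier: the only iss values we will honour
    "https://accounts.google.com": {
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "client_id": "example-client-id"}}
SAML_IDPS = {  # key = IdP entityID, value = its HTTP-Redirect SSO endpoint
    "https://idp1.example.org/idp/shibboleth":
        "https://idp1.example.org/idp/profile/SAML2/Redirect/SSO"}
APP_ORIGIN = "https://localhost"
DEFAULT_TARGET = APP_ORIGIN + "/"
REDIRECT_URI = APP_ORIGIN + "/protected/redirect_uri"     # OIDC redirect_uri
SP_ENTITY_ID = APP_ORIGIN + "/shibboleth"                  # SAML SP entityID
SP_ACS = APP_ORIGIN + "/Shibboleth.sso/SAML2/POST"         # SAML assertion consumer


def target_is_allowed(target):
    """Allowlist for target_link_uri / target: an absolute URL on our own origin.
    Relative URLs, other schemes and userinfo tricks (https://localhost@evil) fail."""
    u, ours = urllib.parse.urlsplit(target), urllib.parse.urlsplit(APP_ORIGIN)
    return u.scheme == ours.scheme and u.netloc.lower() == ours.netloc.lower()


def validate_target(target):
    """Post-login destination: the default if absent, else only if allowlisted."""
    if not target:
        return DEFAULT_TARGET
    if not target_is_allowed(target):
        raise ValueError("target not on allowlist (open redirect attempt?)")
    return target


def query_params(url):
    """Flatten a URL's query string into a dict (used by the SAML decoder below)."""
    return {k: v[0] for k, v in
            urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def oidc_initiate_login(params, session):
    """initiate_login_uri handler: check iss and target_link_uri, then build the
    authorization request.  The target is stored under the state value so the
    redirect_uri handler can send the user there once the login succeeds."""
    iss = params.get("iss")
    if iss not in OIDC_PROVIDERS:
        raise ValueError("iss is not a configured OP")
    target = validate_target(params.get("target_link_uri"))
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    session[state] = {"iss": iss, "nonce": nonce, "target": target}
    query = {"response_type": "code", "scope": "openid", "state": state, "nonce": nonce,
             "client_id": OIDC_PROVIDERS[iss]["client_id"], "redirect_uri": REDIRECT_URI}
    if params.get("login_hint"):           # optional hint, passed through to the OP
        query["login_hint"] = params["login_hint"]
    return OIDC_PROVIDERS[iss]["authorization_endpoint"] + "?" + urllib.parse.urlencode(query)


def saml_request_initiator(params):
    """RequestInitiator handler: check entityID and target, then return an
    HTTP-Redirect binding URL carrying a minimal (unsigned) AuthnRequest with the
    target as RelayState, plus the request ID to keep for InResponseTo checking."""
    entity_id = params.get("entityID")
    if entity_id not in SAML_IDPS:
        raise ValueError("entityID is not in the SP's metadata")
    target = validate_target(params.get("target"))
    sso_url = SAML_IDPS[entity_id]
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    attr = lambda s: escape(s, {'"': "&quot;"})   # values land in XML attributes
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{attr(sso_url)}" AssertionConsumerServiceURL="{attr(SP_ACS)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": target}
    return sso_url + "?" + urllib.parse.urlencode(query), request_id


def decode_saml_request(url):
    """What the IdP does on receipt: the inverse of the redirect encoding."""
    q = query_params(url)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"]), -15).decode()
    return xml, q.get("RelayState")
```

Both handlers refuse unknown providers before doing anything else, so a third party cannot point the SP/RP at an IdP/OP it has no trust relationship with, and both route the destination through the same origin check, which is what keeps initiate_login_uri and RequestInitiator from being abused as open redirectors. The OIDC handler keeps the target server-side under the state value rather than round-tripping it through the OP; the SAML handler uses RelayState for it, which is fine only because the value was validated before being stored.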

