
SAML redirection

We have a situation in SAML. We are the service provider and it is SP-initiated. We have 2 websites - a landing SP website and an actual SP website. The landing SP website just has a landing page, which will have a link to the actual SP website. The requirement is to have both the landing SP website and the actual SP website work with one IDP website (in the most natural way one can expect). So the following requirements should be fulfilled.

  1. If the user initiates a request for the landing SP website and, let's say, the user was authenticated already, then the user token should be validated when the user clicks on the link in the landing SP website to the actual SP site. We can do custom coding for this but wanted to limit it to the SAML protocol setup. Please let me know how it can be done in a SAML setup. What configuration can be done at the IDP and the actual SP website to achieve this?

  2. If the user comes to the actual SP website via the landing SP website link, after being authenticated at the IDP, and he bookmarks the URL of the actual SP website: after signing out (session timeout) and then signing in again at the IDP, how will the IDP send the user directly to the actual SP website (when only the landing SP website can be mentioned as the SP in the IDP)? Is there any way to tell the IDP about this second SP URL (actual SP website)? I saw AssertionConsumerURL and Audience in the metadata as the closest match to deal with this problem, but I see a problem with both. AssertionConsumerURL supports only one URL, and Audience requires a condition; how would you compose a condition for this case?

I run a federated system of 20,000+ SAML IDPs and a number of related websites, as well as working with various identity management standards committees.

My answer is assuming you are working in a federated environment where you will be providing the SAML metadata for your system to another party that runs an IDP.

To communicate to IDPs that you have multiple endpoints as the same entity, you will want to include both AssertionConsumerService URLs in your entity's SAML metadata. See SAML 2.0 - Multiple AssertionConsumerService in SP and line 748 http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf .

Audience is a slightly different thing to check. To implement SAML secure from various attacks, the IDP will use the audience to communicate the parties to which the user is being authenticated. See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf §4.1.4.2 and §4.1.4.3 for the use of the audience value. https://fusionsecurity.blogspot.com/2011/08/5-minutes-or-less-on-saml-audiences.html seems a reasonable gloss.

SP-initiated means the user begins the flow at the SP. I'm going to give some examples because I'm not certain your requirement of a second landing page is entirely necessary.

Assume an application at https://example.com/ . The landing page at https://example.com/ does not require any authentication and has a "login" link. There are pages at, say, https://example.com/catalog/[ID] , which can be viewed by unauthenticated users AND authenticated users (also with "login" button when not authenticated). Finally there are pages at https://example.com/profile/[ID] that can only be accessed by authenticated users.

For authentication, define one acs https://example.com/acs.html .

I'll add here that we expect a customer to have multiple IDPs -- educational institutions and hospitals and federal agencies often support users from different sources. We have a "WAYF" or "Where are you from?" page that allows a user to select an IDP if the customer has multiple IDPs.

The "ideal" flow starts with a user at the landing page, moving to a catalog page, eventually logging in, and then visiting a profile. However, they may bookmark a profile.

When the user follows that bookmark to a page that requires authentication, the code initiates a SAML request to the IDP (going through the WAYF if needed) and saves state so that when the user is returned to the ACS with a successful authentication, they can be returned to the profile page.

This is discussed at §4.1.5 Usability, https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management .

I think this addresses your questions although my example considers the landing page part of the same website. I'm a little unclear as to your separate website requirement.
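An added example, not part of the answer above, of the two pieces it points at: SP metadata that advertises more than one AssertionConsumerService for a single entity, and the SP-side check that an inbound assertion's Recipient and Audience actually name this SP. The entityID, ACS URLs and assertion fragment are constructed for the example; signature and validity-window checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed values: one SP entity with two ACS endpoints (landing and actual site).
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URLS = ["https://landing.example.com/acs", "https://app.example.com/acs"]

def build_sp_metadata(entity_id, acs_urls):
    """SPSSODescriptor with one AssertionConsumerService per URL. Each carries an
    index; index 0 is flagged isDefault so an IDP uses it when the AuthnRequest
    names no AssertionConsumerServiceIndex or AssertionConsumerServiceURL."""
    ET.register_namespace("md", NS_MD)
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{NS_MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for i, url in enumerate(acs_urls):
        attrs = {"Binding": POST_BINDING, "Location": url, "index": str(i)}
        if i == 0:
            attrs["isDefault"] = "true"
        ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", attrs)
    return ET.tostring(ed, encoding="unicode")

def check_assertion(assertion_xml, entity_id, acs_urls):
    """Is this assertion addressed to us? Recipient must be one of our ACS URLs and
    an Audience must equal our entityID; signature and validity-window checks are
    assumed to happen elsewhere."""
    root = ET.fromstring(assertion_xml)
    scd = root.find(f".//{{{NS_SAML}}}SubjectConfirmationData")
    recipient = scd.get("Recipient") if scd is not None else None
    audiences = [a.text for a in root.iter(f"{{{NS_SAML}}}Audience")]
    return {"recipient_ok": recipient in acs_urls, "audience_ok": entity_id in audiences}

# Constructed assertion fragment as an IDP might post it to the actual SP site's ACS.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS_SAML}" ID="_a1" Version="2.0">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://app.example.com/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(build_sp_metadata(SP_ENTITY_ID, ACS_URLS))
    print(check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, ACS_URLS))
```

Because both ACS URLs sit under one entityID, a single Audience value covers the landing and actual sites, which is why the answer treats Audience and AssertionConsumerService as separate concerns.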
