By Mark Lai (user), 17 Sep 2020 at 10:26 p.m. CDT

2 Responses
Dear Support, this is Mark and I am a new Gluu user. I am exploring an SSO solution that fits my project, and I am not quite sure whether Gluu can help me with it. Let me describe my project requirement. In this project we need to migrate an existing SAML SSO project to my site, and the SSO login uses the IDP-initiated SAML SSO approach. The user logs in at a third-party IDP; after a successful login, the IDP posts a SAML request to an SSO handler. The SSO handler receives the SAML and forwards the user to the SP (my site), passing the attributes from the IDP's SAML on to the SP (my site). I would like to know whether Gluu supports this and can provide any example or workflow for the above requirement? Thank you so much!

By Mohib Zico (Account Admin), 18 Sep 2020 at 1:07 a.m. CDT

Hello Mark, yes, that's supported, obviously. There are basically two scenarios you might consider:

- SP-initiated SAML SSO: the user goes to your site --> hits "Login" there --> they come to the Gluu Server for authentication --> after successful authentication they go back to your site as a 'logged in' user. This is simple [SAML SSO](https://www.gluu.org/docs/gluu-server/4.2/admin-guide/saml/).
- IDP-initiated SAML SSO: here you need to understand what exactly you can do with the Gluu Server. A real "IDP-initiated" flow is itself complex and needs intense assistance during configuration and troubleshooting. If the flow is simple, like: SP --> Proxy Server (i.e. Gluu) --> some other foreign IDP (or social login) --> Proxy Server (Gluu) --> SP, then the [SAML Passport configuration](https://www.gluu.org/docs/gluu-server/4.2/authn-guide/inbound-saml-passport/) is more than enough. If the flow 'really' requires an IDP-initiated SAML flow with a foreign IDP, then you also need to use Passport in the Gluu Server, but the configuration is a little [different](https://www.gluu.org/docs/gluu-server/4.2/authn-guide/inbound-saml-passport/#idp-initiated-inbound-flow).

To make things a little more 'visual' for everyone, we prepared a simple POC which is still WIP and not published officially, but I believe you can take a look at it: https://gist.github.com/mzico/91c016930a87d1fa3e18bc4428687978
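The two flows described in the answer above differ, at the SP, mainly in how an incoming SAML Response is accepted. The following is an added example, not code from this thread, from Gluu or from Shibboleth, showing the checks an SP applies to a Response and where an IdP-initiated (unsolicited, no `InResponseTo`) Response is treated differently from an SP-initiated one. It assumes the XML signature has already been verified against the IdP's metadata certificate by the SAML library; the entity IDs, ACS URL, IdP list and the sample Response are constructed for the example and are not real endpoints.

```python
"""Added example: SP-side acceptance checks for SP-initiated vs IdP-initiated
SAML 2.0 Responses.  Assumes XML-DSig verification happened already."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP settings (assumed values for this example only).
SP_ENTITY_ID = "https://sp.example.com/shibboleth"
SP_ACS_URL = "https://sp.example.com/Shibboleth.sso/SAML2/POST"
TRUSTED_IDPS = {"https://idp.example.org/idp/shibboleth"}
CLOCK_SKEW = timedelta(minutes=3)
SAMPLE_NOW = datetime(2020, 9, 23, 3, 41, tzinfo=timezone.utc)  # constructed "now"


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2020-09-23T03:40:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, pending_request_ids, seen_assertion_ids,
                      allow_idp_initiated):
    """Return (True, NameID) on success or (False, reason) on rejection.
    pending_request_ids: AuthnRequest IDs this SP issued and has not consumed.
    seen_assertion_ids: assertion IDs already accepted (replay protection).
    Both sets are updated on success."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    # 1. Destination must be this SP's ACS URL, otherwise a Response issued
    #    for another SP could be replayed here.
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination mismatch"
    # 2. Only IdPs whose metadata (and signing cert) we hold are acceptable.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        return False, f"untrusted issuer {issuer!r}"
    # 3. InResponseTo decides the flow: SP-initiated must match an outstanding
    #    AuthnRequest; an unsolicited Response is IdP-initiated and is only
    #    accepted when that flow is explicitly enabled.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            return False, "unsolicited Response but IdP-initiated SSO is disabled"
    elif in_response_to not in pending_request_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    # 4. Replay protection: each assertion ID is accepted exactly once.
    aid = assertion.get("ID")
    if aid in seen_assertion_ids:
        return False, "assertion replayed"
    # 5. Validity window, with a small clock-skew allowance.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    if now + CLOCK_SKEW < _parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= _parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    # 6. Audience must name this SP's entityID.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    # 7. Bearer SubjectConfirmationData repeats Recipient / InResponseTo / expiry.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        return False, "SubjectConfirmationData Recipient mismatch"
    if scd.get("InResponseTo") != in_response_to:
        return False, "SubjectConfirmationData InResponseTo mismatch"
    if now - CLOCK_SKEW >= _parse_time(scd.get("NotOnOrAfter")):
        return False, "SubjectConfirmation expired"
    pending_request_ids.discard(in_response_to)
    seen_assertion_ids.add(aid)
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(in_response_to=None, assertion_id="_a1"):
    """Constructed, unsigned sample Response for demonstration; not IdP output."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2020-09-23T03:40:00Z" Destination="{SP_ACS_URL}"{irt}>
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2020-09-23T03:40:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>mark@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"{irt} NotOnOrAfter="2020-09-23T03:45:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2020-09-23T03:39:00Z" NotOnOrAfter="2020-09-23T03:45:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    seen = set()
    print(validate_response(sample_response(), SAMPLE_NOW, set(), seen, True))   # unsolicited, accepted
    print(validate_response(sample_response(), SAMPLE_NOW, set(), seen, True))   # same assertion, replay
    print(validate_response(sample_response("_req1"), SAMPLE_NOW, {"_req1"}, set(), False))
```

The point for an IdP-initiated deployment is step 3: with no `InResponseTo` the SP has no request of its own to bind the Response to, so the remaining protection is trust in the issuer, the Destination/Audience/Recipient binding, the short validity window, and the one-time assertion ID cache; an SP that enables the unsolicited path without the replay cache will accept a captured Response as many times as it is replayed inside the window.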

By Mark Lai (user), 23 Sep 2020 at 3:40 a.m. CDT

Thanks for the reply. :) For my project, I need to set up an SSO environment for the "IDP-initiated SAML" flow. I tried to follow your example and set up (1) Gluu 4.0 as the IDP, (2) a Shibboleth SP on Windows IIS 8, and (3) an external IDP which is only a web page that will post SAML to Gluu 4.0 for redirection to the SP after the user signs in successfully. I have some questions below I would like your help with:

(1) After setting up the trust relationship between Gluu 4.0 and the Shibboleth SP on IIS 8, I tried to access the SP "secure" page. It was directed to the Gluu IDP login page instead of directly to the third-party web page. In the Gluu IDP, I set up Passport with "entryPoint" set to "my own web page". May I know whether it is possible to direct the user to the third-party web page instead of to the third-party IDP? If yes, is there any example of that?

(2) For IDP-initiated SAML, after the user logs in successfully on the third-party web page, do I only post the SAML to Passport's callback URL, or is that incorrect? I would be grateful for any example you could help with. Thank you so much!