Question
We currently have our identity server set up with Sustainsys/Saml2 extensions to allow third-party clients to log in to our product via SSO, where the request is initiated by the client hitting our login page to start the request.
We now have a customer who wants to put a link into their own software to start the process, creating an IdP-initiated request.
My question is how do I go about implementing this using identity server and the Saml2AuthExtensions. I've had a look and I can't see anything extra that might allow this through. Does it just work out of the box, or do I need to set up something else?
Cheers
Answer 1:
The SAML2 standard supports "Idp initiated sign on", which can be enabled in the Sustainsys.Saml2 library with the AllowUnsolicitedAuthnResponse flag on the Idp. It is however a bad idea, because the idp initiated flow is by design vulnerable to session pinning attacks. I have seen people make IdentityServer work with idp initiated sign on, but it's awkward, because IdentityServer is not built to support it.
It's much better to use the OIDC way. Have the customer put a link directly to the client application (I assume that the end goal is a client to IdentityServer, using OIDC). Then create an endpoint on the client that initiates an OIDC sign on to IdSrv, with an amr value indicating to IdSrv that Saml2 should be used for authentication. That can give a solution where the user clicks a link, goes to the client, is redirected to IdSrv, is redirected to the Saml2 Idp where they are automatically signed in (using e.g. Windows Auth or an existing session). Then they are automatically redirected back to IdSrv which redirects back to the target application.
From the users' perspective they have a link that will automatically log them in to the application.
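The flow the answer recommends, as an added example that is not part of the original post or of the Sustainsys/IdentityServer projects. It assumes ASP.NET Core with IdentityServer4 and Sustainsys.Saml2.AspNetCore2; the hostnames, client id and scheme names are placeholders. The hint that tells IdentityServer which external provider to use is carried in the `acr_values` parameter with IdentityServer's `idp:<scheme>` convention, and unsolicited (IdP-initiated) responses are left explicitly disabled on the SAML2 IdP.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Metadata;

// --- IdentityServer host: register the SAML2 IdP as an external scheme ---
public static class Saml2Registration
{
    public static void AddSaml2Idp(IServiceCollection services)
    {
        services.AddAuthentication().AddSaml2("Saml2", options =>
        {
            options.SPOptions.EntityId = new EntityId("https://idsrv.example.test/Saml2"); // placeholder
            options.IdentityProviders.Add(new IdentityProvider(
                new EntityId("https://idp.example.test/metadata"), options.SPOptions)   // placeholder
            {
                MetadataLocation = "https://idp.example.test/metadata",
                LoadMetadata = true,
                // Keep IdP-initiated (unsolicited) responses rejected: the SP only
                // accepts responses to AuthnRequests it issued itself.
                AllowUnsolicitedAuthnResponse = false
            });
        });
    }
}

// --- Client application: forward the acr_values hint onto the OIDC request ---
public static class OidcRegistration
{
    public static void ConfigureHomeRealmHint(
        Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions options)
    {
        options.Events.OnRedirectToIdentityProvider = ctx =>
        {
            if (ctx.Properties.Items.TryGetValue("acr_values", out var acr))
                ctx.ProtocolMessage.AcrValues = acr;   // e.g. "idp:Saml2"
            return Task.CompletedTask;
        };
    }
}

// --- Client application: the endpoint the customer links to ---
public class SsoController : Controller
{
    [HttpGet("/sso/start")]
    public IActionResult Start(string returnUrl = "/")
    {
        // Only honour local return URLs so the link cannot be abused as an open redirector.
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        var props = new AuthenticationProperties { RedirectUri = target };
        props.Items["acr_values"] = "idp:Saml2";     // tell IdentityServer to use the SAML2 scheme
        return Challenge(props, "oidc");             // SP-initiated OIDC sign-in to IdentityServer
    }
}
```

Wire `OidcRegistration.ConfigureHomeRealmHint` into the client's `AddOpenIdConnect("oidc", ...)` options; IdentityServer reads the `idp:` hint and challenges the `Saml2` scheme, so every SAML2 exchange is SP-initiated and the unsolicited-response path stays closed.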
Source: https://stackoverflow.com/questions/57521457/identity-server-saml2authextensions-idp-initiated-sso