syncope-dev mailing list archives

From Francesco Chicchiriccò <>
Subject Re: IdP initiated SAML SSO
Date Thu, 17 Aug 2017 13:15:45 GMT
On 15/08/2017 18:38, Colm O hEigeartaigh wrote:
> Currently, Syncope only supports RP-initiated SAML SSO. It would be nice to
> support IdP initiated SAML SSO as well.
> I have got this working in an interop test with Okta, by commenting out the
> RelayState processing, and removing passing
> relayState.getJwtClaims().getSubject() through to the validation process.
> Any thoughts on how best to handle this scenario? Add a configuration
> switch to allow the IdP initiated flow for a given IdP?

Hi Colm,
the relay state processing and validation could be optionally disabled 
according to some switch passed to the Agent by the IdP itself (as a 
request param, for example) and then added by the Agent into the REST 
call which ends up in SAML2SPLogic.

Having a further setting for IdP conf to explicitly authorize 
IdP-initiated scenarios makes sense too, to me.


Francesco Chicchiriccò

Tirasa - Open Source Excellence

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
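As an added illustration of the two switches discussed in this thread (this is example code, not Syncope's own; the class, field and parameter names are hypothetical), the gating a SAML SP could apply before assertion validation: RelayState processing is skipped only when the Agent forwarded the IdP-initiated flag, and an unsolicited response, one without InResponseTo, is accepted only when that IdP's configuration explicitly authorizes the IdP-initiated flow.

```java
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;

/** Hypothetical per-IdP setting; not Syncope's real configuration model. */
final class IdPConfig {
    final String entityId;
    final boolean idpInitiatedAllowed;

    IdPConfig(String entityId, boolean idpInitiatedAllowed) {
        this.entityId = entityId;
        this.idpInitiatedAllowed = idpInitiatedAllowed;
    }
}

/** Minimal view of a received SAML Response, constructed for this example. */
final class SamlResponse {
    final String issuer;
    final Optional<String> inResponseTo; // absent on an unsolicited (IdP-initiated) response
    final Optional<String> relayState;

    SamlResponse(String issuer, String inResponseTo, String relayState) {
        this.issuer = issuer;
        this.inResponseTo = Optional.ofNullable(inResponseTo);
        this.relayState = Optional.ofNullable(relayState);
    }
}

final class AssertionConsumer {
    /**
     * Decide whether a response may proceed to signature and assertion validation.
     * idpInitiatedFlag models the request parameter the Agent forwards in the REST call;
     * relayStateValidator models the existing RelayState (JWT subject) check.
     */
    static boolean accept(IdPConfig idp, SamlResponse resp, boolean idpInitiatedFlag,
                          Predicate<String> relayStateValidator) {
        if (!Objects.equals(idp.entityId, resp.issuer)) {
            return false; // issuer must be the configured IdP
        }
        if (!idpInitiatedFlag) {
            // SP-initiated: the response must answer a request we sent, and RelayState
            // is mandatory and must validate.
            return resp.inResponseTo.isPresent()
                && resp.relayState.map(relayStateValidator::test).orElse(false);
        }
        // IdP-initiated: only for an explicitly authorized IdP, and only for a response
        // that is genuinely unsolicited (a flagged response carrying InResponseTo is rejected).
        return idp.idpInitiatedAllowed && resp.inResponseTo.isEmpty();
    }
}
```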
