
I'm building SP initiated single sign-on, and I wondered what the best practice was for determining which identity provider to redirect a user to.

Here are the options I've come up with:

  • /SSO/Logon/Acme, where Acme is a name of a known IdP.

    We know the endpoint URL for this provider, and redirect the user. The downside is that an anonymous user can detect which IdPs we support by guessing names and checking for a redirect.

  • /SSO/Logon/1, where 1 is the id of an identity provider.

    Same problem.

  • /SSO/Logon?endpointUrl=http://idp.acme.com

    We blindly redirect an AuthnRequest to any endpoint, and unauthorized endpoints will be rejected when they respond.

  • /SSO/Logon/ABCDEFG where ABCDEFG is a cryptographically secure random string

    We look up the endpoint URL associated with this key, and know where to redirect. Similar to the first two options, but not guessable.

This must be a solved problem. What's the best way to handle this?

John Gibb
  • Using a name like Acme is better than using a number like 1 from the user's point of view. Why are you concerned about someone detecting the list of identity providers? For example, Azure ACS by default shows all allowed providers and it is not a problem; don't use http://en.wikipedia.org/wiki/Security_through_obscurity, just create a well-secured identity provider. – Danila Polevshchikov Jul 18 '13 at 13:50
  • It's a privacy concern, not a security concern. It's an enterprise site that will have clients with their own IdPs; we don't want someone to detect our clients by guessing URLs. – John Gibb Jul 18 '13 at 15:13
  • I'm not aware of any best practice for this situation, but your third option looks good to the user and will not give away your clients, so I'd go with that one. – 79E09796 Jul 19 '13 at 13:03
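The fourth option from the question, worked through as an added example (this is not code from the original post or from any of the commenters): each tenant's IdP is stored behind an opaque key generated with `secrets.token_urlsafe`, the logon route looks the key up, and an unknown key gets exactly the same 404 as any other missing route, so probing names or integer ids reveals nothing about which clients exist. The redirect itself is built per the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and a decode helper reverses it so the round trip can be checked. The entity id, ACS URL and IdP endpoints are constructed placeholder values. Note that the third option from the question, redirecting to whatever `endpointUrl` the caller supplies, is an open redirect; the registry below never takes a target URL from the request.

```python
import base64
import secrets
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
from html import escape
from typing import Dict, Optional

# Constructed placeholder values for the SP (not from the original post).
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/SSO/ACS"

# Registry of known IdPs keyed by an opaque, unguessable logon key.
# A real SP keeps this in a database; a dict is enough to show the lookup.
_IDP_BY_KEY: Dict[str, str] = {}

# The response every unknown key receives: identical to a missing route.
NOT_FOUND = {"status": 404, "body": "Not Found"}


def register_idp(sso_endpoint: str) -> str:
    """Store an IdP's SSO endpoint and return the key that selects it.

    secrets.token_urlsafe(32) yields 256 bits of entropy, so the key
    cannot be found by guessing tenant names or counting integer ids.
    """
    key = secrets.token_urlsafe(32)
    _IDP_BY_KEY[key] = sso_endpoint
    return key


def build_authn_request(idp_endpoint: str) -> str:
    """Minimal SAML 2.0 AuthnRequest addressed to the chosen IdP."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(idp_endpoint, quote=True)}" '
        f'AssertionConsumerServiceURL="{escape(SP_ACS_URL, quote=True)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(idp_endpoint: str, authn_request: str,
                         relay_state: Optional[str] = None) -> str:
    """Encode the request per the HTTP-Redirect binding.

    The binding requires raw DEFLATE (no zlib header or checksum),
    then base64, then URL-encoding as the SAMLRequest query parameter.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    deflated = compressor.compress(authn_request.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urllib.parse.urlsplit(idp_endpoint).query else "?"
    return idp_endpoint + sep + urllib.parse.urlencode(params)


def decode_saml_request(url: str) -> str:
    """Reverse the binding (what the IdP does on receipt)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def logon(key: str) -> dict:
    """Handle GET /SSO/Logon/<key>.

    A known key produces a 302 to that tenant's IdP; anything else gets
    the same 404 as a nonexistent page, so a probe cannot distinguish
    "no such key" from "no such route".
    """
    idp_endpoint = _IDP_BY_KEY.get(key)
    if idp_endpoint is None:
        return dict(NOT_FOUND)
    location = redirect_binding_url(idp_endpoint, build_authn_request(idp_endpoint))
    return {"status": 302, "location": location}


if __name__ == "__main__":
    acme_key = register_idp("https://idp.acme.example/saml2/sso")  # constructed
    print("logon link to hand to the tenant:", f"https://sp.example.test/SSO/Logon/{acme_key}")
    print("probe with a guessed name:", logon("Acme"))
    print("probe with a guessed id:  ", logon("1"))
    print("real key:", logon(acme_key)["status"])
```

The key is handed to the tenant out of band (in their onboarding material or their own portal link), which is the one place it has to appear; the SP never lists keys and never accepts a target URL from the browser. Rotating a tenant's key is just registering a new one and deleting the old row.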
