
We want to send visitors on our website over to a business partner's website. The visitor arrives at our website, surfs around for a while, and then she may click on a particular link that requires her to be sent over to our partner's website to view a particular resource. The partner requires a signed SAML 2.0 assertion. We are the Identity Provider in this scenario. And we are initiating the handshake. Our user is not visiting the partner's site first.

When our ultimate goal is to have our user be on the partner's website reading one of the partner's HTML pages, what mechanism do we use to post the signed assertion to the partner's website URL and then convey our user over to the partner's URL?

Do we have to inject the assertion attributes into hidden form elements and inject a JavaScript submit() action into the form's onload event, making the partner's URL the submission target? Is that considered "best practice"?

Or do we instantiate an HttpWebRequest which posts the assertion? If so, what then? How do we get our user over to the partner's site after posting an assertion to them?

Tim


You should use the HTTP POST binding as described in the "bindings" section of the SAML Specifications.

Basically, it is a form with hidden fields that is auto-posted by JavaScript to the partner's site's assertion consumer service URL.

Once the partner's assertion consumer service has consumed the SAML assertion, the partner's site should redirect the user to the right page. The standard allows custom fields to be used in addition to the SAML assertion, which makes it possible to tell the partner's site where the user should be redirected when the authentication is done.

Anders Abel
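As an added example (not part of the answer above), here is a Python rendering of the HTTP-POST binding form just described, with the SAMLResponse and RelayState hidden fields, plus the partner-side decode that vets RelayState before redirecting. The ACS URL, host names and the unsigned placeholder response are constructed assumptions; XML-DSig signing and signature validation are not shown.

```python
import base64
import html
from urllib.parse import urlparse

# Constructed, unsigned stand-in for the signed <samlp:Response> an IdP would emit.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" Destination="https://partner.example/saml/acs">'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>alice@idp.example</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)


def build_post_binding_form(acs_url, saml_response_xml, relay_state=None):
    """IdP side: render the self-submitting form of the SAML 2.0 HTTP-POST binding.
    SAMLResponse carries the base64-encoded (signed) response; RelayState (max 80
    bytes per the bindings spec) tells the partner where to send the user afterwards.
    Values are HTML-escaped so a crafted value cannot inject markup into the page."""
    if relay_state is not None and len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState must not exceed 80 bytes")
    fields = [("SAMLResponse", base64.b64encode(saml_response_xml.encode()).decode("ascii"))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(
        f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}"/>' for n, v in fields
    )
    return (
        '<!DOCTYPE html>\n<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{html.escape(acs_url)}">\n{inputs}\n'
        '<noscript><input type="submit" value="Continue"/></noscript>\n'
        '</form></body></html>\n'
    )


def decode_post_binding(form, allowed_relay_hosts):
    """Partner (ACS) side: decode SAMLResponse and vet RelayState before redirecting.
    Only a site-relative path or an https URL on an allow-listed host is accepted, so
    RelayState cannot bounce the user to an arbitrary site. Signature validation of
    the returned XML is the next step and is not shown here."""
    xml = base64.b64decode(form["SAMLResponse"], validate=True).decode("utf-8")
    relay = form.get("RelayState", "/")
    parsed = urlparse(relay)
    if parsed.scheme or parsed.netloc:
        if parsed.scheme != "https" or parsed.netloc not in allowed_relay_hosts:
            raise ValueError(f"RelayState target not allowed: {relay}")
    elif not relay.startswith("/") or "\\" in relay:
        raise ValueError(f"RelayState must be a site-relative path: {relay}")
    return xml, relay
```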