0

In a multiple SPs and a single IdP scenario, why the SP-Initiated profile is called SSO if the user needs to enter the credentials whenever he or she tries to login to a different SP?

On the other hand, IdP-Initiated is a true SSO system because the user doesn't have to re-enter the credentials every time he or she tries to login to a different SP.

Any help clarifying this matter would be very appreciated.

Thanks!

Edenshaw
  • 1,692
  • 18
  • 27
  • Once user via SP A has initiated and finished request, he is logged in to IdP. If user tries to log-in via SP B, IdP has to verify user consent to send his claims to SP B; if this consent was provided already in the past there should be no need to enter credentials into IdP again and he should just seemlesly log in. – Ondrej Svejdar Feb 24 '14 at 20:31

1 Answers1

0

I am not sure that your statement is correct - in a multiple SPs and a single IdP scenario, the user DOES NOT need to enter the credentials whenever he tries to login to a different SP. For example, the user tries to access the first SP, gets redirected to the IDP, and asked for his creds (credentials). Since then, he does not have to re-enter his creds - so if he tries to access another SP, he again will be redirected to the IDP, that will issue the token without asking for the creds.

OhadR
  • 8,276
  • 3
  • 47
  • 53