
Ok, so my system is a SAML2 SP. We have tested it on SSOCircle (public saml idp test harness) and it works.

Now we're trying to set it up with a customer (who is an IdP). My question is, if we're doing an IdP Initiated SSO - does the IdP need to be visible to the SP? (the idp is not accessible via web) Or does it not matter, so long as the IdP can post to the SP? (The SP is publicly visible).

My assumption is it doesn't. Correct?

Oliver McPhee
  • IdP and SP must establish their trust with each other for them to talk. If one is invisible to the other, then there won't be any communication. The other party simply rejects the SAMLRequest or SAMLResponse, as it doesn't know who is sending the request/response. Can you explain a bit more on your use case? – Zeigeist Jul 21 '16 at 04:45
  • An IdP is sending a SAMLResponse to our ACS. It is IdP-initiated SSO, so it's only one-way traffic here (IdP -> SP). The IdP can see the SP, but not the other way around. The issue we're getting is around nostate (we're the SP and using simplesaml). We do receive the SAML response though - the SAML Tracer shows us this. – Oliver McPhee Jul 21 '16 at 11:51

1 Answer


It really depends on the binding you're using. If you're using the POST binding, indeed, all communications between the IdP and the SP go through the browser, and the IdP and SP don't need to communicate directly.

This is not the case with the Artifact binding, where the SP needs to fetch the token from the IdP.

sk_
  • Yep - it's HTTP POST. We're getting a nostate error when we try this integration. We (the SP) are receiving a SAML Response at our ACS service - so we don't understand where it's going wrong. – Oliver McPhee Jul 21 '16 at 11:52
  • Not sure about the error message, but the "no state" error can mean that your SP is expecting a response only in an SP-initiated flow. In an SP-initiated flow, the SP expects a RelayState parameter sent with the response. This parameter is not sent in an IdP-initiated flow. – sk_ Jul 21 '16 at 19:57
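The state check behind a "no state" error, as an added example that is not part of the question, the answer or simplesaml: an ACS handler that tells an SP-initiated response (InResponseTo pointing at an AuthnRequest the SP stored) from an unsolicited IdP-initiated one (no InResponseTo, so nothing to look up). All URLs, the pending-request table and the sample response are constructed, and XML signature verification is assumed to happen before this code runs.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SP configuration (constructed values, not taken from the question).
ACS_URL = "https://sp.example.com/acs"
TRUSTED_IDP = "https://idp.example.com/metadata"
ALLOW_UNSOLICITED = True  # accept IdP-initiated responses at all?

# State kept from SP-initiated flows only: AuthnRequest ID -> RelayState.
pending_requests = {"_req-1": "/dashboard"}

def classify_response(saml_response_b64):
    """Decide which flow a POSTed SAMLResponse belongs to, or raise ValueError.
    Assumes the XML signature has already been verified by the caller."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    # These checks apply whichever side started the flow.
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match our ACS")
    if root.findtext("{%s}Issuer" % SAML) != TRUSTED_IDP:
        raise ValueError("Issuer is not a trusted IdP")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: no AuthnRequest, hence no stored state to find.
        if not ALLOW_UNSOLICITED:
            raise ValueError("no state: unsolicited response not allowed")
        return "idp-initiated", None
    relay_state = pending_requests.pop(in_response_to, None)
    if relay_state is None:
        raise ValueError("no state: unknown or expired InResponseTo")
    return "sp-initiated", relay_state

def handle_acs_post(saml_response_b64):
    """ACS outcome as a tuple: ('ok', flow, relay_state) or ('rejected', reason, None)."""
    try:
        flow, relay_state = classify_response(saml_response_b64)
        return "ok", flow, relay_state
    except ValueError as err:
        return "rejected", str(err), None

def make_response(in_response_to=None):
    """Constructed, unsigned sample Response used only for demonstration."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    doc = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"'
           ' Destination="%s"%s><saml:Issuer>%s</saml:Issuer></samlp:Response>'
           % (SAMLP, SAML, ACS_URL, attr, TRUSTED_IDP))
    return base64.b64encode(doc.encode()).decode()
```

With ALLOW_UNSOLICITED set to False, the unsolicited case is rejected with the same "no state" wording, which is the situation the question describes.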