Single Sign On SAML Interception

Question

I'm working on a research about some new usage of SSO. Basically I'm trying to find way how to intercept SAML Request which is sent from Service Provider to Identity Provider with some kind of IdP proxy or 3rd party service, which will hold the SAML Request and will provide some additional functionality to users. The desired process could look like this:

1. User invokes SAML request from SP - click Login button for example
2. User is redirected to the 3rd party service, where is, for example, small survey(this is theoretical example)
3. After submitting the survey, user is redirected to the IdP and should continue with login

I have quite good experience with SimpleSAMLphp and configuring federation. But I my attempts to find some useful information about this kind of interception have failed. I add a super basic picture of the solution.(please don't laugh:) )

Does SAML support any kind of this processing? I'm open for discussion. I was also thinking to intercept the SAML after user signs in on IdP(to have redirection from IdP to 3rd part service proxy and then to SP)

Thank you for advices and your thoughts; hopefully, it's not totally stupid question

---

EDIT: During my research I came across technology/approach which is called IDP Proxy. Do you think that is feasible for my purpose? Basically, a SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs. More about it for example here

Answer 1

I don't think this is possible, it's simply beyond the protocol. The SP provides a service, the IdP is responsible for user authentication. There seems to be no place for a 3rd party service between the two.

I guess you control (at least) either the SP or the IdP. Try to implement your survey (or whatever) at the provider you control.

As an alternative, you could try to implement your own IdP including a survey (or whatever) that uses the original IdP for authentication.