Reputation: 37
Here is the scenario.
1. Service Provider ABC.com is configured to accept credentials from IDP MNO.com.
2. Service Provider is also configured as an Identity Provider for XYZ.com.
3. User requests resource from ABC.com, is authenticated successfully against MNO.com.
4. Now the user wants a resource from XYZ.com.
XYZ will ask ABC if the user is authenticated. The user authenticated originally against MNO.com. MNO.com and XYZ.com do not know about each other. Do the credentials originally authenticated against MNO.com cross over to XYZ.com? In other words, will ABC.com consider the user authenticated, and will it provide those credentials received from MNO.com to XYZ.com?
If not, is there a way to achieve this or does the original IdP (MNO.com) need to also service XYZ.com?
In short:
Identity Provider: MNO.com trusts SP: ABC.com
SP: ABC.com also configured as IDP to XYZ.com
SP: XYZ.com does not know about IDP: MNO.com
Do the credentials from MNO.com get passed to XYZ.com just because ABC.com is both an SP and Identity Provider?
Thanks
Upvotes: 0
Views: 232
Reputation: 6248
Ideally there will be one Identity Provider (MNO.com) in your case. All associated Service Providers need to be configured inside the IdP. You have two SPs, "abc.com" and "xyz.com", which should be configured with MNO.com; however, abc.com and xyz.com are not required to know each other.
Use case: if the user tries to log in to xyz.com, which is protected by IdP MNO.com, then MNO.com will ask for credentials if the user has not logged in previously. Now the user will be able to access xyz.com, and if he wants to access abc.com then the request will go to the IdP for authentication and get successful authentication due to the previous session created by xyz.com. So the user will be able to access abc.com without logging in again.
Let me know if you have any doubts.
Upvotes: 1
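As an added illustration of the layout in this answer (not code from the original post or from any SAML product): a toy Python model in which MNO.com is the only IdP, both SPs are registered with it, and the second SP's login is satisfied by the IdP's own session rather than by one SP handing credentials to the other. The class names, the session cookie, and the audience check on each assertion are simplifying assumptions of the model, not a real SAML implementation.

```python
# Toy model: MNO.com is the only IdP; SSO comes from its session, not from SP-to-SP forwarding.
from dataclasses import dataclass, field
import secrets

@dataclass
class Assertion:
    subject: str
    audience: str          # the SP this assertion was issued for (assumed check)
    issuer: str = "MNO.com"

@dataclass
class IdentityProvider:
    name: str = "MNO.com"
    registered_sps: set = field(default_factory=set)
    users: dict = field(default_factory=dict)      # username -> password (demo only)
    sessions: dict = field(default_factory=dict)   # browser cookie -> username
    prompts: int = 0                                # how often a login form was shown

    def authenticate(self, sp, cookie, creds=None):
        """Handle an AuthnRequest from `sp`: reuse a session or require credentials."""
        if sp not in self.registered_sps:
            raise PermissionError(f"{sp} is not a registered SP")
        user = self.sessions.get(cookie)
        if user is None:
            self.prompts += 1
            if creds is None or self.users.get(creds[0]) != creds[1]:
                raise PermissionError("login required")
            user = creds[0]
            cookie = secrets.token_hex(8)          # new IdP session for this browser
            self.sessions[cookie] = user
        return Assertion(subject=user, audience=sp), cookie

@dataclass
class ServiceProvider:
    name: str
    idp: IdentityProvider

    def accept(self, assertion):
        """Accept only assertions from the trusted IdP that were issued for this SP."""
        return assertion.issuer == self.idp.name and assertion.audience == self.name

def sso_walkthrough():
    """Log in at xyz.com, then access abc.com without a second login prompt."""
    idp = IdentityProvider(registered_sps={"abc.com", "xyz.com"}, users={"alice": "pw"})
    xyz, abc = ServiceProvider("xyz.com", idp), ServiceProvider("abc.com", idp)
    a1, cookie = idp.authenticate("xyz.com", cookie=None, creds=("alice", "pw"))
    a2, _ = idp.authenticate("abc.com", cookie=cookie)   # session reused, no prompt
    return {"xyz_ok": xyz.accept(a1), "abc_ok": abc.accept(a2),
            "prompts": idp.prompts, "replay_blocked": not abc.accept(a1)}
```

The `replay_blocked` result shows the point of the answer: the assertion issued for xyz.com is not reusable at abc.com; abc.com gets its own assertion from the IdP's session.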