Rene Egremy

Reputation: 70

Silent SAML authentication?

I'm trying to authenticate users with the SAML protocol. So far I have two applications in two different identity providers (Auth0 and OneLogin) to test. I also have my service provider. What I'm trying to do is authenticate users without redirecting them to any Identity Provider login form. Something like this:

  1. The user tries to log in to my application (made in React)
  2. My server provider receives the request made by the user and sends the credentials (username and password) to an identity provider using the SAML protocol.
  3. The identity provider validates the credentials; if they are correct, it returns a SAML assertion to my server provider; otherwise, it will return an error.
  4. It depends on the identity provider's response whether the content is sent to the user or not.

I know that it is not the intended use of SAML, but I want to know if there is a way to do it and how it will be possible.


Any help or advice will be well received, thank you.

Upvotes: 1

Views: 1435

Answers (1)

ComponentSpace

Reputation: 1367

That's not how SAML works and I'm not aware of any SAML identity providers that accept the user's name and password.

It is possible to include the user's name in the SAML authn request sent to the identity provider but there's no provision for including a password.

I think there are a number of security considerations if you were to prompt a user for their credentials for one web site (i.e. the identity provider) at a different web site (i.e. the service provider).

Using SAML SSO, if the user isn't already authenticated at the identity provider, it will prompt the user to log in.

Upvotes: 1
