EagerToLearn

Reputation: 675

necessary Information to connect with an SSO provider

Say that I have an application (service provider) and sell it to clients. The clients want to use SSO login instead of logging in using the application's credentials. So I want to create something like this, so that I won't have to modify the source code every time the usage of a new SSO provider (SP) is required.

  1. Client will open something called the SP manager page
  2. Client clicks "add new SSO provider" to open the SP creation page
  3. Client enters the necessary information to connect to the SP
  4. When done, the user clicks Save to save the information
  5. The user turns the newly created SP's status to On (meaning yes, I will use SSO with this SP)
  6. The user then logs out and logs in again. Now the application will automatically redirect the user to the SP login page; if the login is successful, the user will be redirected back to the application and logged into the system.

What I'm confused about is how much information will be needed to implement this. As far as I know the following information is necessary.

One more thing: will the SAML format (layout definition) be different for each SP, or will they all be the same?

Thanks a lot for reading.

Upvotes: 0

Views: 202

Answers (1)

moi

Reputation: 537

Your question does not state the language, SDK, or platform details of your app. I assume you have not yet incorporated the SSO login into your app. Assuming that your application will not just be browser-limited, you need an HTTP client tool/library like

curl — https://curl.se/download.html
HTTPie — https://httpie.io/
Postman — https://www.postman.com/downloads/
Insomnia — https://insomnia.rest/

Since my personal favorite is curl, the flow will be somewhat like this:

  • CLIENT accesses the SP (initiates the SSO flow; this is typically a "sign in" button or simply a request to a protected page). SP replies with a SAML AuthnRequest message (typically a 302 redirect to the IDP)

  • CLIENT follows the redirect and sends the SAML AuthnRequest message to IDP

  • If the user is not already authenticated with the IDP:
      a. IDP redirects to the IDP login page
      b. CLIENT submits credentials via the login form to IDP
      c. IDP authenticates the user and redirects the user to continue with SSO

  • IDP generates the SAML Response with the Assertion and sends it back to the CLIENT (typically this is an HTML page with an auto-posted form)

  • CLIENT continues posting the SAML Response message to the SP

  • SP receives the SAML Response message and authenticates the user based on the Assertion (if SSO is successful the SP typically replies with a “logged in” page or the protected content)

  • CLIENT receives the SP response and evaluates if the SSO flow was successful (user is logged in)

This example uses a bash script; you can also use the curl C++ API. However, from personal experience, using a script will be faster in terms of development time. You can test using the CLI, and when satisfied, you can incorporate the CLI using a pipe into your application using Python or C++.

You can add text input fields in your app to ensure your requirement is satisfied: "I won't have to modify source code every time the usage of a new SSO provider (SP) is required."

Upvotes: 1
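The service-provider side of the flow in the answer above, as an added example that is neither the answer's script nor code from the asker's application: it builds the AuthnRequest of the first step for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and applies the checks a service provider must make on the posted Response in the last two steps before logging the user in. All URLs, entity IDs, function names and the sample Response are constructed for this example; XML-signature verification of the Response against the IdP's certificate is assumed to have happened already and is not implemented here.

```python
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime in UTC

def build_authn_redirect(idp_sso_url, sp_entity_id, acs_url):
    """Step 1: the SP builds an AuthnRequest for the HTTP-Redirect binding; it must remember request_id."""
    request_id, issued = "_" + uuid.uuid4().hex, dt.datetime.now(dt.timezone.utc).strftime(FMT)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issued}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE without zlib header, as the Redirect binding requires
    deflated = comp.compress(xml.encode()) + comp.flush()
    return request_id, idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def check_response(saml_response_b64, expected_request_id, sp_entity_id, now_utc):
    """Last steps: SP checks on the posted SAMLResponse (XML signature assumed already verified, not done here); returns (NameID or None, problems)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("InResponseTo") != expected_request_id:  # reject unsolicited or replayed responses
        problems.append("InResponseTo does not match the AuthnRequest this SP issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion in Response"]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:  # assertion minted for a different SP
        problems.append("Audience is not this SP's entityID")
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    t = lambda s: dt.datetime.strptime(s, FMT)
    if not (nb and noa and t(nb) <= t(now_utc) < t(noa)):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    return getattr(assertion.find("saml:Subject/saml:NameID", NS), "text", None), problems

def sample_response(in_response_to, audience):  # constructed, unsigned IdP Response for offline testing only
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="2024-01-01T12:00:00Z" InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

The parameters these helpers take (the IdP's SSO URL, the SP entityID, the ACS URL, plus the IdP signing certificate for the omitted signature check) are the per-provider values the SP creation page from the question would have to store.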
