IDP initiated vs SP initiated sign-on - ADFS 3.0

  • Question

  • Hi,

    Which is more preferable, IDP initiated sign-on or SP initiated sign-on, and WHY?

    Please advise


    Nidhi sharma

    Monday, July 17, 2017 1:46 PM

Answers

  • So here we are talking SAML. This is my personal opinion and this is totally open to criticism :) 

    Once upon a time, the OASIS folks decided to publish the specs for SAML1. At the beginning, there was only IDP Initiated Sign-On available. So the user needed to go to the IDP first. That kinda made sense at the time since it was mainly on-prem applications and centralized administration and network. The Shibboleth (open source IDP) folks looked at it and thought they could improve it. They created an extension which enabled applications to redirect the user to the IDP if it wasn't authenticated yet, the premise of SP-Initiated Sign-On. This extension was so neat that it became a part of the specs in SAML2.

    So when you think about it, IDP Initiated Sign-On is old-school stuff "designed" back in the days when IT wasn't this cloud-oriented world with SaaS and trust everywhere. Besides, it sometimes assumes that the user needs to know where to go to authenticate (since knowing the URL of the application isn't enough). Well, you can craft a URL which will include the name of the SP to reduce the steps the user has to go through, but still... You can also manage RelayState information which will enable the user to give more context to the application once redirected, but that's a bit off topic. If you want to be able to do IDP Initiated Sign-On with ADFS, the user will have to go to the adfs/ls/idpinitiatedsignon.aspx page. And this page will show anonymously all the SPs you currently have which use SAML (not the ones using WS-Fed nor OAuth). So there is a potential privacy issue here. To a point that ADFS on Windows Server 2016 even has this page disabled by default.

    So, IMO I would pick SP-Initiated Sign-On or, even better, would go for a more recent protocol which has plenty of cool options: OAuth2 (coupled with OIDC for the authentication part).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Monday, July 17, 2017 6:32 PM
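The flow difference Pierre describes has a concrete consequence on the SP side: in SP-initiated sign-on the SP issued an AuthnRequest and can insist that the Response it receives carries an InResponseTo matching that request, whereas an IdP-initiated Response arrives unsolicited with no InResponseTo at all. The following Python is an added example written for this page (it is not code from the thread, from ADFS or from any SAML library): it builds an AuthnRequest with RelayState for the HTTP-Redirect binding, remembers the request ID, and then classifies incoming Responses as solicited, replayed, expired or unsolicited. The hostnames, entity IDs and the minimal unsigned Response are constructed placeholders; a real SP verifies the XML signature on the Response before reading any of these attributes, which is omitted here.

```python
"""SP-initiated SAML 2.0 flow sketch (example code, not from the thread):
the SP issues an AuthnRequest, records its ID, and later accepts only a
Response whose InResponseTo matches one it issued. An IdP-initiated
(unsolicited) Response has no InResponseTo, so the SP can refuse it.
Signature verification of the Response is required in practice; omitted."""
import base64
import uuid
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders, not real endpoints.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"


def build_authn_request(pending, relay_state, ttl=timedelta(minutes=5)):
    """Create an AuthnRequest, record its ID in `pending`, and return
    (request_id, redirect_url) for the HTTP-Redirect binding."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc)
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    pending[request_id] = {"relay_state": relay_state, "expires": now + ttl}
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """Reverse the HTTP-Redirect encoding and return the AuthnRequest ID,
    i.e. the value the IdP must echo back as InResponseTo."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    return ET.fromstring(xml).get("ID")


def classify_response(response_xml, pending, allow_unsolicited=False):
    """Decide whether a Response belongs to an SP-initiated flow we started.
    Returns a verdict string; anything starting with 'reject' fails."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_P}}}Response":
        return "reject: not a samlp:Response"
    if root.get("Destination") != ACS_URL:
        return "reject: wrong Destination"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No InResponseTo: nobody at the SP asked for this login. That is
        # the IdP-initiated flow; only accept it if the SP opts in.
        if allow_unsolicited:
            return "accept-unsolicited"
        return "reject: unsolicited (IdP-initiated) response"
    entry = pending.pop(in_response_to, None)  # one-shot: blocks replay
    if entry is None:
        return "reject: unknown or replayed InResponseTo"
    if datetime.now(timezone.utc) > entry["expires"]:
        return "reject: AuthnRequest expired"
    return "accept"


def sample_response(in_response_to=None):
    """Constructed minimal (unsigned) Response for the example. Pass an ID to
    mimic an SP-initiated reply, or None to mimic an IdP-initiated one."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" '
        f'IssueInstant="2017-07-17T18:32:00Z" Destination="{ACS_URL}"{attr}>'
        f'<saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode '
        f'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'</samlp:Response>'
    )
```

Typical use: call `build_authn_request(pending, "/inbox")` when an unauthenticated user hits the SP, redirect the browser to the returned URL, and on the ACS endpoint pass the posted Response through `classify_response`. The `pending` dictionary is the SP-side state that makes the solicited/unsolicited distinction possible; because entries are popped on first use, a second Response with the same InResponseTo is rejected as a replay.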

All replies

  • Thanks a lot Pierre. :)

    Whenever I post any query here, I always expect your answer. Thanks for all your help and support. :)


    Nidhi sharma

    Monday, July 17, 2017 7:38 PM
  • Well, you are welcome mate :)

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, July 18, 2017 1:23 PM
  • Well, I have posted another query at the link below. I think you can help me again.

    https://social.technet.microsoft.com/Forums/en-US/a275dc78-38a3-43a4-9baf-ebefe23a796c/sp-initiated-url-gives-internal-server-error-adfs-30?forum=ADFS

    Thanks in advance :)


    Nidhi sharma

    Tuesday, July 18, 2017 7:23 PM