SP initiated SSO flow vs IDP initiated SSO flow

Shamodya Hashantha
4 min read · Aug 29, 2019


What do SP initiated single sign-on and IDP initiated single sign-on actually mean? Before getting to the main topic, it is better to have a brief idea of what single sign-on (SSO) is, how it works, and what the terms SP and IDP stand for.

a. What is actually a single sign-on?

In simple terms, SSO [1] is an authentication process that lets a user access multiple applications with one set of credentials by logging in only once. Once you have logged in to one application with your credentials, you do not need to log in again to the other applications linked to it.

The best example of this is logging in to Google services. When you access a Google service such as Gmail, you are redirected to your Google account to log in; once you are logged in, the Google account issues authentication cookies and redirects you back to Gmail. When you later open another Google service such as YouTube, you are again redirected to the Google account, which validates the existing cookie and lets you into YouTube. Single sign-on is a platform-independent process; protocols such as SAML and OpenID Connect (built on OAuth 2.0) are used to implement SSO in various domains. Simply put, SSO is one safe key that unlocks several locks. That is a brief overview of SSO; a later post will cover it in more detail.

Now back to the original topic. Before getting into it, the terms SP and IDP need to be clarified.

b. What is a Service Provider (SP)?

SP stands for service provider. A service provider is a federated partner that delivers a service to end users, and most often it relies on an identity provider: the SP does not authenticate the user itself but requests the authentication decision from the identity provider. The service provider maintains a local account, together with the user attributes that are specific to the service it provides.

c. What is an Identity Provider (IDP)?

The identity provider's responsibility is to authenticate the user and confirm that authentication to the service provider. To authenticate the user, the IDP can either validate the user's credentials (username and password) directly, or do so indirectly by validating user assertions presented by a separate identity provider.

First, let's look at how the SP initiated SSO flow works. It is described here in a very simple way; for a deeper understanding please refer to [3].

How SP initiated SSO flow works

[Figure: SP initiated SSO flow]

The main feature of the SP initiated SSO flow is that the authentication process starts in the service provider's domain. The whole process can be divided into the following steps.

1- The user requests a resource from the SP application.

2- The SP checks whether the user already has a valid session (token). If not, the SP creates a SAML authentication request (AuthnRequest) and redirects the browser to the IDP.

3- When the IDP receives the request, it checks whether the user is already authenticated. If not, it redirects the user to authenticate (WSO2 Identity Server, for example, can be used to validate the user).

4- Once authentication is done, the IDP creates a SAML response carrying a SAML assertion with all the required user attributes and redirects the browser back to the SP.

5- The SP validates the SAML response and assertion (signature, issuer, audience, validity window, and the InResponseTo reference to the request it sent), creates an SSO session for the user, and then grants access to the resource the user requested.

Now let's find out how the IDP initiated SSO flow works. The simplest explanation is given here; for more understanding please refer to [3].

How IDP initiated SSO flow works

[Figure: IDP initiated SSO flow]

Basically, the IDP initiated flow starts in the IDP's domain.

1- The user initiates the request from the IDP by clicking a link there (a particular URL for the target SP).

2- The IDP checks whether the user is authenticated. If not, the user is redirected to authenticate (WSO2 Identity Server, for example, can be used to validate the user).

3- Once the user is validated, the IDP creates a SAML response carrying a SAML assertion with the user attributes and other authentication parameters and redirects the browser to the SP.

4- After receiving the SAML response from the IDP, the SP validates the assertion, converts it into an SP application token, and creates the SSO session, after which it can redirect the user to the resource application.

Hence, in the IDP initiated SSO flow the user goes directly to the IDP instead of starting in the SP's domain, and once authentication is done at the IDP the user is redirected to the SP's resource application. That is the main difference between the SP initiated and IDP initiated SSO flows. One consequence worth noting: in the IDP initiated flow the SP receives an unsolicited SAML response, with no InResponseTo value tying it to a request the SP made, so the SP cannot tell whether the user actually asked to log in. An SP should therefore accept unsolicited responses only when it is explicitly configured for IDP initiated SSO, and must still verify the signature, issuer, audience and validity window and reject replayed assertions. So that is the basic picture of the SP and IDP initiated SSO flows.
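The two flows side by side, as an added example that is not part of the original post: a minimal service provider and identity provider written with only the Python standard library, exchanging SAML 2.0 messages. For the SP initiated flow the SP builds an AuthnRequest over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded), remembers its ID, and later requires the response's InResponseTo to match it; for the IDP initiated flow the IDP issues a response with no AuthnRequest at all, and the SP accepts it only if its hypothetical allow_unsolicited switch is on. Entity IDs, endpoints and user names are assumptions; XML signature verification and the SAML Status element are omitted, so the block shows the flow and the assertion checks (InResponseTo, audience, validity window, replay), not a complete SP.

```python
# Added example, not the post's own code. XML signatures are NOT verified here; a real
# SP must verify the IdP's signature before any of the checks below mean anything.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for p, ns in (("samlp", SAMLP), ("saml", SAML)): ET.register_namespace(p, ns)
# Hypothetical entity IDs and endpoints (not from the post).
SP_ENTITY_ID, ACS_URL = "https://sp.example.com/metadata", "https://sp.example.com/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.com/metadata", "https://idp.example.com/sso"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=2)

def q(ns, tag):  # Clark-notation tag name for ElementTree
    return "{%s}%s" % (ns, tag)

class ServiceProvider:
    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited  # must be True to accept IdP-initiated SSO
        self.pending = set()          # IDs of AuthnRequests we sent and have not seen answered
        self.seen_assertions = set()  # replay cache of consumed assertion IDs

    def build_redirect_url(self):
        """SP-initiated step 2: AuthnRequest over the HTTP-Redirect binding."""
        req_id = "_" + uuid.uuid4().hex
        req = ET.Element(q(SAMLP, "AuthnRequest"), {
            "ID": req_id, "Version": "2.0", "IssueInstant": datetime.now(timezone.utc).strftime(TIME_FMT),
            "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(req, q(SAML, "Issuer")).text = SP_ENTITY_ID
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
        deflated = comp.compress(ET.tostring(req)) + comp.flush()
        self.pending.add(req_id)
        return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

    def consume_response(self, saml_response_b64):
        """SP-initiated step 5 / IdP-initiated step 4: validate, then open the SSO session."""
        now = datetime.now(timezone.utc)
        resp = ET.fromstring(base64.b64decode(saml_response_b64))
        if resp.get("Destination") != ACS_URL or resp.findtext(q(SAML, "Issuer")) != IDP_ENTITY_ID:
            raise ValueError("wrong destination or unknown issuer")
        in_response_to = resp.get("InResponseTo")
        if in_response_to is None:  # unsolicited: this is what IdP-initiated SSO looks like on the wire
            if not self.allow_unsolicited:
                raise ValueError("unsolicited response rejected")
        elif in_response_to not in self.pending:
            raise ValueError("InResponseTo matches no outstanding AuthnRequest")
        else:
            self.pending.remove(in_response_to)  # one response per request
        assertion = resp.find(q(SAML, "Assertion"))
        cond = assertion.find(q(SAML, "Conditions"))
        nb, na = (datetime.strptime(cond.get(k), TIME_FMT).replace(tzinfo=timezone.utc) for k in ("NotBefore", "NotOnOrAfter"))
        if not (nb - CLOCK_SKEW <= now < na + CLOCK_SKEW):
            raise ValueError("assertion outside its validity window")
        if cond.findtext(q(SAML, "AudienceRestriction") + "/" + q(SAML, "Audience")) != SP_ENTITY_ID:
            raise ValueError("assertion was issued for a different SP")
        if assertion.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        self.seen_assertions.add(assertion.get("ID"))
        return assertion.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID"))  # session principal

class IdentityProvider:
    def parse_authn_request(self, redirect_url):
        """SP-initiated step 3: decode the AuthnRequest carried in the redirect URL."""
        params = parse_qs(redirect_url.split("?", 1)[1])
        req = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
        return req.get("ID")

    def issue_response(self, user, in_response_to=None, lifetime_seconds=300):
        """Build Response + Assertion; in_response_to stays None for IdP-initiated SSO."""
        t = datetime.now(timezone.utc)
        head = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": t.strftime(TIME_FMT), "Destination": ACS_URL}
        if in_response_to:
            head["InResponseTo"] = in_response_to
        resp = ET.Element(q(SAMLP, "Response"), head)
        ET.SubElement(resp, q(SAML, "Issuer")).text = IDP_ENTITY_ID
        a = ET.SubElement(resp, q(SAML, "Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": head["IssueInstant"]})
        ET.SubElement(a, q(SAML, "Issuer")).text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = user
        cond = ET.SubElement(a, q(SAML, "Conditions"), {"NotBefore": head["IssueInstant"], "NotOnOrAfter": (t + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT)})
        ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = SP_ENTITY_ID
        return base64.b64encode(ET.tostring(resp)).decode()

def sp_initiated_flow(sp, idp, user="alice"):
    url = sp.build_redirect_url()          # step 2: SP redirects the browser to the IdP
    req_id = idp.parse_authn_request(url)  # step 3: IdP authenticates the user (login itself not modelled)
    return sp.consume_response(idp.issue_response(user, in_response_to=req_id))  # steps 4-5

def idp_initiated_flow(sp, idp, user="alice"):
    return sp.consume_response(idp.issue_response(user))  # steps 1-4: no AuthnRequest ever existed

def accepted(sp, saml_response_b64):
    try:
        return sp.consume_response(saml_response_b64) is not None
    except ValueError:
        return False
```

Run sp_initiated_flow with a ServiceProvider(allow_unsolicited=False) and the session opens for the named user; feed the same strict SP a response from idp_initiated_flow and it is rejected, because nothing ties that response to a request the SP made. Only a ServiceProvider(allow_unsolicited=True) completes the IDP initiated flow, and even then the audience, validity window and replay checks still apply, so a second delivery of the same response, or one whose NotOnOrAfter has passed, is refused.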

Cheers.

References

[1] http://www.opengroup.org/security/sso/sso_intro.htm

[2] https://www.ibm.com/support/knowledgecenter/en/SSZSXU_6.2.1/com.ibm.tivoli.fim.doc_6.2.1/concept/federationproviderrolesSAML.html

[3] https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso

[4] https://blog.jlurena.me/2019/05/03/idp-initiated-vs-sp-initiated-sso/

[5] http://jamsheert.blogspot.com/2015/08/difference-between-idp-initiated-sso.html
