IdP initiated login with ThinkTecture IdentityServer v3

Summary

SAML has the concept of IdP-initiated login, which means that the identity provider (IdP) can send an unsolicited token to the Relying Party (RP / consumer application), and the user is logged in without the RP ever calling the IdP. I have a scenario where I need to do this, but I want ThinkTecture IdentityServer v3 to sit in the middle, as it handles my normal auth (the everyday case without SAML). I can't call the SAML IdP for reasons beyond my control. I would like to do the following:

IdP initiated SSO via Identity Server

I spent a little time on this, and I also looked at the spec, which talks about initiating login from a third party, but if I understand it correctly, it still starts from the third party directing the user to the RP, which then sends a login request to the IdP (which would be the ThinkTecture authentication server), and that is not really what I need.

In general, I don't think OpenID Connect has an equivalent of SAML IdP-initiated SSO. Is this correct, am I just unable to figure it out, or is it that ThinkTecture IdentityServer does not support it?

More details

  • I have successfully used KentorIT AuthServices OWIN Middleware to implement IdP-initiated SAML SSO directly on the website, without using IdSrv at all.
  • I also integrated Kentor OWIN middleware with IdSrv so that my site is redirected to IdSrv, which then redirects to the SAML server, where I log in, return to IdSrv, which then transfers the SAML token and sends the OpenID authentication token back to my site.
  • For fun, I also used the Kentor library to just have an MVC controller that decompresses the SAML token, so if I wanted to, I could do manual authentication with that.

Everything works pretty nicely thanks to ThinkTecture and KentorIT. Alas, it all starts from my site and ends with a redirect to the SAML server, which I cannot do in my scenario for non-technical reasons.

Alternative solution

I can, of course, do without IdSrv altogether in this scenario, but I have reasons for having IdSrv in the middle, and all my authentication goes through it. So my thinking at the moment is to build this flow:

  • The SAML server sends the SAML token to a specific URL on my website.
  • My site reposts this token to the Identity Server as is. The Identity Server has the KentorIT OWIN middleware installed, so this simply logs in to IdSrv, which means IdSrv sets the auth cookie.
  • IdSrv does a simple redirect back to another URL of my website, without any tokens. So far, this really has nothing to do with IdSrv.
  • My website now issues an authentication request to IdSrv.
  • Since the user has already signed in to IdSrv, IdSrv will immediately respond and redirect the user back to my site with an identity token.

This is a lot of redirects, but it should work.

Before I start implementing it, can someone tell me if this is the right way to go, or will I miss something really obvious?

EDIT 1

This idea doesn't seem to work either. Essentially, what I need to do is use SAML IdP-initiated SSO to authenticate to Identity Server, then redirect to the RP and force the RP to redirect to Identity Server with an authentication request. However, as far as I can tell, there is no way to get Identity Server to sign a user in except as part of an RP request. In other words, even though my SAML middleware gladly accepts an unsolicited token, IdSrv ignores the SAML middleware's request to sign the user in (which, I suppose, is fair enough).

So, I think that an alternative solution is to write a controller that can check the SAML token and directly call IdSrv in code running on the same server, telling it to sign the user in with an identity I create manually.

(new) question: Does Identity Server provide a mechanism to sign a user in from code, so that Identity Server sets the appropriate cookies for the user?

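A check the question leaves implicit: whichever endpoint accepts the unsolicited SAML response (the website in the first design, IdSrv in the second) has to validate it before issuing any cookie, and an unsolicited response has no AuthnRequest to match against. The following is an added example, not code from the question or from Kentor/IdentityServer; it runs in Python over a constructed sample response, assumes the XML signature has already been verified by the SAML library, and the function name, the example URLs and the replay set are all assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an unsolicited (IdP-initiated) Response with the
# XML signature omitted; signature verification is assumed done upstream.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://rp.example/saml/acs" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://rp.example/saml/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2023-12-31T23:59:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://rp.example</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_unsolicited(xml_text, issuer, audience, acs_url, now, seen_ids,
                         skew=timedelta(minutes=2)):
    """Return (True, name_id) or (False, reason). seen_ids is a set of
    assertion IDs already consumed, used as replay protection."""
    root = ET.fromstring(xml_text)
    # No AuthnRequest was sent, so an InResponseTo on this response is a mismatch.
    if root.get("InResponseTo"):
        return False, "InResponseTo present on an unsolicited response"
    if root.get("Destination") != acs_url:
        return False, "Destination is not our ACS URL"
    a = root.find("a:Assertion", NS)
    if a is None or a.findtext("a:Issuer", namespaces=NS) != issuer:
        return False, "missing assertion or unexpected Issuer"
    cond = a.find("a:Conditions", NS)
    if cond is None or now < parse_ts(cond.get("NotBefore")) - skew \
            or now >= parse_ts(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside its validity window"
    if audience not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        return False, "audience restriction does not name this RP"
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url \
            or now >= parse_ts(scd.get("NotOnOrAfter")) + skew:
        return False, "bearer confirmation data rejected"
    if a.get("ID") in seen_ids:
        return False, "assertion ID already consumed (replay)"
    seen_ids.add(a.get("ID"))
    return True, a.findtext("a:Subject/a:NameID", namespaces=NS)
```

The replay set would be a shared store in a real deployment, because the same unsolicited POST can be delivered to any instance behind the ACS URL.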
1 answer

The short answer is that this is not possible at the moment.
I discovered the problem with Identity Server and am developing proof of concept code at the moment.
This answer is here as a placeholder for now; when the solution appears, I will update this answer with a reasonable level of detail.


Source: https://habr.com/ru/post/981242/