[IdPServer] Using IDP component with SP initiated authorisation

Published on 2017-12-04 by Telmo Martins

Hi, I have the IDP Server and connector working where the user is already registered on the provider and the server initiates the authorisation. But is it possible to implement an SP initiated authorisation? i.e. the new user is registered on the client application and then SAML is passed to the IDP Server to register the user on the server (and thus allow SSO on other applications).


Hi Steven,

Usually it works the other way around, i.e., the user exists on the IdP server and when a client logs in for the first time with that user, the SP creates it on their side.

The SP sending a SAML message to the IdP in order to create the user doesn't make sense from an IdP/SP architecture perspective. If a new user comes in, it must be properly configured on the IdP first, and then the SP can log in with it.


Of course, according to your requirements you may have the need to automate user creation on the IdP side and expose some API to do that. Then you are ready to go and perform login from an SP.

This is not in scope from a SAML perspective, but again, if you have that type of requirement in your ecosystem, then you will need to customize and expose some API to create users directly in the Users table.


Regards.

I agree with Telmo; one way of achieving the same result would be to have users attempt to sign in on the IdP and have them migrated to the IdP at that point.

For example:

  1. The user attempts to sign in to the IdP; if the user account isn't known to the IdP already...
  2. The IdP checks your SP's list of known users and that the password the user entered is correct.
  3. If the user exists in the SP and the password they entered is correct, migrate that user account to the IdP.
    1. If the user doesn't exist in the SP, they would need to sign up/register anyway.
    2. If the password they entered is wrong, they would need to enter the correct one to sign in anyway.
  4. The user is signed in and migrated to the IdP.

Thanks Telmo, Dan,


I have implemented pretty much what Telmo said. I may change things to do it more like Dan's suggestion.

The catch is "I don't know the user's password" because it is hashed on the SP (not OutSystems), but I have a plan for that.


Thanks again

Steve

Hi Steven,

Regardless of the solution you came up with, bear in mind to make sure that you keep security regarding BruteForceProtection, MaxUsernameAttempts, etc. (that is provided OOB by the Users eSpace) when a user that exists only on the SP side tries to log in, for instance with a brute force attack using a known username.


Regards.
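Dan's migrate-on-first-login procedure above, together with Telmo's point that attempt limiting must also cover users that exist only on the SP side, sketched as an added Python example (not code from this thread or from the IdPServer Forge component). It assumes the SP and the IdP store PBKDF2-SHA256 password hashes in the same format so a hash can be copied without knowing the password, uses constructed in-memory user tables, and MAX_USERNAME_ATTEMPTS is a placeholder standing in for the Users module's MaxUsernameAttempts setting.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed limit, standing in for the Users module's MaxUsernameAttempts setting
MAX_USERNAME_ATTEMPTS = 3


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; assumed to be the scheme used by both the SP and the IdP."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class MigratingIdP:
    # Constructed stand-in for the SP's user table: username -> (salt, hash)
    sp_users: dict
    # The IdP's own user table, filled in as users are migrated
    idp_users: dict = field(default_factory=dict)
    # Failed-attempt counter per username, so lockout also covers SP-only users
    failed: dict = field(default_factory=dict)

    def _fail(self, username: str) -> str:
        self.failed[username] = self.failed.get(username, 0) + 1
        # Unknown user and wrong password get the same answer: no username enumeration
        return "invalid"

    def login(self, username: str, password: str) -> str:
        # Lockout is checked before any lookup, even for usernames nobody knows
        if self.failed.get(username, 0) >= MAX_USERNAME_ATTEMPTS:
            return "locked"
        # Steps 1-2: look the user up on the IdP first, then fall back to the SP's list
        record = self.idp_users.get(username) or self.sp_users.get(username)
        if record is None:
            return self._fail(username)
        salt, digest = record
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return self._fail(username)
        # Steps 3-4: correct password; copy the existing hash over, then sign in
        self.failed.pop(username, None)
        if username not in self.idp_users:
            self.idp_users[username] = record
            return "migrated"
        return "ok"
```

After migration the SP-side entry can be retired, since the IdP is now the authoritative user store for that account.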