Hi, I have the IDP Server and connector working where the user is already registered on the provider and the server initiates the authorisation. But is it possible to implement an SP-initiated authorisation? i.e. the new user is registered on the client application and then SAML is passed to the IDP Server to register the user on the server (and thus allow SSO on other applications).
Hi Steven,
Usually it works the other way around, i.e., the user exists on the IdP server and, when a client logs in for the first time with that user, the SP creates it on their side.
The SP sending a SAML message to the IdP in order to create the user doesn't make sense from an IdP/SP architecture perspective. If a new user comes in, it must be properly configured on the IdP first, and then the SP can log in with it.
Of course, depending on your requirements, you may need to automate user creation on the IdP side and expose some API to do that. Then you are ready to go and perform the login from an SP.
This is not in scope from a SAML perspective, but again, if you have that type of requirement in your ecosystem, then you will need to customize and expose some API to create users directly in the Users table.
Regards.
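What the "SP creates the user on its side on first login" flow above looks like in code, as an added example that is not from this thread or from the OutSystems connector. It assumes the SAML library has already verified the XML signature on the Response/Assertion; this code only applies the remaining checks (issuer, validity window, audience) and then provisions the local SP user just in time. The entity IDs, the sample assertion and all function names are assumptions constructed for the demo.

```python
# Added example (not from the thread): SP-side just-in-time provisioning after a SAML login.
# Assumes the XML signature was already verified upstream by the SAML library.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical entity IDs for the two parties.
SP_ENTITY_ID = "https://sp.example.test/metadata"
IDP_ENTITY_ID = "https://idp.example.test/metadata"

# Constructed sample assertion (no Signature element; verification assumed upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">steve@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Steve</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def parse_saml_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; older fromisoformat needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, now: datetime) -> dict:
    """Return the subject and attributes if issuer, validity window and audience are acceptable."""
    root = ET.fromstring(xml_text)  # for untrusted XML in production, parse with defusedxml
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not an Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise AssertionRejected("unexpected issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion not addressed to this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise AssertionRejected("missing NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.strip(), "attributes": attrs}


def provision_on_login(users: dict, claims: dict) -> tuple:
    """Just-in-time provisioning: create the local SP user on first login, else reuse it.

    Returns (user_record, created). `users` stands in for the SP's user table.
    """
    key = claims["name_id"].lower()
    created = key not in users
    if created:
        display = claims["attributes"].get("displayName", [key])[0]
        users[key] = {"username": key, "display_name": display}
    return users[key], created
```

The audience check is the one SPs most often skip: without it, an assertion the IdP issued for a different SP can be replayed here, and the provisioning step would happily create an account for it.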
I agree with Telmo. One way of achieving the same result would be to have users attempt to sign in on the IdP and have users migrated to the IdP at that point.
For example,
Thanks Telmo, Dan,
I have implemented pretty much what Telmo said. I may change things to do it more like Dan's suggestion.
The catch is "I don't know the user's password" because it is hashed on the SP (not OutSystems), but I have a plan for that.
Thanks again
Steve
Regardless of the solution you come up with, keep in mind to make sure that you keep the security regarding BruteForceProtection, MaxUsernameAttempts, etc. (that is provided OOB by the Users eSpace) when a user that exists only on the SP side tries to log in, for instance with a brute-force attack using a known username.
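An added example, not the poster's implementation, of how the two points above fit together: migrating an SP-only account to the IdP at the user's first IdP sign-in without the IdP knowing the password up front (the SP verifies its own hash, and the IdP stores a fresh salted hash on success), combined with a per-username failed-attempt counter so that this legacy verification path gets the same lockout as a normal IdP login. MAX_USERNAME_ATTEMPTS, the PBKDF2 settings and all class and function names are assumptions; the stores are in-memory stand-ins.

```python
# Added example (not the poster's code): lazy migration of SP-only users to the IdP with
# a per-username attempt limit. Policy values and names below are assumptions.
import hashlib
import hmac
import os

MAX_USERNAME_ATTEMPTS = 5      # assumed policy value
PBKDF2_ITERATIONS = 100_000    # kept low for the demo; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LegacySpStore:
    """Stand-in for the SP's own user table: it holds salted hashes only, never plaintext."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest)

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users (timing)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hash_password(password, salt))


class IdpUsers:
    """The IdP's user store plus the per-username failed-attempt counter."""

    def __init__(self, legacy: LegacySpStore):
        self.legacy = legacy
        self.users = {}   # username -> (salt, digest), created at first successful login
        self.failed = {}  # username -> consecutive failed attempts

    def _record_failure(self, username: str) -> str:
        self.failed[username] = self.failed.get(username, 0) + 1
        return "locked" if self.failed[username] >= MAX_USERNAME_ATTEMPTS else "denied"

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'migrated', 'denied' or 'locked'."""
        # Lockout is checked first, so a locked username is refused even with the right
        # password and before any lookup on the legacy SP store happens.
        if self.failed.get(username, 0) >= MAX_USERNAME_ATTEMPTS:
            return "locked"
        rec = self.users.get(username)
        if rec is not None:
            salt, digest = rec
            if hmac.compare_digest(digest, hash_password(password, salt)):
                self.failed.pop(username, None)
                return "ok"
            return self._record_failure(username)
        # Not on the IdP yet: let the SP verify its own hash. On success, create the IdP
        # account with a fresh salt and hash so the legacy record is never copied across.
        if self.legacy.verify(username, password):
            salt = os.urandom(16)
            self.users[username] = (salt, hash_password(password, salt))
            self.failed.pop(username, None)
            return "migrated"
        return self._record_failure(username)
```

Counting failures per username is what stops an attacker from using the migration path to guess passwords for accounts the IdP has not seen yet; the flip side is that a hard per-username lockout lets anyone who knows a username lock that user out, so production systems usually combine it with per-source rate limiting or a time-based unlock rather than a permanent lock.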