Differences between SP initiated SSO and IDP initiated SSO

Question

Can anyone explain to me what the main differences between SP initiated SSO and IDP initiated SSO are  including which would be the better solution for implementing single sign on in conjunction with ADFS   OpenAM Federation

User · Answer

SP Initiated SSO  Bill the user   Hey Jimmy  show me that report   Jimmy the SP   Hey  I m not sure who you are yet  We have a process here so you go get yourself verified with Bob the IdP first  I trust him    Bob the IdP   I see Jimmy sent you here  Please give me your credentials    Bill the user   Hi I m Bill  Here are my credentials    Bob the IdP   Hi Bill  Looks like you check out    Bob the IdP   Hey Jimmy  This guy Bill checks out and here s some additional information about him  You do whatever you want from here    Jimmy the SP   Ok cool  Looks like Bill is also in our list of known  guests  I ll let Bill in    IdP Initiated SSO  Bill the user   Hey Bob  I want to go to Jimmy s place  Security is tight over there    Bob the IdP   Hey Jimmy  I trust Bill  He checks out and here s some additional information about him  You do whatever you want from here    Jimmy the SP   Ok cool  Looks like Bill is also in our list of known  guests  I ll let Bill in      I go into more detail here  but still keeping things simple  https   jorgecolonconsulting com saml-sso-in-simple-terms

User · Answer

https   support procore com faq what-is-the-difference-between-sp-and-idp-initiated-sso There is much more to this but this is a high level overview on which is which  Procore supports both SP- and IdP-initiated SSO  Identity Provider Initiated  IdP-initiated  SSO  With this option  your end users must log into your Identity Provider s SSO page  e g   Okta  OneLogin  or Microsoft Azure AD  and then click an icon to log into and open the Procore web application  To configure this solution  see Configure IdP-Initiated SSO for Microsoft Azure AD  Configure Procore for IdP-Initated Okta SSO  or Configure IdP-Initiated SSO for OneLogin  OR Service Provider Initiated  SP-initiated  SSO  Referred to as Procore-initiated SSO  this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the Identify Provider  e g   Okta  OneLogin  or Microsoft Azure AD   Once the IdP authenticates the user s identify  the user is logged into Procore  To configure this solution  see Configure Procore-Initiated SSO for Microsoft Azure Active Directory  Configure Procore-Initiated SSO for Okta  or Configure Procore-Initiated SSO for OneLogin

User · Answer

In IDP Init SSO  Unsolicited Web SSO  the Federation process is initiated by the IDP sending an unsolicited SAML Response to the SP  In SP-Init  the SP generates an AuthnRequest that is sent to the IDP as the first step in the Federation process and the IDP then responds with a SAML Response  IMHO ADFSv2 support for SAML2 0 Web SSO SP-Init is  stronger than its IDP-Init support re  integration with 3rd Party Fed products  mostly revolving around support for RelayState  so if you have a choice you ll want to use SP-Init as it ll probably make life easier with ADFSv2   Here are some simple SSO descriptions from the PingFederate 8 0 Getting Started Guide that you can poke through that may help as well -- https   documentation pingidentity com pingfederate pf80 index shtml gettingStartedGuide task idpInitiatedSsoPOST html

User · Answer

IDP Initiated SSO  From PingFederate documentation  - https   docs pingidentity com bundle pf sm supportedStandards pf82 page task idpInitiatedSsoPOST html  In this scenario  a user is logged on to the IdP and attempts to access a resource on a remote SP server  The SAML assertion is transported to the SP via HTTP POST   Processing Steps    A user has logged on to the IdP  The user requests access to a protected SP resource  The user is not logged on to the SP site  Optionally  the IdP retrieves attributes from the user data store  The IdP   s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes  The browser automatically posts the HTML form back to the SP    SP Initiated SSO  From PingFederate documentation - http   documentation pingidentity com display PF610 SP-Initiated SSO--POST-POST  In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on  The user does not have an account on the SP site  but does have a federated account managed by a third-party IdP  The SP sends an authentication request to the IdP  Both the request and the returned SAML assertion are sent through the user   s browser via HTTP POST   Processing Steps    The user requests access to a protected SP resource  The request is redirected to the federation server to handle authentication  The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP  The HTML form is automatically posted to the IdP   s SSO service  If the user is not already logged on to the IdP site or if re-authentication is required  the IdP asks for credentials  e g   ID and password  and the user logs on  Additional information about the user may be retrieved from the user data store for inclusion in the SAML response   These attributes are predetermined as part of the federation agreement between the IdP and the SP  The IdP   s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes  The browser automatically posts the HTML form back to the SP  NOTE  SAML specifications require that POST responses be digitally signed   Not shown  If the signature and assertion are valid  the SP establishes a session for the user and redirects the browser to the target resource

[single-sign-on] Differences between SP initiated SSO and IDP initiated SSO

SP Initiated SSO

IdP Initiated SSO

Examples related to single-sign-on

Examples related to adfs2.0

Examples related to openam