Configuring SP to send assertions to IDP (PingFederate SAML 2.0)

I'm working on configuring an SP to connect to another IDP using SAML 2.0 and browser SSO. I've finished all of the setup, but am unable to figure out how or if it's possible to send assertions to the IDP. Doesn't the IDP normally send the assertions back to the SP? When I navigate to the IDP's ACS URL I can't get access to the login page because I'm missing these SAML assertions.

My specific use case is setting up through PingFederate.

Thanks!


You're correct - the IdP sends assertions back to the SP, not the other way around. The SP can send some data to the IdP in an authentication request - but typically that's just the partner ID and (in some rare cases) a subject/username to tell the IdP who it's requesting to be authenticated.

"Navigating" to the IdP's ACS URL isn't something the end user's browser should normally be doing. The ACS URL is a protocol endpoint where the assertion will be sent from the IdP - often via an HTTP POST that is auto submitted by the browser, initiated by the IdP on the user's behalf.

If you want the SP to send an authentication request to the IdP from PingFederate, you can use the SP application endpoints (namely /sp/startSSO.ping) for that. Those endpoints are described here: https://documentation.pingidentity.com/pingfederate/pf90/index.shtml#concept_spServices.html#concept_spServices
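To make the direction of the exchange concrete, here is an added example (not code from the question, the answer, or PingFederate) that walks both sides of SP-initiated browser SSO with the standard library only: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding, the IdP decodes it, and the SP then checks the Response that the IdP auto-POSTs to the ACS URL. All entity IDs, URLs, and the sample Response are constructed, and XML signature verification is deliberately left out (a real SP must verify the signature before trusting any of the checked fields).

```python
"""SP-initiated SAML 2.0 web browser SSO, both directions, stdlib only.
Entity IDs, URLs and the IdP Response are constructed for illustration.
Signature verification is omitted; a real SP does it before anything else."""
import base64
import secrets
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/sp"             # constructed
SP_ACS_URL = "https://sp.example.test/sp/ACS.saml2"     # constructed
IDP_ENTITY_ID = "https://idp.example.test/idp"          # constructed
IDP_SSO_URL = "https://idp.example.test/idp/SSO.saml2"  # constructed


def ts(dt):
    """SAML dateTime in UTC with a Z suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id, issue_instant):
    """The only thing the SP sends the IdP: who is asking, and where to reply."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_binding(url):
    """What the IdP does on receipt: inverse of redirect_binding_url."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), qs["RelayState"][0]


def check_acs_response(saml_response_b64, expected_request_id, now):
    """Field checks an SP performs on a Response POSTed to its ACS URL.
    Returns the NameID, raises ValueError on any mismatch. No signature check here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported non-success status")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (missing or encrypted)")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion Issuer is not the expected IdP")
    cond = a.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience does not name this SP")
    nb = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    na = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not nb <= now < na:
        raise ValueError("assertion outside its validity window")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_sample_response(in_response_to, issued):
    """Constructed, unsigned IdP Response as it would arrive in the SAMLResponse form field."""
    nb, na = ts(issued), ts(issued + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def run_exchange(expected_id_override=None):
    """Drive SP -> IdP -> ACS; returns the NameID the SP accepts.
    expected_id_override simulates the SP holding a different outstanding request ID."""
    now = datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)
    url = redirect_binding_url(build_authn_request(request_id, ts(now)), "/app")
    req_xml, _relay = decode_redirect_binding(url)           # IdP side
    posted = make_sample_response(ET.fromstring(req_xml).get("ID"), now)  # IdP -> browser -> ACS
    return check_acs_response(posted, expected_id_override or request_id, now + timedelta(seconds=1))


if __name__ == "__main__":
    print("SP accepted NameID:", run_exchange())
```

The request the SP sends carries only its entity ID, a request ID, and the ACS URL it wants the answer delivered to; the assertion itself only ever travels from the IdP to the ACS. The checks in check_acs_response are the ones PingFederate performs for you on /sp/ACS.saml2, which is why a browser landing there without a freshly issued SAMLResponse gets an error rather than a login page.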
