Special Configuration Scenarios: Identity Provider-Initiated Single Sign-On
Many instructions for setting up SAML federation begin with single sign-on (SSO) initiated by the service provider. The service provider returns a browser redirect so that the user authenticates using the identity provider. After authentication, the browser redirects the user back to the service provider with a SAML assertion containing information about the authentication status. This is commonly used for consumer-facing scenarios.
Alternative to service provider-initiated SSO
You might choose to begin with the identity provider initiating SSO instead of the service provider. The user:
Invokes the URL on the identity provider.
Is prompted to authenticate.
Is redirected to the service provider with a SAML assertion.
This is commonly used in enterprise scenarios. For example, an organization might set up a portal to ensure that users navigate to the correct application:
The user navigates to the portal's URL.
The user is redirected to the identity provider, which authenticates the user.
If successfully authenticated, the user clicks on the appropriate link.
The user is redirected to the service provider with a SAML assertion.
Risks of using an identity provider-initiated SSO flow
In general, Auth0 recommends that you use service provider-initiated flows whenever available. When an application actively requests authentication as a first step (as is the case for service provider-initiated flows), it can check that the authentication response matches the original request.
In identity provider-initiated scenarios, on the other hand, the application cannot verify that the user actually started the flow. Because of this, the identity provider-initiated flow opens the possibility of a Login CSRF attack, where an attacker can trick a legitimate user into using a session created by the attacker.
Login CSRF attacks are generally less of a concern in enterprise scenarios, as any would-be attacker would have to come from the same directory of users. But, it is definitely a security concern in consumer-facing applications. Auth0 strongly advises against enabling identity-provider-initiated flows on SAML connections.
Auth0 as service provider where identity provider initiates SSO
For information on how to configure identity provider-initiated flows when Auth0 is the service provider, see Configure SAML Identity Provider-Initiated Single Sign-On.
Auth0 as identity provider where identity provider initiates SSO
If Auth0 acts as the identity provider, you can use the application's SAML Sign In URL endpoint directly (without a SAML request):
Invoke the identity provider-initiated login using the following URL:
You can also add a RelayState parameter set to the URL to which the service provider redirects the user after processing the SAML response. For example, the following URL is where the service provider redirects the user after it has processed the SAML response from Auth0:
Note that it's up to the target application to accept identity provider-initiated flows and use the RelayState parameter in a meaningful way if provided.
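The two service-provider-side checks this page motivates, rejecting unsolicited responses so a Login CSRF cannot plant a session the user never requested, and treating RelayState as a redirect target that must be validated, shown as an added example; this is not Auth0's code. It assumes the SAML library has already verified the response signature and assertion conditions, and the host list and sample responses are constructed for illustration.

```python
"""Service-provider-side check that distinguishes SP-initiated from unsolicited
(IdP-initiated) SAML responses and validates RelayState before redirecting."""
import xml.etree.ElementTree as ET  # use defusedxml for real untrusted input
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_saml_response(response_xml, pending_request_ids, relay_state=None,
                        allow_idp_initiated=False,
                        allowed_relay_hosts=("app.example.com",)):
    """Return (accepted, reason). Assumes signature and assertion conditions
    (audience, NotOnOrAfter, etc.) were already verified by the SAML library."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        return False, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: the SP never issued an AuthnRequest, so it
        # cannot prove this browser started the flow. This is the Login CSRF
        # exposure of IdP-initiated SSO; reject unless explicitly enabled.
        if not allow_idp_initiated:
            return False, "unsolicited (IdP-initiated) response rejected"
    elif in_response_to not in pending_request_ids:
        return False, "InResponseTo does not match a pending request"
    else:
        pending_request_ids.discard(in_response_to)  # request IDs are single use
    if relay_state:
        # RelayState is attacker-influenced input: only redirect to known hosts
        # over https, otherwise it becomes an open redirect after login.
        url = urlparse(relay_state)
        if url.scheme != "https" or url.hostname not in allowed_relay_hosts:
            return False, "RelayState is not an allowed redirect target"
    return True, "accepted"


# Constructed sample responses, trimmed to the attributes the check reads.
SP_INITIATED = (b'<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
                b'InResponseTo="_req123"/>' % SAMLP.encode())
UNSOLICITED = (b'<samlp:Response xmlns:samlp="%s" ID="_r2" Version="2.0"/>'
               % SAMLP.encode())

if __name__ == "__main__":
    print(check_saml_response(SP_INITIATED, {"_req123"}))
    print(check_saml_response(UNSOLICITED, set()))
    print(check_saml_response(UNSOLICITED, set(), allow_idp_initiated=True,
                              relay_state="https://app.example.com/home"))
    print(check_saml_response(UNSOLICITED, set(), allow_idp_initiated=True,
                              relay_state="https://evil.example.net/"))
```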