[Satosa-dev] Unsolicited SSO

Matthew X. Economou xenophon at irtnog.org
Thu Apr 19 12:53:07 UTC 2018


Hey everyone,

I am writing a SATOSA front end that implements SAML 2.0 IdP-initiated
(unsolicited) SSO.  Currently, I plan to generate a SAML AuthnRequest
using a request variable (`providerID`) that names the service provider.
Eventually, I'd like to implement the same interface as Shibboleth
(request variables `shire`, `target`, and `time`) because I'm just not
that creative.

I have some (well, a lot of) questions:

  - How do I get a list of SAMLFrontend endpoints?

  - There could be more than one SAMLFrontend configured.  How would I
know which one to use?

  - I don't want to rely on JavaScript or the user to submit a form.
Can I send the AuthnRequest to the selected SAMLFrontend's HTTP-Redirect
endpoint via satosa.response.Redirect?

  - Is it OK to omit the RelayState?

  - In the SAML AuthnRequest, can I specify
AssertionConsumerServiceIndex="0"?

  - If not, how do I look up the SP's AssertionConsumerServiceURL?

  - In the SAML AuthnRequest, can I omit the Destination?

  - If not, which endpoint should I set Destination to---HTTP-Redirect
or HTTP-POST?

  - If I construct the redirect URL manually, do I base64-encode the
AuthnRequest using Python's base64.urlsafe_b64encode()?

  - Should I use the urllib or requests library to construct the URL
instead?

Thanks in advance!  :)

Best wishes,
Matthew

-- 
"The lyf so short, the craft so longe to lerne."
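As an added example (not Matthew's code and not SATOSA's own), here is the encoding the SAML 2.0 HTTP-Redirect binding specifies for the SAMLRequest parameter that several of the questions above touch on: the AuthnRequest is DEFLATE-compressed, standard-base64-encoded, and only then URL-encoded into the query string, with RelayState optional. The endpoint URL, entity IDs and request ID below are constructed placeholders, and request signing (SigAlg/Signature query parameters) is not shown.

```python
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest (placeholder entity IDs, not a real deployment).
# Destination names the IdP's HTTP-Redirect endpoint because that is the endpoint
# the URL built below is sent to; receivers compare the two when the request is signed.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2018-04-19T12:53:07Z" '
    'Destination="https://idp.example.org/sso/redirect" '
    'AssertionConsumerServiceIndex="0">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_base64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) followed by standard base64.
    The standard alphabet is used, not urlsafe_b64encode: the receiving
    endpoint base64-decodes the value after URL-decoding the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def build_redirect_url(endpoint: str, authn_request: str,
                       relay_state: Optional[str] = None) -> str:
    """Build the HTTP-Redirect URL; urlencode() percent-encodes the '+', '/'
    and '=' characters of the base64 so they survive the query string."""
    params = {"SAMLRequest": deflate_base64(authn_request)}
    if relay_state is not None:  # RelayState is optional in the binding
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def decode_redirect_url(url: str) -> Tuple[str, Optional[str]]:
    """What the receiving endpoint does: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    relay = query.get("RelayState", [None])[0]
    return xml, relay
```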
