I've been tasked with writing an SP (Service Provider) for SAML v2.0 in ASP.NET, and I wonder the following:

If a user logs in on the main SP for a service (where my SP becomes accessible for a user as an anchor/link, unless previously bookmarked), and then requests access to my SP, how should I handle their login?

They will have logged in and become authorized by the IdP on the main SP, but how will that SP tell my SP that the user is logged in? Will I have to send a new authorization request to the IdP to determine whether the user is logged in or should it be passed on as post data/redirect with a query string from the SP?

I've read the technical overview as well as the basics, but they don't cover this part.

I will contact the main SP and ask how to proceed, but I wanted to cover my bases first and see if there's a standard way to deal with this situation.

+1  A: 

The easiest thing to do is to have the "main SP" construct the link so that IDP-Init SSO is initiated for users to log into your application. So the user would show up with a new Assertion from the IDP (customer) to your SP.

You could also have them directly link to your site to invoke SP-Init SSO for the given Identity Provider/Customer.

Either way you choose to do this will require you to handle multiple use cases and options for SAML 2.0. You can have this up and running in short order if you want to check out the SaaS Partner Program offered by Ping Identity. www.pingidentity.com

Let me know if you'd like more info on what we've seen other

Ian
I think we'll have to go with your second option. Thank you for the clarification, and the offer!
Zolomon
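The second option in Ian's answer (SP-initiated SSO) in working form, as an added example that is not part of the question or the answer: when a user follows a deep link into the second SP without a session, the SP redirects them to the IdP with an AuthnRequest over the HTTP-Redirect binding and carries the originally requested path in RelayState, so the user comes back with a fresh assertion from the IdP rather than a "logged in" flag passed along by the main SP. The real project is ASP.NET; Python with only the standard library is used here to show the wire format. The entity IDs and URLs are constructed placeholders, and the helper names (`start_sp_initiated_sso`, `safe_relay_state`, `decode_redirect`) are this example's own. Signature validation of the returned Response is out of scope here and is where the trust in the IdP actually rests.

```python
"""Added example (not from the page): SP-initiated SAML 2.0 SSO for a
deep link, HTTP-Redirect binding, standard library only.

Entity IDs, URLs and helper names below are constructed for illustration.
"""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SP_ENTITY_ID = "https://sp.example.test/metadata"      # constructed
SP_ACS_URL = "https://sp.example.test/saml/acs"        # constructed
IDP_SSO_URL = "https://idp.example.test/sso/redirect"  # constructed

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def safe_relay_state(target: str) -> str:
    """Allow only a local absolute path as the post-login target.

    RelayState comes back from the IdP unsigned and is used for the final
    redirect, so an unchecked value is an open-redirect sink. Anything that
    is not a plain local path falls back to the SP root.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\\" in target:
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return target


def new_request_id() -> str:
    # SAML IDs are xs:ID values and must not start with a digit, hence the prefix.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: str) -> bytes:
    """Build a minimal <samlp:AuthnRequest> asking the IdP to authenticate
    the user and POST the Response to this SP's ACS endpoint."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    return ET.tostring(req, encoding="utf-8")


def start_sp_initiated_sso(requested_path: str, now=None):
    """Return (redirect_url, request_id) for a user who hit `requested_path`
    without a session. The SP must remember `request_id` server-side so the
    Response's InResponseTo can be matched and replays rejected."""
    now = now or datetime.now(timezone.utc)
    request_id = new_request_id()
    xml = build_authn_request(request_id, now.strftime("%Y-%m-%dT%H:%M:%SZ"))
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml) + compressor.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": safe_relay_state(requested_path),
    }
    return f"{IDP_SSO_URL}?{urlencode(params)}", request_id


def decode_redirect(url: str):
    """Inverse of the encoding above (what the IdP side does); included so
    the round trip can be checked without a live IdP."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return root, qs.get("RelayState", [""])[0]


if __name__ == "__main__":
    url, rid = start_sp_initiated_sso("/reports/42?tab=summary")
    print("pending request:", rid)
    print("redirect user to:", url)
```

In the ASP.NET SP the equivalent lives in the unauthenticated-request handler: store the pending request ID, redirect to the IdP, and on the ACS endpoint verify the Response signature and InResponseTo before honouring RelayState.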