Enhanced User Experience SP-Initiated SSO
  • 23 Feb 2024


Cross-origin resource sharing (CORS) is an enhanced user experience option for clients during their SSO implementation. Provided the IdP is accessible, with CORS:

  • The end user does not have to make any decision or take any action to choose the appropriate login page.

  • The Infinite BrassRing Platform automatically displays the correct login page for that specific user.

Technical Description


To direct the user to the corresponding authentication service:

  1. A CORS preflight request is sent to the IdP login page.

  2. If the IdP is:

    1. Reachable (i.e., the server returns an Access-Control-Allow-Origin header containing the host name of the Infinite BrassRing Platform login page), the user is redirected to the IdP for authentication.

    2. Not reachable (i.e., HTTP 404), the user is redirected to the Infinite BrassRing Platform login page. In addition, when the IdP cannot be reached, the Infinite BrassRing Platform login page displays a link to the IdP login page, so users who need to authenticate via the IdP can still reach it.

In this configuration, the client:

  • Has one IdP.

  • Has a private target IdP resource.

  • Permits all licensed Infinite BrassRing Platform users in its IdP to access the Infinite BrassRing Platform via SSO.

  • Needs to implement cross-origin XHR (CORS) on its servers.

Note that:

  • Only HTML5 browsers can use this functionality.

  • Non-HTML5 browsers redirect the user to the Infinite BrassRing Platform login page, which offers a link to the IdP.

Below is a diagram of enhanced user experience SP-initiated SSO.

[Figure: SP-initiated SSO]

Workflow


As shown in the diagram, the SP-initiated SSO process is as follows:

  1. The user requests access to a protected Infinite BrassRing Platform resource. The user is not logged on to the Infinite BrassRing Platform site. The request is redirected to the federation server to handle authentication.

  2. The browser initiates a CORS Preflight Request to the IdP. Refer to the CORS section of this document for more information.

  3. If the IdP login page is not reachable (i.e., HTTP 404 is returned) then the user is redirected to the Infinite BrassRing Platform login page for authentication.

  4. If the IdP login page is reachable (i.e., the server returns an Access-Control-Allow-Origin header containing the host name of the Infinite BrassRing Platform login page), then the federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP's SSO service.

  5. If the user is not already logged on to the IdP site or if re-authentication is required, then the IdP asks for credentials (e.g. username and password) and the user logs on.

  6. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the Infinite BrassRing Platform federation server.

  7. (Not shown) If a valid assertion is received, then a session is established on the Infinite BrassRing Platform and the browser is redirected to the target resource.
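The reachability check from the configuration notes above and the browser-side decision in steps 2 to 4 of this workflow, modeled as an added example (this is not code from the original article or from the Infinite BrassRing Platform). It shows three parts: the IdP-side preflight handler that echoes only an allowlisted SP origin in Access-Control-Allow-Origin, a browser-like fetch that enforces the CORS origin check the way a browser does, and the SP login page script that sends the user to the IdP when the probe succeeds and otherwise stays on the SP login page with a link to the IdP. The host names, the x-sso-probe request header and all function names are assumptions.

```javascript
// Added example, not code from the original article or from the Infinite
// BrassRing Platform: a small model of the CORS-preflight reachability check
// and the IdP-side preflight handler it depends on. All URLs and origins are
// hypothetical placeholders.

const SP_ORIGIN = 'https://sp-login.example.test';          // hypothetical SP login page origin
const SP_LOGIN_URL = SP_ORIGIN + '/login';
const IDP_LOGIN_URL = 'https://idp.example.test/sso/login';  // hypothetical IdP login page

// --- IdP side: answer the CORS preflight -----------------------------------
// The IdP must reply to OPTIONS with an Access-Control-Allow-Origin header
// naming the SP login page origin. Only allowlisted origins are echoed back;
// a wildcard would not name the SP host and would let any site read the
// response, so it is never used here.
function handlePreflight(req, allowedOrigins) {
  const origin = req.headers.origin;
  if (req.method !== 'OPTIONS' || !origin) {
    return { status: 404, headers: {} };
  }
  if (!allowedOrigins.includes(origin)) {
    // Unknown origin: no CORS headers at all, so the browser refuses the read.
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'access-control-allow-origin': origin,
      'access-control-allow-methods': 'GET',
      'access-control-allow-headers': 'x-sso-probe',
      'access-control-max-age': '600',
      'vary': 'Origin',
    },
  };
}

// --- Browser model: enforce CORS the way a browser does ---------------------
// A custom request header forces a preflight. If the preflight fails, or its
// Access-Control-Allow-Origin does not match the page origin, the browser
// surfaces a TypeError and never shows the script the real response.
function makeBrowserFetch(pageOrigin, idpServer) {
  return async function fetchImpl(url, init) {
    if (!idpServer) throw new TypeError('Failed to fetch'); // IdP host is down
    const preflight = idpServer({
      method: 'OPTIONS',
      url,
      headers: {
        origin: pageOrigin,
        'access-control-request-method': init.method,
        'access-control-request-headers': Object.keys(init.headers).join(','),
      },
    });
    const acao = preflight.headers['access-control-allow-origin'];
    if (preflight.status >= 400 || acao !== pageOrigin) {
      throw new TypeError('Failed to fetch');
    }
    return { ok: true, status: 200 }; // preflight passed; the actual GET is modeled as success
  };
}

// --- SP side: script running on the SP login page ---------------------------
// Decides where to send the user and whether the SP login page should still
// show a manual link to the IdP.
async function chooseLoginTarget(fetchImpl) {
  if (typeof fetchImpl !== 'function') {
    // Non-HTML5 browser: no CORS-capable fetch/XHR, so use the SP login page.
    return { target: SP_LOGIN_URL, reason: 'no-cors-support', showIdpLink: true };
  }
  try {
    const res = await fetchImpl(IDP_LOGIN_URL, {
      method: 'GET',
      mode: 'cors',
      headers: { 'x-sso-probe': '1' }, // hypothetical header; forces a preflight
    });
    if (res.ok) {
      return { target: IDP_LOGIN_URL, reason: 'idp-reachable', showIdpLink: false };
    }
    return { target: SP_LOGIN_URL, reason: 'idp-status-' + res.status, showIdpLink: true };
  } catch (err) {
    // The article's "not reachable" case: the probe never produced a usable answer.
    return { target: SP_LOGIN_URL, reason: 'idp-unreachable', showIdpLink: true };
  }
}

// Build one fetch per scenario the article describes.
function scenarios() {
  const goodIdp = (req) => handlePreflight(req, [SP_ORIGIN]);
  const strictIdp = (req) => handlePreflight(req, ['https://other.example.test']);
  return {
    reachable: makeBrowserFetch(SP_ORIGIN, goodIdp),
    wrongOrigin: makeBrowserFetch(SP_ORIGIN, strictIdp),
    idpDown: makeBrowserFetch(SP_ORIGIN, null),
    legacyBrowser: undefined,
  };
}

async function demo() {
  for (const [name, f] of Object.entries(scenarios())) {
    console.log(name, await chooseLoginTarget(f));
  }
}
demo();
```

In a real browser the page script cannot read Access-Control-Allow-Origin directly; a failed origin match surfaces only as a rejected fetch, which is why the decision keys on the promise outcome rather than on the header value. Keep the allowlist on the IdP explicit: the check in step 4 requires the SP host name in the header, and a wildcard would neither satisfy it nor limit which sites can read the probe response.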