Single Sign On (SSO) Setup
Basic Single Sign On Setup
In order to get Single Sign On (SSO) configured with CaliberMind, we will need a few things from you and you will need a few things from us.
First, you'll need to provide us with the Service Provider (SP) SAML federation configuration in XML format. This metadata should contain, at a minimum:
- SSO/SLO endpoints: the endpoints that consume IdP assertion requests
- IdP-initiated logout URL: the URL used for IdP-initiated logout from your application
- IdP signing certificate: may be provided separately
Once we have this data, we will configure the SSO connection and provide you with an endpoint which will point to an XML file containing:
- SP Entity Id/Provider Id
- SP Certificate
- Assertion Consumer Service URL
- Name Id Format
IdP-Initiated SSO flow (Advanced)
For IdP-Initiated Single Sign-On, we will provide you with a callback URL. This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider. The connection corresponding to the identity provider is specified in the querystring. The endpoint takes two inputs:
- The name of the identity provider connection configured for you (provided by CaliberMind), passed in the querystring.
- An IdP-Initiated Sign On SAMLResponse.
Risks of using an IdP-Initiated SSO flow
IdP-Initiated flows carry a security risk and are therefore NOT recommended. Make sure you understand the risks before enabling IdP-Initiated SSO.
In an IdP-initiated flow, neither Auth0 (which receives the unsolicited response from the Identity Provider) nor the application (which receives the unsolicited response generated by Auth0) can verify that the user actually started the flow. Because of this, enabling this flow opens the possibility of a Login CSRF attack, in which an attacker tricks a legitimate user into unknowingly logging into the application with the attacker's identity.
The recommendation is to use SP-Initiated flows whenever possible.
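To make the difference between the two flows concrete, here is an added illustration (not CaliberMind's or Auth0's code) of the check an SP can only perform in an SP-initiated flow: binding the incoming Response to an AuthnRequest the SP itself issued via the InResponseTo attribute. The ACS URL and the sample Response documents are constructed placeholders, and signature verification is assumed to have already happened before this check runs.

```python
"""Minimal SP-side acceptance check for a SAML 2.0 Response.

An SP-initiated Response carries InResponseTo, which the SP can match
against the AuthnRequest IDs it issued for the current user session.
An unsolicited (IdP-initiated) Response has no such binding, which is
why the SP cannot tell whether the user started the flow.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production code

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_URL = "https://sp.example.test/saml/acs"  # placeholder ACS URL

# Constructed sample Responses (only the attributes this check inspects).
SP_INITIATED = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}" '
    'InResponseTo="_req42"/>'
)
UNSOLICITED = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}"/>'
)


def check_response(xml_text, pending_request_ids, acs_url,
                   allow_unsolicited=False):
    """Return (accepted, reason). pending_request_ids is the set of
    AuthnRequest IDs this SP issued and has not yet seen answered."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, "Destination does not match our ACS URL"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated: nothing ties this Response to a user-started flow.
        if allow_unsolicited:
            return True, "unsolicited response accepted (no session binding)"
        return False, "unsolicited response rejected"
    if in_response_to not in pending_request_ids:
        return False, "InResponseTo does not match a request we issued"
    pending_request_ids.discard(in_response_to)  # each request answered once
    return True, "response bound to our AuthnRequest"


if __name__ == "__main__":
    print(check_response(SP_INITIATED, {"_req42"}, ACS_URL))
    print(check_response(UNSOLICITED, set(), ACS_URL))
    print(check_response(UNSOLICITED, set(), ACS_URL, allow_unsolicited=True))
```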