IdP-Initiated SSO

Identity Provider initiated Single Sign-On where the IdP sends an unsolicited SAML Response to the SP without a preceding AuthnRequest (saml-profiles §4.1.5). The user starts at the IdP portal and selects an application to access. This flow has inherently weaker security properties than SP-initiated SSO because the SP cannot correlate the response to an original request, making replay and CSRF attacks harder to detect.

Try in Looking Glass
XML-BasedSSO

Sequence Diagram

Click any step for details

UserIdPSP1User Selects Application at IdP2IdP Creates Unsolicited Response3POST Response to SP4SP Validates Unsolicited Response5Session Created and Access Granted
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
User Selects Application at IdP
UserIdentity Provider
2
IdP Creates Unsolicited Response
Identity ProviderIdentity Provider
3
POST Response to SP
Identity ProviderService Provider
4
SP Validates Unsolicited Response
Service ProviderService Provider
5
Session Created and Access Granted
Service ProviderUser

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.