IdP-Initiated SSO
Identity Provider initiated Single Sign-On where the IdP sends an unsolicited SAML Response to the SP without a preceding AuthnRequest (saml-profiles §4.1.5). The user starts at the IdP portal and selects an application to access. This flow has inherently weaker security properties than SP-initiated SSO because the SP cannot correlate the response to an original request, making replay and CSRF attacks harder to detect.
IdP-Initiated SSO
Identity Provider initiated Single Sign-On where the IdP sends an unsolicited SAML Response to the SP without a preceding AuthnRequest (saml-profiles §4.1.5). The user starts at the IdP portal and selects an application to access. This flow has inherently weaker security properties than SP-initiated SSO because the SP cannot correlate the response to an original request, making replay and CSRF attacks harder to detect.
Sequence Diagram
Click any step for details
Step-by-Step Breakdown
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.