I need to implement SSO functionality on one of our sites that has a pre-existing authentication method. I have set up the site as a new service provider with our corporate IdP.
The corporate IdP is already in use by other subsystems. Certificates are in place, and we have configured POST Binding on both sides.
Not all users that log on to said new service provider are known to the IdP, so I need to build a kind of hybrid solution. I have a simple ASP.NET form with a username and password input, and a login button. The code-behind on the button at the moment just calls
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
My goal is to have only one login form. The logic I'm trying to implement is as follows:
1. User enters credentials in the ASP.NET form (username + password)
2. Entered credentials are checked against the IdP
3a. If the IdP says the credentials are valid, redirect the user to the desired site
3b. If the IdP says the credentials are invalid, check them against our existing authentication method and act accordingly
So the identification is always initiated by the Service Provider.
Now I don't fully understand SAML yet since I'm new to this topic, so I have a couple of questions.
- Is this even possible, or does it break the SAML spec in some way?
- Where does InitiateSSO get the username to send to the IdP from?
- Can I send username and password within the SAML request for authentication?
Thanks in advance.
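As an added example (not from the original post and not ComponentSpace's own API), the standard SP-initiated flow that fits the one-login-form goal: the username typed into the form decides the realm, users of the corporate IdP get a SAML 2.0 AuthnRequest in HTTP-POST binding (with an optional NameID hint, but never the password), and only users unknown to the IdP are checked by the site's own method. Entity IDs, URLs, the `local_check` callback and the `idp_domains` set are assumed placeholders.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def is_idp_user(username, idp_domains):
    """Home-realm discovery (assumed rule): corporate e-mail domains go to the IdP, the rest stay local."""
    return username.rpartition("@")[2].lower() in idp_domains

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, username=None, request_id=None):
    """SAML 2.0 AuthnRequest for HTTP-POST. The optional Subject/NameID is only a hint
    of who is expected; the IdP collects the password itself, so none goes in here."""
    req_id = request_id or "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "Destination": idp_sso_url,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": POST_BINDING, "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    if username:
        subject = ET.SubElement(root, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID",
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = username
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", AllowCreate="false")
    return req_id, ET.tostring(root, encoding="unicode")

def post_binding_fields(xml_text, relay_state):
    """HTTP-POST binding: plain base64 (no deflate, unlike HTTP-Redirect) in hidden form fields."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode()).decode(), "RelayState": relay_state}

def parse_authn_request(saml_request_field):
    """The IdP's view: decode the form field and extract the values it acts on."""
    root = ET.fromstring(base64.b64decode(saml_request_field))
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {"id": root.get("ID"), "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "acs": root.get("AssertionConsumerServiceURL"),
            "subject_hint": name_id.text if name_id is not None else None}

def handle_login(username, password, idp_domains, local_check, sp, acs_url, idp_sso_url, return_url):
    """One form, two realms. Keep req_id in the session and require it to match the
    InResponseTo of the IdP's Response before accepting the assertion."""
    if is_idp_user(username, idp_domains):
        req_id, xml = build_authn_request(sp, acs_url, idp_sso_url, username)
        return "idp", req_id, post_binding_fields(xml, return_url)
    return ("local", None, None) if local_check(username, password) else ("denied", None, None)
```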