- 08 Jul 2024
- 1 Minute to read
- Print
- DarkLight
IDP Initiated vs SP Initiated SSO with RapidIdentity
- Updated on 08 Jul 2024
- 1 Minute to read
- Print
- DarkLight
Within SAML, there are two main types of login flows: those initiated by identity providers (like RapidIdentity) and those initiated with service providers (such as google, canvas, etc)
Identity Provider (IdP): the system that maintains user identities and issues SAML responses on behalf of the customer. For our purposes RapidIdentity is the IdP. Please note that some vendors will refer to this as an unsolicited SSO.
Service Provider (SP): the app or website that users attempt to log into. In SAML, they receive both user identities and control user access to resources from the Identity Provider via a SAML assertion. In our examples this will be applications such as google, canvas, HMH, etc.)
The phrases SP-Initiated SSO or IdP-Initiated SSO refers to where the authentication process begins
SP-Initiated - The authentication process will start with the service provider which will create the SAML request then redirect to the identity provider for authentication. The majority of applications configured within RapidIdentity are SP-Initiated. This means that the application icon in RapidIdentity will be similar to https://mail.google.com. The application will open up the application and then direct back to the IdP (RapidIdentity) for the authentication process. Additionally with this type of authentication the user can also go direct to https://mail.google.com and will be directed back to RapidIdentity for authentication.
IdP-Initiated - The authentication process will start with the identity provider which will create the SAML assertion and sends it to the service provider. When this type of authentication is used the application in RapidIdentity will be similar to https://district.us001-rapididentity.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://mail.google.com. When using IdP-Initiated the providerid will be set to the entityID that is in the metadata of the application in Configuration -> Security -> Identity Providers -> Federation Partners. When using this type of authentication the end user will only be able to use SSO when launching the application within RapidIdentity. If the user directly accesses the application at https://mail.google.com it will not direct back to RapidIdentity for authentication.