IdP-initiated SSO clarification

I am trying to set up an IdP-initiated SSO connection in Auth0 using the OpenID Connect response protocol with the default redirect_uri. I understand that the redirect_uri, if empty, would use the first allowed callback in my application.

After the SAML assertion is processed by Auth0, it seems Auth0 will talk to the application associated with this SSO connection. In OpenID Connect, it is always the application that talks to Auth0 to request the authorization code in a web application use case. I wonder whether Auth0 would send the authorization code to the callback after the SAML assertion is verified.

In this case, even if the application hasn't initiated an OpenID Connect flow, does my application receive the code at the callback?


Your interpretation is correct in that, if you indeed choose to handle SAML IdP-initiated login with a response protocol of OIDC, then the application will receive a response, which can indeed be an authorization code depending on the response type.

However, as you also hinted at, the normal flow in OIDC would be for the application to start the transaction, as that allows the client application to take additional security measures, for example using the state to mitigate against CSRF. My personal recommendation, if at all possible, would be to try not to make use of a flow going from SAML IdP-initiated to OIDC.

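The point in the reply above, that the state check only works when the application started the transaction, is easiest to see in the callback handler itself. The following is an added example written for this page, not Auth0's code or an Auth0 SDK: a minimal relying-party side of the authorization code flow that mints a state, binds it to the browser session, and refuses any response at redirect_uri that does not match a pending request. The tenant URL, client ID and redirect URI are placeholder values assumed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values, assumed for the example only.
AUTHORIZE_ENDPOINT = "https://example-tenant.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(session: dict) -> str:
    """Application-initiated OIDC code flow: mint a fresh, unguessable
    state, bind it to this browser session, and send it on the request."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate a response delivered to redirect_uri.

    Returns {"ok": True, "code": ...} only when the response is bound to a
    request this application actually started in this session."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]

    # Consume the pending state whatever the outcome: it is single use, so a
    # replayed callback cannot succeed a second time.
    expected = session.pop("oidc_state", None)

    if code is None:
        return {"ok": False, "reason": "no authorization code in response"}
    if expected is None:
        # Nothing pending in this session. This is what an IdP-initiated
        # (SAML -> OIDC) delivery looks like from the application's side, and
        # also what a login-CSRF attempt to plant an attacker's session looks
        # like; the handler cannot tell them apart, so it rejects both.
        return {"ok": False, "reason": "unsolicited response: no pending request"}
    if state is None or not hmac.compare_digest(state, expected):
        return {"ok": False, "reason": "state mismatch"}
    return {"ok": True, "code": code}
```

A real application would go on to redeem the code at the token endpoint and check the ID token's nonce in the same spirit; the piece shown here is the one the reply is about, and it is the piece that has nothing to check against when the IdP starts the flow.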
