Part of our site, say https://www.example.com/files, is protected by mod_auth_mellon, which provides an SP that authenticates with our IdP. This works fine.

The rest of the site is Drupal with the simplesamlphp_auth module. That module creates another SP that authenticates with the same IdP. This also works fine.

The problem is that the login isn't shared between these two SPs. You have to log in separately to each one, even though the user is authenticating to the same IdP. Obviously that's not desirable. When I log into one, I want the other to detect and use the SAML session data to log me in too.

Is that a reasonable thing to expect? I was thinking that two different SPs on the same host would share session information automatically, but now I think that's not how it works. Each SP stores session information in cookies in the user agent. The cookies have different names, but more importantly they refer to sessions from the different SPs. So they can't be shared.

This thread has some discussion of the problem. Based on that, what I think is needed is for the IdP to recognize the state information it saved in the user agent, and not ask the user to log in again. Is that right? How can I frame this problem for the IdP admins?

Andrew Schulman

1 Answer

As SSO is usually part of a SAML setup, I'd suggest checking the IdP. It's the IdP's job to check whether the client has already signed in and report the same session to another SP.

It might help to know what IdP and what SAML profile you are dealing with; my experience is kind of limited to the WebSSO profile and Shibboleth as IdP and SP.

Ok, so I'll try to elaborate a little on the WebSSO profile:

  1. User visits SP
  2. User is directed to the SP's initiator page (e.g. /Shibboleth.sso/Login)
  3. User uses Discovery Service (DS) to pick the desired IdP or was directed to the Login initiator page with a fitting parameter
  4. User is redirected to the IdP for authentication with the SAML Authentication Request
  5. The IdP uses cookies to check if the user has a session if using the Username/Password flow.
  6. The IdP redirects the user back to the SP with a SAML response
  7. The SP verifies the SAML response and initiates its own session handling.

Find the Shibboleth docs elaborating on this here.

fuero
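As an added illustration (not part of fuero's answer, nor code from mod_auth_mellon, simplesamlphp_auth or Shibboleth), here is a small Python model of the WebSSO steps above with two SPs and one IdP. It shows that SSO across SPs hinges on step 5, the IdP recognising its own session cookie; entity IDs and cookie names are made-up placeholders.

```python
# Added example: minimal model of SP-initiated SAML WebSSO with two SPs
# sharing one IdP. Names are placeholders, not real product cookie names.
import secrets
from dataclasses import dataclass, field


@dataclass
class UserAgent:
    cookies: dict = field(default_factory=dict)   # cookie name -> value
    logins_prompted: int = 0                      # username/password prompts


@dataclass
class IdP:
    checks_cookie: bool = True     # step 5: does the IdP look for its session?
    cookie_name: str = "idp_session"
    sessions: dict = field(default_factory=dict)  # idp session id -> user

    def handle_authn_request(self, ua, sp_entity_id, user):
        sid = ua.cookies.get(self.cookie_name) if self.checks_cookie else None
        if sid not in self.sessions:              # no IdP session: prompt
            ua.logins_prompted += 1
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            ua.cookies[self.cookie_name] = sid    # IdP's own cookie
        # step 6: SAML response scoped to the requesting SP
        return {"audience": sp_entity_id, "subject": self.sessions[sid]}


@dataclass
class SP:
    entity_id: str
    cookie_name: str
    sessions: dict = field(default_factory=dict)  # sp session id -> user

    def login(self, ua, idp, user):
        # steps 1-4: no SP session yet, so send an AuthnRequest to the IdP
        if ua.cookies.get(self.cookie_name) in self.sessions:
            return self.sessions[ua.cookies[self.cookie_name]]
        resp = idp.handle_authn_request(ua, self.entity_id, user)
        assert resp["audience"] == self.entity_id  # step 7: verify response
        sid = secrets.token_hex(8)
        self.sessions[sid] = resp["subject"]
        ua.cookies[self.cookie_name] = sid        # separate per-SP cookie
        return resp["subject"]


def sso_walkthrough(user="alice", idp_checks_cookie=True):
    """Log into two SPs in one browser; return (prompt count, cookie names)."""
    ua, idp = UserAgent(), IdP(checks_cookie=idp_checks_cookie)
    SP("https://www.example.com/files", "sp_files_session").login(ua, idp, user)
    SP("https://www.example.com/", "sp_drupal_session").login(ua, idp, user)
    return ua.logins_prompted, sorted(ua.cookies)
```

With the IdP honouring its cookie the user is prompted once for both SPs; with `idp_checks_cookie=False` each SP triggers a fresh prompt, which is the behaviour described in the question.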