Hi all,
Our SP application connects to an identity federation via Satosa. We have
two authentication flows, one which starts the authentication process using
SAML and one which starts the authentication flow using OIDC. The entire
process works well when using OIDC only, however, a requirement is that we
can start the same process via SAML.
After authentication (via SAML) is completed, the SP application tries to:
- Request a code
- Request an OIDC access token using the code
- Check the access token using the userinfo endpoint
The issue we are facing in the flow that starts the authentication via
SAML is that the user is presented with the WAYF page twice: the first
time during the SAML flow, and the second time when requesting an OIDC
code. I assumed that, because the user had just authenticated themselves,
Satosa would be able to return a code without asking the user to
authenticate again.
My questions are:
- Have I made a mistake in assuming this is a logical process to use for
authentication and authorisation? Is using SAML and OIDC in a mixed way a
bad idea?
- Is it possible to receive an OIDC code or access token as a result of a
SAML authentication flow?
- If not, is it possible to receive a code or access token without asking
the user to authenticate once again? I would imagine that setting Satosa to
'remember IdP' would forgo the second round of authentication when using
SAML. Are there other options for achieving this?
Thank you in advance.
Kind regards,
Jonathan Blok
Technical Project Officer / Software Developer
Netherlands Institute for Sound and Vision | Nederlands Instituut voor Beeld en Geluid
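The three steps the post lists after the SAML login (request a code, redeem it for an access token, check the token at userinfo) as an added, runnable walk-through. This is illustrative code written for this thread, not SATOSA's or the poster's SP code; the issuer URL, client id, redirect URI and endpoint paths are assumptions, and the HTTP layer is replaced by a constructed in-memory provider so the block runs offline. It also shows the checks a relying party should make along the way: the `state` value must match the one sent, the code is bound to a PKCE verifier and is single-use, and the token is only trusted once userinfo accepts it and returns a `sub`.

```python
"""Authorization-code flow: code -> access token -> userinfo.
Added example; not SATOSA code. Endpoints and the FakeProvider are constructed."""
import base64
import hashlib
import secrets
import urllib.parse

ISSUER = "https://proxy.example.org"              # assumed OP / proxy issuer URL
CLIENT_ID = "sp-app"                               # assumed client id
REDIRECT_URI = "https://sp.example.org/callback"   # assumed redirect URI


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _challenge(verifier: str) -> str:
    return _b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorization_request(prompt=None):
    """Step 1: the URL the SP redirects the browser to.
    Returns (url, state, verifier); state and verifier stay server-side."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state,
        "code_challenge": _challenge(verifier), "code_challenge_method": "S256",
    }
    if prompt:  # standard OIDC parameter; "none" asks the OP not to re-prompt the user
        params["prompt"] = prompt
    return ISSUER + "/authorization?" + urllib.parse.urlencode(params), state, verifier


def exchange_code(transport, callback_params, expected_state, verifier):
    """Step 2: verify the callback's state, then redeem the code at the token endpoint."""
    if callback_params.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in callback_params:
        raise ValueError("authorization error: " + callback_params["error"])
    status, body = transport("POST", ISSUER + "/token", {
        "grant_type": "authorization_code", "code": callback_params["code"],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "code_verifier": verifier,
    })
    if status != 200 or body.get("token_type", "").lower() != "bearer":
        raise ValueError("token endpoint refused the code")
    return body["access_token"]


def check_userinfo(transport, access_token):
    """Step 3: present the token at userinfo; only a 200 with a 'sub' counts as valid."""
    status, body = transport("GET", ISSUER + "/userinfo", {"access_token": access_token})
    if status != 200 or "sub" not in body:
        raise ValueError("access token not accepted by userinfo")
    return body


class FakeProvider:
    """Constructed stand-in for the OP: one code, bound to a PKCE challenge, single use."""
    def __init__(self, challenge):
        self.codes = {"code-1": challenge}
        self.tokens = {}

    def __call__(self, method, url, params):
        path = urllib.parse.urlparse(url).path
        if path == "/token":
            challenge = self.codes.pop(params.get("code"), None)  # pop => replay fails
            if challenge is None or _challenge(params["code_verifier"]) != challenge:
                return 400, {"error": "invalid_grant"}
            token = secrets.token_urlsafe(16)
            self.tokens[token] = {"sub": "user-123"}
            return 200, {"access_token": token, "token_type": "Bearer"}
        if path == "/userinfo":
            claims = self.tokens.get(params.get("access_token"))
            return (200, claims) if claims else (401, {})
        return 404, {}


def run_flow():
    """Drive all three steps against the fake provider; returns the userinfo claims
    and a flag telling whether a second redemption of the same code was rejected."""
    url, state, verifier = build_authorization_request()
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    provider = FakeProvider(query["code_challenge"][0])
    callback = {"code": "code-1", "state": state}   # what the browser brings back
    token = exchange_code(provider, callback, state, verifier)
    claims = check_userinfo(provider, token)
    try:
        exchange_code(provider, callback, state, verifier)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return claims, replay_rejected


if __name__ == "__main__":
    print(run_flow())
```

The `transport` callable is the only seam: swapping `FakeProvider` for a function that performs real HTTPS requests gives the same three-step logic against a live proxy, and the `state`, PKCE and single-use checks are exactly the ones worth keeping in that case.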