Issue
We're using SAML 2.0 for SSO, and want to improve the UX by allowing a user to enter their email only once (to identify they need SSO). Is it possible to pre-fill the SAML SSO email field when authenticating with Google's SAML IDP?
I know that the AuthnRequest has an optional Subject field that can pass the principal information to the IdP, but so far I haven't managed to have Google's SSO form pre-populate. Either it's not supported from the IdP, or I'm sending the wrong configuration.
The existing configuration I've been trying to use looks like this:
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_cd...." Version="2.0" IssueInstant="2019-01-01T00:00:00Z" Destination="https://accounts.google.com/o/saml2/idp?idpid=...">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">(issuer_name)</saml:Issuer>
<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">me@example.com</NameID>
</Subject>
</AuthnRequest>
I would expect the Google SSO form to autopopulate me@example.com, but nothing happens.
Solution
The Subject element is optional in an authentication request and even when included, it's ignored by most IdPs. Since authentication request can be sent to the identity provider by an anonymous party, performing a UX action like you're thinking about would certainly lead to an easy phishing vector.
Answered By - identigral Answer Checked By - David Marino (PHPFixing Volunteer)
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.