Security Assertion Markup Language 2.0, more commonly known in the industry as SAML, is one of the most widely used protocols for single sign-on on the modern web. It allows an application like Teleport to communicate with an upstream identity provider like Okta or Google Workspace to securely obtain trusted information about users when they log in, removing the need for separate sign-ups and log-ins and for tying identities to people inside the application.
Today, SAML and other forms of SSO negotiation are the de facto standard for handling authentication within organizations. Currently, SAML maintains a lead in flexibility and feature support for enterprise usage. Notably, SAML supports a one-click login procedure known as IdP-initiated login that allows users to authenticate to a variety of apps in one place with a single click; in this article, we explore implementing this method of authentication as a relying party and discuss its effects on application security.
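To make concrete what a relying party has to check when it accepts an IdP-initiated login, here is an added example in Go; it is not code from the original article or from Teleport. It sketches the service-provider side of the flow: an unsolicited SAML Response arrives at the AssertionConsumerService endpoint with no InResponseTo (there was no AuthnRequest), so the SP can only bind it to itself through Destination, Issuer, Audience, the NotOnOrAfter window and a one-time-use cache of assertion IDs. The `RelyingParty` type, its field names and the sample response are hypothetical and constructed for the example, and XML signature verification is assumed to have been done by a signature library before this function runs.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// maxSkew is the clock drift tolerated between the IdP and this service provider.
const maxSkew = 2 * time.Minute

// samlResponse is the minimal view of a SAML 2.0 Response these checks need. Response and
// Assertion are pinned to their SAML namespaces; the inner elements match by local name.
type samlResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination  string   `xml:"Destination,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Assertion    struct {
		ID         string `xml:"ID,attr"`
		Issuer     string `xml:"Issuer"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audience     []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// RelyingParty is the service-provider side of one trusted IdP (a hypothetical type).
type RelyingParty struct {
	ACSURL   string               // our AssertionConsumerService URL, the only valid Destination
	EntityID string               // our entity ID, which the assertion must name as an Audience
	IdPID    string               // entity ID of the IdP whose unsolicited responses we accept
	seen     map[string]time.Time // consumed assertion IDs and when they may be forgotten
}

func NewRelyingParty(acs, entityID, idpID string) *RelyingParty {
	return &RelyingParty{ACSURL: acs, EntityID: entityID, IdPID: idpID, seen: map[string]time.Time{}}
}

// ConsumeUnsolicited validates an IdP-initiated Response and returns the asserted NameID.
// Assumption: the XML signature over the Assertion was already verified against the IdP's
// certificate by a signature library; only the semantic checks are shown here.
func (rp *RelyingParty) ConsumeUnsolicited(raw []byte, now time.Time) (string, error) {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	// A validly signed response delivered to some other endpoint is still rejected.
	if resp.Destination != rp.ACSURL {
		return "", fmt.Errorf("Destination %q is not our ACS", resp.Destination)
	}
	// Unsolicited responses carry no InResponseTo; one that does belongs to the SP-initiated
	// flow and must be matched to a pending AuthnRequest, which this handler cannot do.
	if resp.InResponseTo != "" {
		return "", errors.New("solicited response sent to the unsolicited handler")
	}
	a := &resp.Assertion
	if a.Issuer != rp.IdPID {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audience {
		audienceOK = audienceOK || aud == rp.EntityID
	}
	if !audienceOK {
		return "", fmt.Errorf("assertion not addressed to %q", rp.EntityID)
	}
	// A missing NotOnOrAfter fails to parse, so an unbounded lifetime is refused as well.
	end, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return "", fmt.Errorf("NotOnOrAfter: %w", err)
	}
	if !now.Add(-maxSkew).Before(end) {
		return "", errors.New("assertion expired")
	}
	if a.NameID == "" {
		return "", errors.New("assertion carries no NameID")
	}
	// With no request ID to bind the response to, the assertion ID is the only replay handle:
	// each is consumed once and remembered until it would have expired anyway.
	for id, exp := range rp.seen {
		if !now.Add(-maxSkew).Before(exp) {
			delete(rp.seen, id)
		}
	}
	if _, dup := rp.seen[a.ID]; dup || a.ID == "" {
		return "", fmt.Errorf("assertion ID %q missing or already consumed (replay)", a.ID)
	}
	rp.seen[a.ID] = end
	return a.NameID, nil
}

// sampleResponse is a constructed unsolicited Response; the ds:Signature element is omitted.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>`
```

Calling `NewRelyingParty("https://sp.example.com/saml/acs", "https://sp.example.com", "https://idp.example.com/metadata").ConsumeUnsolicited([]byte(sampleResponse), now)` with `now` inside the window returns `alice@example.com`; a second call with the same bytes is refused as a replay, and the same response addressed to a different ACS, a different audience, or presented after NotOnOrAfter is refused too. The cache of consumed assertion IDs is the part that has no counterpart in SP-initiated login, where the stored AuthnRequest ID already makes each response single-use.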
SAML is quite heavy on terminology to describe the respective parties in a flow and to explain various concepts. The rest of the article will use these terms: