SAML SP Advanced Configuration Topics

The topics covered here show how the SAML SP implementation can take advantage of the flow architecture of Airlock IAM.

Optimizing IDP roundtrips

The SAML 2.0 User Identifying Step may be configured with skip conditions to avoid unnecessary roundtrips to the remote IDP.

SP-initiated SSO on an existing session

  1. Create a Logical AND.
  2. Create a Has Tag plugin as the first parameter of the Logical AND and configure USER_IDENTIFIED as the required tag.
  3. Create a Logical NOT as the second parameter of the Logical AND and configure an IdP-Initiated SSO Flow On SP plugin in its Condition parameter.

This skips the SAML 2.0 User Identifying Step if the user has already been identified and the authentication was not started on the IDP.

Combined local login and SAML SSO

It is possible to allow the user to choose whether to authenticate through a local login or an IDP-initiated SSO.

Configuration using skip conditions

  1. Create a SAML 2.0 User Identifying Step.
  2. As its skip condition, create a Logical NOT and configure an IdP-Initiated SSO Flow On SP plugin in its Condition parameter.
  3. Create a Username Password Authentication step.
  4. As its skip condition, configure an IdP-Initiated SSO Flow On SP plugin.

More complex use cases can be implemented using the same conditions in selections and other flow mechanisms.
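The two skip-condition layouts above (the roundtrip optimization and the combined local login / SAML SSO flow), as an added illustration that is not Airlock IAM code: a hypothetical minimal flow model with the four condition plugins the page names reduced to predicates on the session, so the resulting step sequence can be checked for every combination of session state and flow origin.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Hypothetical minimal model of an Airlock IAM flow, written for this page
# (not Airlock IAM code): every step carries a skip condition that is
# evaluated against the session before the step runs.

@dataclass
class Session:
    tags: Set[str] = field(default_factory=set)   # e.g. {"USER_IDENTIFIED"}
    idp_initiated: bool = False                   # flow started on the IdP?

Condition = Callable[[Session], bool]

# Condition plugins named on the page, reduced to predicates on the session
def has_tag(tag: str) -> Condition:
    return lambda s: tag in s.tags

def idp_initiated_sso_flow_on_sp() -> Condition:
    return lambda s: s.idp_initiated

def logical_and(*conds: Condition) -> Condition:
    return lambda s: all(c(s) for c in conds)

def logical_not(cond: Condition) -> Condition:
    return lambda s: not cond(s)

@dataclass
class Step:
    name: str
    skip_if: Condition = lambda s: False

def run_flow(steps: List[Step], session: Session) -> List[str]:
    """Names of the steps that execute (are not skipped) for this session."""
    return [st.name for st in steps if not st.skip_if(session)]

# Optimizing IdP roundtrips: skip the SAML step only when the user is already
# identified AND the authentication was not started on the IdP
OPTIMIZED_FLOW = [Step("SAML 2.0 User Identifying Step", skip_if=logical_and(
    has_tag("USER_IDENTIFIED"), logical_not(idp_initiated_sso_flow_on_sp())))]

# Combined local login and SAML SSO: the two skip conditions are complementary,
# so exactly one of the two steps runs for any session
COMBINED_FLOW = [
    Step("SAML 2.0 User Identifying Step",
         skip_if=logical_not(idp_initiated_sso_flow_on_sp())),
    Step("Username Password Authentication",
         skip_if=idp_initiated_sso_flow_on_sp()),
]
```

Running `run_flow` over the four session states shows that an already identified session still processes the SAML step when the flow was started on the IdP, and that the combined flow never runs both or neither authentication step.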