[Sign In] IDP-initiated sign in #14
Description
The details of the flow vary depending on protocol (OIDC has an extra full redirect round trip while SAML is effectively just one x-site navigation). But typically a user with a currently authenticated session (which likely maybe was established via SSO itself) is presented with a portal-like page with links to applications they can access. Navigating to one of those applications kicks off the IDP initiated SSO flow that ultimately delivers a SSO token to the RP application and the user is, from their perspective anyway, signed in seamlessly. I don’t think IDP-init uses browser features any more or differently than the SP-init variants (1st party samesite none/lax cookies and various things that look like link decoration). But it doesn’t fit the WebID model (last I’ve seen of it anyway) where the UX assumes things start on an RP site.
Brian Campbell