The IBM Cloud team is excited to announce IDP-initiated login for IBM Cloud App ID. With IDP-initiated login, customers have the option to click a button on their IDP dashboard, which sends an assertion file to the service provider (App ID) and starts an authentication session.
This feature is convenient for IT teams that consolidate many applications that use the same SSO provider under one dashboard. When using IDP-initiated login, some built-in security mechanisms in the SAML protocol are ignored, so we do not get the same level of trust as with SP-initiated login. Sending an unsolicited assertion file opens the application to an injected assertion attack where the attacker can steal a SAML assertion file generated by the IDP and inject it into a service provider.
App ID is taking a different approach to IDP-initiated login: the service provider does not validate the unsolicited assertion file, but instead starts an SP-initiated login that is triggered by the IDP-initiated one. Because the user already has a valid session with their IDP, they don't have to log in again, and the browser redirects them back to their application with a valid access token.
Taking this approach allows customers to benefit from the convenience of an IDP-initiated login without exposing their applications to inherent risks.
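The following added example (not App ID's code) sketches the service-provider behaviour described above: an unsolicited response with no `InResponseTo` is never consumed as a login, it only triggers a fresh SP-initiated request, and only a response that correlates to a request the SP itself issued is accepted. The SAML fragments are constructed for illustration; a real SP also checks the signature, audience, timestamps and replay, which are omitted here.

```python
# Added example (not App ID's code): minimal SP logic that refuses to consume
# unsolicited (IdP-initiated) assertions and instead starts an SP-initiated flow,
# then accepts only responses correlated to a request it issued.
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # outstanding AuthnRequest IDs -> relay state (per user session)

    def start_sp_initiated_login(self, relay_state):
        """Issue a fresh AuthnRequest ID and remember it; this is the 'trigger' step."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = relay_state
        return {"action": "redirect_to_idp", "authn_request_id": req_id,
                "relay_state": relay_state}

    def handle_saml_response(self, xml_text, relay_state="/"):
        root = ET.fromstring(xml_text)
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited assertion: do not trust it, treat it only as a hint to log in.
            return self.start_sp_initiated_login(relay_state)
        if in_response_to not in self.pending:
            # Does not match any request we issued (injected or replayed): reject.
            return {"action": "reject", "reason": "unknown InResponseTo"}
        self.pending.pop(in_response_to)  # each request ID is consumed once
        name_id = root.find(".//saml:Subject/saml:NameID", NS).text
        return {"action": "login", "user": name_id}

def _response(in_response_to=None):
    """Constructed SAML Response fragment; unsigned and minimal for illustration."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"{attr}>'
            '<saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>')

def demo():
    sp = ServiceProvider()
    unsolicited = sp.handle_saml_response(_response())  # user clicked the IdP dashboard tile
    solicited = sp.handle_saml_response(_response(unsolicited["authn_request_id"]))
    unknown = sp.handle_saml_response(_response("_not_issued_by_this_sp"))
    return unsolicited["action"], solicited, unknown["action"]

if __name__ == "__main__":
    print(demo())  # ('redirect_to_idp', {'action': 'login', 'user': 'alice@example.com'}, 'reject')
```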
To get started with utilizing App ID’s IDP-initiated login functionality, visit our documentation.
Get started with IBM Cloud App ID