Chef Ideas

To be clear what this idea is trying to achieve (for those that don't know the terms)

SP = Service provider (in our case A2)

IdP = Identity provider (Okta, OneLogin, Ping, AzureAD, O365 etc)

SP initiated logon

• User visits the A2 logon screen

• A2 sees the user is not authenticated and redirects the browser to the IdP

• IdP authenticates the user and issues a signed security assertion containing userid, groups, email address etc

• IdP redirects the browser back to the A2 ACS (Assertion Consumer Service)

• The A2 ACS uses the assertion to apply the correct access rights for the user

IdP initiated logon

• User signs on directly to the IdP

• User selects A2 from the applications menu

• IdP issues a signed security assertion containing userid, groups, email address etc

• IdP redirects the browser back to the A2 ACS (Assertion Consumer Service)

• The A2 ACS uses the assertion to apply the correct access rights for the user

Currently for an IdP initiated logon, the process fails at the last step because A2 isn't expecting an incoming assertion for our user. To fix this I think we just need to create a session on the fly and then process the assertion in the normal way.

Sure, I am parking it for future consideration.

It doesn't matter which IdP I am using as the underlying issue exists for all IdP's AFAIK.

Hey Austin,

May I know which IdP are you trying with? List of currently supported IdPs is at https://docs.chef.io/automate/saml/#supported-identity-management-systems.