We are implementing an SSO solution with our customers. Due to its complex nature and time sensitivity, we employed a third-party security partner firm that can act as SP and redirect the request after authenticating the user. The third-party firm is now telling me they are going to send the SAML response to our application for further validation.

My question is: given that the SAML response is already validated at our third-party provider (who is acting as SP on our behalf), why do we (the application owner) have to validate the SAML assertion again?

I was expecting it to be a redirect from the third party with some token to validate, so that our application can skip the login validation part. But I wanted to talk to them with research facts and industry practice. Can anyone help? Please let me know if I am missing something here.


Solution

The usual practice when using such an intermediary SP for SSO to a (typically legacy) application is to:

  • process and validate the SAML Authentication Response and the Assertion at the SP
  • the SP then encodes a cookie on a common domain, or a token provided as a request parameter/HTTP header
  • the cookie/token is typically constructed using symmetric cryptography with a shared secret, e.g. an HMAC
  • the SP redirects the user to the application, which verifies the provided cookie or token and grants access

I don't think you're missing anything. Perhaps your provider just confused things and gave you the wrong information. It makes sense to include the SAML token itself in the response from the SP to your application (e.g. for audit purposes), but it makes no sense to expect your application to understand or validate the SAML message once that has already been done by the intermediary SP.
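As an added example (not part of the original answer), here is the shared-secret HMAC token flow the answer describes, in Python: the intermediary SP issues the token only after it has validated the SAML Response and Assertion, and the application verifies the HMAC, audience and expiry without touching SAML at all. The claim names, subject, audience and secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the SP and the application; in practice it is
# provisioned out of band and never hardcoded.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sp_issue_token(subject: str, audience: str, ttl_seconds: int = 300,
                   now: Optional[float] = None) -> str:
    """SP side: called after the SAML Assertion has been validated. Encodes the
    authenticated subject, target application and lifetime, then signs with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def app_verify_token(token: str, expected_audience: str,
                     now: Optional[float] = None) -> Optional[dict]:
    """Application side: verify the HMAC in constant time before parsing any claims, then
    check audience and expiry. Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != expected_audience or not claims.get("exp", 0) > now:
        return None
    return claims
```

The token would travel in the redirect as a request parameter, header or common-domain cookie, as the answer lists; with HTTPS and a short TTL the application never needs to parse SAML.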

Licensed under: CC-BY-SA with attribution