Question

I've looked through similar questions and read several articles on SAML 2.0 already, but I still can't make sense of SAML Auth Request.

I've implemented several SAML-based SSO solutions where my company is an IdP (identity provider). We've always been sending users from our website to third parties via SAML Response:

  1. User logs into our website.
  2. User clicks a special link on our website.
  3. We prepare SAML Response XML.
  4. We e-sign it with our private key.
  5. Send it back to our user's browser as a hidden field in HTML form, along with "RelayState" parameter.
  6. We auto-POST this form to the SP (service provider) URL.

That's it.

SAML 2.0 articles (for example, the Wikipedia overview article on SAML 2.0) suggest that we're missing a step: "SAML Auth Request". It seems that the SP needs to initiate the SSO by first sending a "SAML Auth Request" to the IdP (us), and then we're supposed to respond to it with a SAML Response.

How does the SP decide when to initiate the SSO? The SP doesn't even know we're going to send a user their way. The user is currently logged into OUR website, and it is up to the user when to click that link that would "magically" authenticate them on the SP website.

Thank you!

P. S. I understand SAML 2.0 is the "established industry standard", but the more I work with it - the more I feel like it is overkill. Because of its complexity there are a ton of different incompatible implementations (from my experience). Each time we're doing SSO with a new partner - it is a pain. Big companies are making a ton of money selling "out of the box" SAML solutions, which no one knows how to configure and troubleshoot properly, so people are almost forced to pay for expensive contractors to set it all up. Companies hope to be able to hire low-wage employees to support those overcomplicated SAML solutions. When setting up SSO with third parties I often deal with those people who have no clue what it is; they're just trained to click buttons and read the cryptic error messages to me over the phone. This is all due to SAML being over-engineered. But hey - there's a bright side: I get paid real good, because I understand SAML well enough to at least make it work. :)


Solution

You are using what is called an unsolicited response. It is specified in the specification, so you are not "missing a step". It is specified under 4.1.5 in the SAML profile spec.

The normal use case is that the user tries to log in to the SP and the SP redirects the user to IDP for authentication.

One implementation you could choose instead is that your portal simply redirects the user to the SP. If the SP detects that the user doesn't have a session, the SP starts normal SSO against the IdP.
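An added example, not code from the question or the answer, showing the SP-side check that tells an unsolicited (IdP-initiated, profile section 4.1.5) Response apart from one answering an AuthnRequest the SP actually issued. It assumes the XML signature on the Response has already been verified by a proper XML-DSig library; the sample messages, URLs and request ID are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def classify_response(xml_text, acs_url, known_idp, pending_request_ids):
    """Return 'unsolicited' or 'solicited', or raise ValueError if the Response
    must be rejected. pending_request_ids is the set of AuthnRequest IDs this SP
    issued and has not yet seen answered; an ID is consumed on use so the same
    Response cannot be replayed. Signature verification is assumed done already."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    # This SP requires Destination and checks it against its own ACS URL, so a
    # Response issued for some other SP cannot be replayed here.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination mismatch")
    if root.findtext(SAML + "Issuer") != known_idp:
        raise ValueError("unknown Issuer")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated flow: there is no AuthnRequest to correlate with, so the
        # SP decides by policy whether it accepts unsolicited responses at all.
        return "unsolicited"
    if in_response_to not in pending_request_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    pending_request_ids.discard(in_response_to)
    return "solicited"


# Constructed sample envelopes (no Assertion, no Signature; only the attributes
# relevant to request correlation are present).
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example/acs"')
BODY = '><saml:Issuer>https://idp.example</saml:Issuer></samlp:Response>'
UNSOLICITED = HEAD + BODY                             # IdP-initiated, no InResponseTo
SOLICITED = HEAD + ' InResponseTo="_req42"' + BODY    # answers AuthnRequest _req42

if __name__ == "__main__":
    pending = {"_req42"}
    for msg in (UNSOLICITED, SOLICITED):
        print(classify_response(msg, "https://sp.example/acs", "https://idp.example", pending))
```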

Licensed under: CC-BY-SA with attribution