165k views
3 votes
A security engineer is deploying an IdP to broker authentication between applications. These applications all utilize SAML 2.0 for authentication. Users log into the IdP with their credentials and are given a list of applications they may access. One of the application's authentications is not functional when a user initiates an authentication attempt from the IdP. The engineer modifies the configuration so users browse to the application first, which corrects the issue.

Which of the following BEST describes the root cause?

A. The application only supports SP-initiated authentication.
B. The IdP only supports SAML 1.0.
C. There is an SSL certificate mismatch between the IdP and the SaaS application.
D. The user is not provisioned correctly on the IdP.

by User MalTec (8.1k points)

1 Answer

3 votes

Final answer:

The root cause of the authentication issue is that the application only supports SP-initiated authentication, meaning the user must start the authentication process from the application side.

Step-by-step explanation:

The issue described in the question indicates that the application in question only supports SP-initiated authentication. This means the authentication process must be started from the Service Provider's (SP's) side, not the Identity Provider (IdP). Since modifying the configuration to have users browse to the application first corrected the issue, it confirms that the application expects the authentication request to originate from its side, which is characteristic of an SP-initiated SAML authentication flow.

The root cause of the issue is that the application only supports SP-initiated authentication. SAML 2.0 allows for both IdP-initiated and SP-initiated authentication. In this case, the application is expecting the authentication to be initiated from the Service Provider (SP) rather than the Identity Provider (IdP). When the engineer modified the configuration so that users browse to the application first, the authentication was successful because the application was able to handle the SP-initiated authentication.

by User Dennis Liu (7.1k points)
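To make the SP-initiated requirement concrete, here is an added example (not part of the question or answer above) of a minimal Service Provider that only accepts SAML Responses carrying an InResponseTo matching an AuthnRequest it issued itself, which is exactly why an IdP-initiated (unsolicited) Response fails against such an application. All entity IDs and URLs are constructed placeholders, and signature and assertion validation are omitted so the flow logic stays visible.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class ServiceProvider:
    """Minimal SP that accepts only SAML Responses it solicited itself."""

    def __init__(self, entity_id, acs_url):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self.pending = set()  # IDs of AuthnRequests issued and not yet answered

    def build_authn_request(self, idp_sso_url):
        """SP-initiated step 1: issue an AuthnRequest and remember its ID."""
        req_id = "_" + uuid.uuid4().hex
        self.pending.add(req_id)
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "Destination": idp_sso_url,
            "AssertionConsumerServiceURL": self.acs_url,
        })
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id
        return req_id, ET.tostring(root, encoding="unicode")

    def consume_response(self, response_xml):
        """Step 2: accept the Response only if InResponseTo matches a pending ID."""
        root = ET.fromstring(response_xml)
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            return False, "unsolicited (IdP-initiated) Response rejected"
        if in_response_to not in self.pending:
            return False, "InResponseTo matches no pending AuthnRequest"
        self.pending.discard(in_response_to)  # single use: a replay is rejected
        return True, "SP-initiated Response accepted"


def idp_response(acs_url, in_response_to=None):
    """Constructed stand-in for the IdP's Response (unsigned, for illustration).
    Omitting in_response_to mimics an IdP-initiated, unsolicited Response."""
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": acs_url}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = "https://idp.example.test"
    return ET.tostring(root, encoding="unicode")
```

Pointing the user at the application first makes it emit the AuthnRequest, so the IdP's Response arrives with a matching InResponseTo and is accepted; sending the user straight from the IdP yields a Response without one, which this SP rejects.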