SP Initiated SSO

The SP-Initiated SAML Login with LoginRadius offers secure authentication for third-party applications. It streamlines Single Sign-On (SSO), allowing users to access multiple applications with just one set of credentials managed by LoginRadius. The process is fortified with strong security measures, such as signed requests and responses, ensuring safe and seamless access to protected resources.

• User-Initiated Authentication – The login process starts at the Service Provider (SP), providing a seamless and controlled authentication experience.
• Secure Redirection to LoginRadius (IdP) – The SP securely redirects users to LoginRadius (IDP) for authentication, ensuring that the SP never handles credentials.
• SAML Assertion Expiration (NotOnOrAfter) – Assertion remains valid only for a secure timeframe, preventing reuse and enhancing security.
• Single Logout (SLO) Support – Users can log out from all connected applications simultaneously, ensuring proper session termination across platforms.
• Digitally Signed SAML Assertions – LoginRadius generates SAML assertions that are cryptographically signed to guarantee the authenticity and integrity of the authentication response.

This guide will help you set up SP-initiated SAML SSO by configuring LoginRadius Admin Console and the third-party Service Provider.

• Configure a SAML App in the LoginRadius Admin Console
• Configure the Service Provider Application

Admin Console Configuration

Follow these steps to configure SP-Initiated SAML SSO in the LoginRadius Admin Console:

1. Log in to Admin Console.
2. Navigate to Integrations → SSO Integration.
3. Click Add SSO Integration to configure a new SAML App.
4. Select SAML and choose Service Provider Initiated Login from the Login Flow options.
5. Enter a unique name in the SAML App Name field.
6. Add the Service Provider Certificate to validate responses.

To learn more about how to generate the certificate, refer to LoginRadius SAML Certificate Guide

7. In the Attribute Section, Map Attributes by linking LoginRadius fields with the Service Provider fields:
   • Name → SP field name
   • Format → urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
   • Value → LoginRadius mapping field
   • Static Checkbox (Optional): Keeps the value fixed if selected
8. Select Name ID Format → persistent (default).
9. Set Login URL

   https://<LoginRadius Site Name>.hub.loginradius.com/auth.aspx
10. Set After Logout URL

    https://<LoginRadius Site Name>[.hub.loginradius.com/auth.aspx?action=logout
    Note: This URL must be an endpoint that accepts SAML authentication requests. It is used to redirect users after they log out of the application.
11. In the Service Provider Logout URL, enter the service provider logout URL (you will get the SLO URL from a third-party service provider). This Logout URL will be called in the Single Logout (SLO) SAML workflow.
12. Select Default Request Binding (HTTP-POST or HTTP-Redirect as per SP configuration).
13. Add Assertion Consumer Service (ACS) Location from the SP configuration.
14. Select ACS Binding Type
    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
15. Enter Relay State Parameter → RelayState
16. Set SAML Assertion Expiration (1-70 minutes; default: 5 minutes).
17. Enter App Audiences → EntityID of your Service Provider.
18. Select SSO Method → HTTPPost. And save the configuration.

Service Provider Configuration

After setting up `LoginRadius as IdP, configure your third-party Service Provider (SP).

1. Set Identity Provider Login URL (SSO Endpoint):

   https://<LoginRadius Site Name>/service/saml/idp/login?appname=<SAMLAppName>  

2. Use the LoginRadius certificate in the Service Provider.

   • Download the metadata file from the Admin Console to obtain the certificate.

3. Set Issuer or EntityID:

   https://<LoginRadius Site Name>.hub.loginradius.com/

4. Select SSO Binding Type: HTTP-POST.

5. Set SAML Relay State: redirect (SP-specific).

6. Configure Logout URL:

   https://<LoginRadius Site Name>/service/saml/idp/logout?appname=<SAMLAppName>  

7. If SP supports Single Logout (SLO), use the same Logout URL.

👉 For more details on configuration options and terms used during the setup, refer to SAML Configuration Key Points.

In this workflow, the Service Provider (SP) initiates authentication by sending a signed SAML request to the Identity Provider (LoginRadius). After successful authentication, the IdP responds with a signed SAML assertion, granting the user access to the requested resources.

Refer to the following workflow to understand the SP-Initiated SAML process between LoginRadius(IdP) and the Service Provider.

1. User Initiates Login :

• The user starts authentication by clicking the login link on the Service Provider login page.

2. Service Provider Creates SAML Request :

• The Service Provider generates a SAML authentication request. It signs the request using its private key and provides its public key certificate to the LoginRadius(IdP) for verification if required. The SP then sends the SAML request to the IdP.

3. Identity Provider Validates Request:

• The LoginRadius(IdP) receives the SAML request and, if signed, verifies the signature to ensure its authenticity before proceeding with authentication.

4. Redirect to the Login Page

• The user is redirected to the LoginRadius Hosted Page for authentication.

5. User Authenticates with IdP

• The user provides their credentials and is successfully authenticated by LoginRadius.

6. IdP Sends SAML Response

• The LoginRadius(IdP) signs the SAML response with its private key and sends it to the Service Provider’s Assertion Consumer Service (ACS) URL.

7. Service Provider Validates Response

• The Service Provider validates the SAML response using the public certificate provided by the IdP.

8. User Accesses Protected Resources

• If the response is valid, the user is logged in and gains access to the protected resources on the Service Provider’s platform.

Follow these steps once the SP-Initiated SAML SSO configuration is complete to ensure a secure and seamless authentication experience.

• Check SP Redirection – Ensure that clicking the login link on the SP correctly redirects users to the LoginRadius Identity Provider (IdP) for authentication.
• Validate SAML Request – Confirm that the SP sends a properly signed SAML authentication request to LoginRadius.
• Authenticate and Process Response – Log in using valid user credentials and verify that LoginRadius successfully authenticates the user.
• Verify SP Handling of SAML Assertion – Ensure that the SP correctly reads and processes the SAML assertion, granting access without errors.

• Configure Logout URL – Ensure the SP Logout URL is properly set in the LoginRadius Admin Console.
• SP-Initiated Logout – Log out of the SP and confirm that the user session has been terminated at LoginRadius.
• Check Session Expiry Handling – Test automatic session timeouts and expiration behavior to ensure users are securely logged out after inactivity.

These validation steps ensure the proper and secure implementation of SP-Initiated SAML SSO integration.

👉 Check out the Security Best Practices for a detailed breakdown of essential security measures.

• SAML Overview
• IDP Initiated
• Troubleshooting Guide
• Federated SSO