Implementing IDP Initiated Flow Using OIDC


I'm currently exploring the implementation of an Identity Provider (IDP) initiated flow using OpenID Connect (OIDC), but I'm struggling to find comprehensive documentation or recent resources on this topic.

I've reviewed the information provided in a previous Stack Overflow post (OpenID Connect and IDP Initiated SSO), but it appears to be outdated.

My current approach is as follows:

  1. The Service Provider (SP) will register its information, including a redirect URI, while the IDP will share a client ID and secret.
  2. When a user logs in to the IDP, they can select the application and will be redirected to the SP page.
  3. The IDP will issue a signed ID token and access token using the previously shared client secret.
  4. The SP will verify the token signature using its client secret, followed by validation of the client ID and other token details.
  5. Upon successful verification, the user will be logged in to the SP.

I'm seeking clarification on whether this flow is secure, if any modifications are necessary, or if there are alternative standard flows available for IDP initiated SSO with OIDC.

Any insights or guidance on this matter would be greatly appreciated. Thanks in advance for your help!


There are 0 answers
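The token handling described in steps 3 and 4 of the question, as an added example that is not part of the original post or of any answer: the IdP signs an ID token with HMAC-SHA256 (HS256) using the secret shared with the client, and the SP verifies the signature with that same secret and then checks the issuer, the audience (its client ID), and the expiry and issued-at times. Only the Python standard library is used; the issuer URL, client ID, secret, subject and timestamps are constructed sample values, and `ALLOWED_CLOCK_SKEW` is an assumed tolerance, not a value from the question.

```python
"""Minimal HS256 ID token issue/verify for an IdP-initiated OIDC flow.
Added example using only the standard library; every identifier is constructed."""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_CLOCK_SKEW = 60  # assumed tolerance, in seconds, for clock drift between IdP and SP


def _b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(client_secret: str, issuer: str, client_id: str,
                   subject: str, now: int, lifetime: int = 300) -> str:
    """IdP side (step 3): sign an ID token with the secret shared with this client."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": subject,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, client_secret: str, expected_issuer: str,
                    client_id: str, now: int) -> dict:
    """SP side (step 4): return the claims if the token is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The SP fixes the algorithm it accepts; the token header never gets to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(client_secret.encode(),
                            f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; also rejects an empty or truncated signature.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # may be a string or a list per the JWT spec
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp + ALLOWED_CLOCK_SKEW:
        raise ValueError("token expired")
    if not isinstance(iat, int) or iat > now + ALLOWED_CLOCK_SKEW:
        raise ValueError("token issued in the future")
    return claims


def token_is_valid(token: str, client_secret: str, expected_issuer: str,
                   client_id: str, now: int) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_id_token(token, client_secret, expected_issuer, client_id, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_id_token("constructed-secret", "https://idp.example", "sp-client", "alice", now)
    print(verify_id_token(tok, "constructed-secret", "https://idp.example", "sp-client", now + 5)["sub"])
```

The verifier checks the `alg` header against the single algorithm the SP has configured before it looks at the signature, compares the MAC in constant time, and treats the audience check as mandatory, so a token minted for a different client registered at the same IdP is rejected even though it carries a valid signature under that client's secret. With HS256 the same secret both signs and verifies, so any party holding it can mint tokens; that is why the shared secret must be scoped to one client and why the audience check matters.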