Using SAML in Portal to Authenticate with 3d party website

Question

We are running a website where users need to be authenticated from the SAP Enterprise Portal.

Scenario: User logs in into SAP portal via SAML Authentication. This user can view a link in the Portal he can click the link and will be transferred to a website on another domain. This domain will receive the a "ticket" and the user will be able to login.

Information from a friend: If you have a setup that uses SAML, there are mechanisms to transfer that session between domains that basically rely on passing a ticket through the URL to the client from the authentication server, and that ticket is then passed to the site you want to authenticate against, which can use that to establish the identity of the user with the authentication server and establish the session.

Question: Is this possible in SAP? If so, can anyone provide me some documentation for this?

Answer 1

The normal scenarion for SSO between domain in SAML is based on relayance on the same IDP. This is a typical flow for a SSO with two domains.

Sign-on on domain1

1. User accesses domain1
2. User is forwarded to IDP for authentication.
3. User authenticates and a session is created at the IDP
4. User is redirected back to domain1 and gains access

Sign-on on domain2

1. User accesses domain2
2. User is forwarded to IDP for authentication.
3. The IDP already as a session for the user and is considered as authenticated
4. User is redirected back to domain2 and gains access

This way the uer does not need to authenticate the second time.