SAML-Based SSO: Source IP for IdP and SP Initiated Flows
SP-Initiated SSO
Flow Summary:
The user starts at the Service Provider (SP). The SP builds a SAML AuthnRequest and sends the browser to the Identity Provider (IdP) with it, using the HTTP-Redirect binding (deflated and base64-encoded in the query string) or the HTTP-POST binding (base64 in an auto-submitted form).
- Source IP at IdP: the user’s browser IP address (e.g., home or corporate network), because the browser is what follows the redirect.
- Source IP at SP: after authentication, the IdP hands the SAML Response back to the browser, which submits it to the SP’s Assertion Consumer Service (ACS), normally via HTTP POST. The source is still the user’s IP.
Key Point: Both IdP and SP see the user’s IP address because the browser performs every request; the IdP and SP never open a connection to each other in this flow.
IdP-Initiated SSO
Flow Summary:
The user starts at the Identity Provider (IdP), for example from a portal or application tile. After authentication, the IdP builds an unsolicited SAML Response and returns an auto-submitting HTML form to the browser, which posts it to the SP’s ACS.
- Source IP at IdP: the user’s IP address (browser-initiated login).
- Source IP at SP: the browser posts the SAML Response (carrying the assertion) to the SP via HTTP POST, so the source IP is still the user’s IP. The SP does not receive anything from the IdP’s own address.
Summary Table
| Flow Type | Source IP at IdP | Source IP at SP |
|---|---|---|
| SP-initiated SSO | User’s IP | User’s IP |
| IdP-initiated SSO | User’s IP | User’s IP |
Whitelisting IPs?
For the HTTP-Redirect and HTTP-POST bindings used above there is no need to whitelist the IdP’s addresses at the SP (or the SP’s addresses at the IdP): the two servers never connect to each other, so only the browser (client) IP is in play. The exceptions are back-channel exchanges, where a server itself opens the connection: the HTTP-Artifact binding (the browser carries only a short artifact, and the SP resolves it with a SOAP call to the IdP’s Artifact Resolution Service), SOAP-bound single logout, and automated metadata refresh over HTTPS. If either side uses those, the calling server’s egress IP does appear at the other side and must be permitted wherever source addresses are filtered.
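The three flows as a hop-by-hop walk-through, written here as an added example rather than code from the original page. It encodes a minimal AuthnRequest and Response the way the HTTP-Redirect and HTTP-POST bindings carry them, records which party receives each request and from which address, and adds the HTTP-Artifact variant, the one case where the SP’s own IP shows up at the IdP. All addresses, endpoint names and the unsigned XML stubs are constructed for illustration (RFC 5737 documentation ranges; real messages are signed and much larger).

```python
import base64
import zlib
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed addresses for the walk-through (RFC 5737 documentation ranges).
BROWSER_IP = "203.0.113.10"  # the user's browser, or their NAT/proxy egress
IDP_IP = "198.51.100.5"      # the IdP server
SP_IP = "192.0.2.20"         # the SP server


@dataclass(frozen=True)
class Hop:
    """One HTTP request: who opened the connection (src_ip) and who received it."""
    src_ip: str
    receiver: str   # "IdP" or "SP"
    method: str
    endpoint: str   # SAML endpoint name: SSO, ACS, ARS, ...
    message: str    # the SAML message as carried on the wire


def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, sent as ?SAMLRequest=..."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def redirect_decode(b64: str) -> str:
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def post_encode(xml: str) -> str:
    """HTTP-POST binding: base64 in a hidden form field that the browser auto-submits."""
    return base64.b64encode(xml.encode()).decode()


def post_decode(b64: str) -> str:
    return base64.b64decode(b64).decode()


# Minimal, unsigned stubs (constructed): enough to show what travels in each hop.
AUTHN_REQUEST = '<samlp:AuthnRequest ID="_req1" Destination="https://idp.example/sso"/>'
SAML_RESPONSE = ('<samlp:Response ID="_resp1" Destination="https://sp.example/acs">'
                 '<saml:Assertion ID="_a1"/></samlp:Response>')


def sp_initiated(browser_ip: str = BROWSER_IP) -> List[Hop]:
    """SP-initiated: browser -> SP, redirect to IdP, POST back to SP. Every hop is the browser's."""
    return [
        Hop(browser_ip, "SP", "GET", "protected resource", ""),
        Hop(browser_ip, "IdP", "GET", "SSO", redirect_encode(AUTHN_REQUEST)),
        Hop(browser_ip, "SP", "POST", "ACS", post_encode(SAML_RESPONSE)),
    ]


def idp_initiated(browser_ip: str = BROWSER_IP) -> List[Hop]:
    """IdP-initiated: browser logs in at the IdP, then POSTs the unsolicited Response to the SP's ACS."""
    return [
        Hop(browser_ip, "IdP", "GET", "SSO", ""),
        Hop(browser_ip, "SP", "POST", "ACS", post_encode(SAML_RESPONSE)),
    ]


def sp_initiated_artifact(browser_ip: str = BROWSER_IP) -> List[Hop]:
    """HTTP-Artifact binding: the browser carries only a short artifact, and the SP itself
    opens a back-channel SOAP connection to the IdP's Artifact Resolution Service (ARS)."""
    # Constructed type-4 artifact: type code, endpoint index, 20-byte SourceID, 20-byte MessageHandle.
    artifact = base64.b64encode(b"\x00\x04" + b"\x00\x00" + b"A" * 20 + b"B" * 20).decode()
    return [
        Hop(browser_ip, "SP", "GET", "protected resource", ""),
        Hop(browser_ip, "IdP", "GET", "SSO", redirect_encode(AUTHN_REQUEST)),
        Hop(browser_ip, "SP", "GET", "ACS", "SAMLart=" + artifact),
        Hop(SP_IP, "IdP", "POST", "ARS", "<samlp:ArtifactResolve>" + artifact + "</samlp:ArtifactResolve>"),
    ]


def observed_sources(hops: List[Hop]) -> Dict[str, Set[str]]:
    """Source IPs each party would see in its access logs or firewall for this flow."""
    seen: Dict[str, Set[str]] = {"IdP": set(), "SP": set()}
    for h in hops:
        seen[h.receiver].add(h.src_ip)
    return seen


if __name__ == "__main__":
    for name, flow in [("SP-initiated", sp_initiated()),
                       ("IdP-initiated", idp_initiated()),
                       ("SP-initiated, artifact", sp_initiated_artifact())]:
        print(name, observed_sources(flow))
```

Running the block prints only the browser address under both parties for the first two flows, and the SP’s address appearing at the IdP (on the ARS endpoint) for the artifact flow: that back-channel hop is the one that would need a whitelist entry at the IdP.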
Additional Notes
- In both flows, the browser acts as the transport, so HTTP requests originate from the user’s IP.
- Behind proxies or VPNs, the observed IP is a NATed address (e.g., a corporate gateway or Zscaler egress point), so any whitelist of "user" IPs is really a whitelist of egress ranges shared by everyone behind them.
- If the SP itself sits behind a reverse proxy or load balancer, the peer address the SP sees on the ACS is the proxy’s. The original client address is only available from a header such as X-Forwarded-For, which must be honoured only when the direct peer is one of the SP’s own proxies, since a client can send that header itself.
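How an SP sitting behind its own load balancer should recover the client address at the ACS before applying any source-based check, as an added example that is not code from the original page. The rule it implements is the standard one: trust X-Forwarded-For only when the TCP peer is one of our proxies, then walk the chain from the right and take the first address that is not ours; anything a client prepended to the header is therefore ignored. The proxy range, the corporate egress range and the sample requests are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(cidrs: Iterable[str]) -> List[IPNetwork]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _parse(ip: Optional[str]) -> Optional[IPAddress]:
    """Parse one address; None for anything malformed (never trust a string we can't parse)."""
    if not ip:
        return None
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def _trusted(addr: IPAddress, nets: List[IPNetwork]) -> bool:
    return any(addr in n for n in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the address to treat as the user's IP for a request hitting the SP's ACS.

    - If the TCP peer (remote_addr) is not one of our own proxies, the header came straight
      from the client and is attacker-controlled: ignore it and use the peer address.
    - Otherwise walk X-Forwarded-For right to left, skipping our own proxies, and return the
      first address that is not ours: that is the hop that actually connected to our outermost proxy.
    - A malformed header fails closed (None) rather than guessing.
    """
    nets = parse_networks(trusted_proxies)
    peer = _parse(remote_addr)
    if peer is None:
        return None
    if not _trusted(peer, nets) or not x_forwarded_for:
        return str(peer)
    for hop in reversed(x_forwarded_for.split(",")):
        addr = _parse(hop)
        if addr is None:
            return None
        if not _trusted(addr, nets):
            return str(addr)
    return str(peer)  # the chain contained only our own proxies


def source_allowed(ip: Optional[str], allowlist: Iterable[str]) -> bool:
    """Whitelist check against egress ranges (corporate NAT, VPN, Zscaler), not individual users."""
    addr = _parse(ip)
    return addr is not None and _trusted(addr, parse_networks(allowlist))


# Constructed sample: SP behind a load balancer in 10.0.0.0/24; users egress via 203.0.113.0/24.
TRUSTED_PROXIES = ["10.0.0.0/24"]
CORPORATE_EGRESS = ["203.0.113.0/24"]

if __name__ == "__main__":
    # Direct connection with a forged header: the peer address wins, header ignored.
    print(client_ip("198.51.100.77", "203.0.113.10", TRUSTED_PROXIES))
    # Through the load balancer, attacker prepends a corporate address: the real peer still wins.
    ip = client_ip("10.0.0.5", "203.0.113.10, 198.51.100.77", TRUSTED_PROXIES)
    print(ip, source_allowed(ip, CORPORATE_EGRESS))
```

The second sample request is the case that matters: the attacker's "203.0.113.10" sits at the left of the header, but the rightmost non-proxy entry is what the load balancer actually talked to, so the whitelist check fails as it should.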