I have a question regarding the IDP-initiated SSO setup that doesn't seem to have been answered in any of the questions that have been posed before on the same topic. Apologies in advance if the answers have been provided and I have missed them!
We have a fairly straightforward setup - our application is a Java EE app that has an Angular.JS UI. We have been able to properly set up and configure Shibboleth's Service Provider (Version 2.5.5) and Identity Provider (version 3.1), along with Apache (version 2.4), and things are working quite nicely under the Service Provider-initiated SSO flow.
The issue is that our clients want to use their own IDP and interact with us via a standard SAML2 Identity Provider-initiated SSO. This is because our application is deployed within their corporate portal and they want to provide login-less access to our application. We have provided them with our Service Provider's metadata, and they have provided us with their IDP metadata. Their metadata file contained no URLs (single sign-on, single logout, etc.), which would appear logical, since our SP will not interact DIRECTLY with their IDP and vice versa (unless this is a wrong assumption on my part). But, looking at the XSD for the SAML metadata files, I notice that at least one SingleSignOn URL is mandatory for a given IDPSSODescriptor element (all other URLs are optional).
My understanding of the IDP initiated SSO flow is that the user's authentication will occur completely without any interaction with the SP, and once that is done, a POST is issued to the SP's AssertionConsumerService URL, with a SAML2 Response as a form parameter. The SP in turn simply handles the POST request and verifies the message with the IDP's signature, and if all is well, creates a session before granting access to the requested resource.
My questions therefore are:
Is my understanding of the IDP-initiated SSO flow correct, or am I missing something?
If my understanding is correct, then is it true that the IDP and SP never DIRECTLY communicate with each other? If so, what would be the purpose of the SingleSignOnService URL in the IDP metadata, and what should it be?
I can convince my clients and my own IT guys to use Service Provider-initiated SSO if we can do so without having users log in twice, and am open to suggestions on how to accomplish that. But first, I really would like to get my head around IDP-initiated SSO and understand it completely.
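As an added example (not part of the question, and not code from the Shibboleth SP), here are the checks an SP makes on an unsolicited SAML2 Response that arrives by HTTP-POST in the IDP-initiated flow described above, once the SP library has verified the XML signature. The ACS URL, entityIDs, Response and timestamps are constructed for the example; signature verification is assumed to have already happened and is not shown.

```python
# Added example, not from the question: checks a SAML2 SP applies to an
# unsolicited (IdP-initiated) Response POSTed to its AssertionConsumerService.
# Assumed: the SP library (e.g. Shibboleth SP) already verified the XML signature.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "https://sp.example.com/Shibboleth.sso/SAML2/POST"          # constructed ACS URL
SP_ID, IDP_ID = "https://sp.example.com/shibboleth", "https://idp.example.org/idp"  # constructed
# Constructed sample of the SAMLResponse form parameter, before base64 encoding.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS}">
 <saml:Issuer>{IDP_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def as_form_param(xml_text):  # what the IdP's auto-submitting HTML form carries
    return base64.b64encode(xml_text.encode())

def saml_time(s):  # SAML UTC dateTime -> aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_unsolicited_response(saml_response_b64, now, acs=ACS, sp_id=SP_ID, idp_id=IDP_ID):
    """Return the problems found; an empty list means the Response may create a session."""
    r = ET.fromstring(base64.b64decode(saml_response_b64))
    scd = r.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    c = r.find("saml:Assertion/saml:Conditions", NS)
    if scd is None or c is None:
        return ["Assertion, SubjectConfirmationData or Conditions missing"]
    status = r.find("samlp:Status/samlp:StatusCode", NS)
    checks = [  # (is_ok, problem); the SP sent no AuthnRequest, so InResponseTo must be absent
        (not r.get("InResponseTo"), "InResponseTo present but no AuthnRequest is pending"),
        (r.get("Destination") == acs, "Destination is not our ACS URL"),
        (r.findtext("saml:Issuer", namespaces=NS) == idp_id, "Issuer is not the trusted IdP"),
        (status is not None and status.get("Value") == SUCCESS, "Status is not Success"),
        (scd.get("Recipient") == acs, "bearer Recipient is not our ACS URL"),
        (now < saml_time(scd.get("NotOnOrAfter")), "bearer SubjectConfirmation has expired"),
        (saml_time(c.get("NotBefore")) <= now < saml_time(c.get("NotOnOrAfter")), "Assertion outside validity window"),
        (c.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == sp_id, "Audience is not our SP"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Note that none of these checks involves a direct SP-to-IdP connection: the SingleSignOnService URL in the IdP metadata is only used when the SP itself starts the flow by sending an AuthnRequest.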