1. How IdP-Initiated SSO Works

Unlike SP-initiated SSO, there is no AuthnRequest. The flow is:

  1. User is already authenticated at the IdP (e.g. their Okta portal).
  2. User clicks an app tile in the IdP portal.
  3. The IdP builds a SAMLResponse assertion and HTTP-POSTs it to the SP's ACS URL.
  4. The SP (this app's /saml/acs endpoint) decodes and validates the response.
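The checks an SP can make on such an unsolicited response, as an added example that is not this app's own code. It assumes the SAMLResponse field is base64 of the XML, as the ACS step describes, and does not verify the XML signature, which must pass before any of these fields are trusted. The function name, the sample entity ID and the `sp.example.com` URLs are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
seen_ids = set()  # replay cache; a real SP needs a shared store with expiry

def check_unsolicited(b64, audience, acs_url, now):
    """Decode an unsolicited SAMLResponse; return (name_id, attrs) or raise ValueError.
    XML signature verification is out of scope here and must pass first."""
    root = ET.fromstring(base64.b64decode(b64))  # prefer defusedxml in production
    a = root.find("a:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion")
    conf = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        raise ValueError("Recipient is not this ACS URL")
    # No AuthnRequest was sent, so nothing may claim to answer one.
    if root.get("InResponseTo") or conf.get("InResponseTo"):
        raise ValueError("unexpected InResponseTo")
    expiry = conf.get("NotOnOrAfter")
    if not expiry:
        raise ValueError("no NotOnOrAfter")
    limit = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= limit:
        raise ValueError("assertion expired")
    auds = [e.text for e in a.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if audience not in auds:
        raise ValueError("wrong audience")
    aid = a.get("ID")
    if not aid or aid in seen_ids:  # only the replay cache stops a re-POST
        raise ValueError("assertion replayed")
    seen_ids.add(aid)
    attrs = {x.get("Name"): [v.text for v in x.findall("a:AttributeValue", NS)]
             for x in a.findall("a:AttributeStatement/a:Attribute", NS)}
    return a.findtext("a:Subject/a:NameID", namespaces=NS), attrs

# Constructed, unsigned sample response (hypothetical SP at sp.example.com)
SAMPLE_B64 = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
    '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
    '<saml:SubjectConfirmation><saml:SubjectConfirmationData '
    'Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2030-01-01T00:05:00Z"/>'
    '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>'
    '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email">'
    '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>').encode()).decode()
```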
2. Register This App with Your IdP

Configure the following values in your IdP's SAML application settings:

3. What the IdP Will POST to the ACS

The IdP sends an HTTP POST with a SAMLResponse form field containing a base64-encoded, gzip-compressed SAML XML assertion.

POST: IdP → ACS URL

      
4. ACS Decodes and Displays the Assertion

When the IdP POSTs to /saml/acs, the backend decodes the base64 SAMLResponse, parses the XML, extracts the NameID and attributes, and renders a result page showing:
