[Sign In] Redirect based SSO - User already signed in RP1, need to SSO in RP2 - both RP1 and RP2 trust IDP1 #12

Open
timcappalli opened this issue Sep 27, 2021 · 2 comments
Labels
link decoration (requires link decoration in the flow), redirects (requires redirects in the flow)

Comments

@timcappalli
Member

Web application RP1 and RP2 offer sign in/sign up functionality for users of identity provider IDP1, using any of the following:

  • any OpenID Connect flow
  • any SAML flow
  • any WS-Fed flow
  • any proprietary cookie based auth scheme

The user is already signed in to RP1. The user navigates to RP2, and expects to obtain an authenticated session without any interactive prompt.

User agent access to user info depends on the mechanics of the protocol of choice.

@timcappalli
Member Author

Old comment from @gffletch:

Do we need a use case document for each protocol? Also, seamless/silent SSO requires some mechanism for shared state. Do we need a use case for each of those mechanisms?

I'm working on a scenario for redirects where all properties are on the eTLD+1 and "logged-in flag" can be shared via a cookie on the eTLD+1.

This could also be accomplished by RP2 doing a redirect with prompt=none to IDP1 whenever the user arrives.

Additionally, I think this can be done with embedded iframes where the iframe is sourced from IDP1. I'm less familiar with this method.

Other options?
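
The `prompt=none` redirect mentioned in the comment above, sketched from RP2's side as an added example (not part of the thread and not any participant's code). The IDP1 endpoint, client ID and callback URL are assumed placeholders, and `session` stands for RP2's server-side pre-login session.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder values, not taken from the issue.
IDP1_AUTHORIZE = "https://idp1.example/authorize"
RP2_CLIENT_ID = "rp2-client"
RP2_CALLBACK = "https://rp2.example/callback"

# OIDC Core error codes meaning IDP1 could not answer without showing UI.
NEEDS_INTERACTION = {"login_required", "interaction_required",
                     "consent_required", "account_selection_required"}


def build_silent_request(session):
    """Return the IDP1 redirect URL for one prompt=none attempt, or None if already tried."""
    if session.get("silent_tried"):
        return None  # avoid a redirect loop when IDP1 has no session
    session["silent_tried"] = True
    session["state"] = secrets.token_urlsafe(32)  # binds the response to this browser
    session["nonce"] = secrets.token_urlsafe(32)  # compare with the ID token's nonce later
    return IDP1_AUTHORIZE + "?" + urlencode({
        "response_type": "code",
        "client_id": RP2_CLIENT_ID,
        "redirect_uri": RP2_CALLBACK,
        "scope": "openid",
        "prompt": "none",
        "state": session["state"],
        "nonce": session["nonce"],
    })


def handle_callback(session, callback_url):
    """Classify IDP1's response as ('code', v), ('interactive', err) or ('reject', why)."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", None)  # single use
    returned = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected.encode(), returned.encode()):
        return ("reject", "state_mismatch")
    if "error" in query:
        error = query["error"][0]
        # No IDP1 session or consent missing: fall back to a normal, visible sign-in.
        return ("interactive" if error in NEEDS_INTERACTION else "reject", error)
    if "code" in query:
        return ("code", query["code"][0])  # exchange at the token endpoint next
    return ("reject", "malformed_response")
```

An `interactive` result is the expected outcome when the user has no IDP1 session, so RP2 should treat it as "show the normal sign-in button" and not as a failure.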

@LGraber

LGraber commented Jan 10, 2022

We should create a separate issue to track the case where RP2 is embedded in RP1. I will open
