I'm working on SAML 2.0 based SSO integration. I'm able to do the integration almost end-to-end except for 1 thing. The SP is sending the SAML authn request to the IDP and the IDP is responding back with the SAML authn response. The IDP here is CA Siteminder and the SP is Picketlink over JBoss 5.1. However, how would the application itself (configured as SP) know that the user is already authenticated by the IDP? Would that happen automatically? How would I prevent the application from prompting the user again? I believe I should be disabling all auth mechanisms I already have in my application? Is this true, or is there any other way?
The SP doesn't know if the user has an active IDP session or not. If there is no local SP session, then your application will issue the AuthnRequest to the IDP. If the user is already logged in with an active session at the IDP, then the IDP will generally generate a new SAML Response for your SP to consume without prompting the user to log in again (since they have an active session). If the user presenting the AuthnRequest does NOT have an active session, then it is up to the IDP to properly authenticate the user and send a SAML Response back to the SP.
This flow assumes that you don't have a local login capability in your SP application and users must come through the IDP. If you have local login, then it gets more complicated trying to figure out which users get redirected where and when for authentication.
HTH Ian
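As an added illustration of the flow the answer describes (example code written for this edit, not from the question, the answer, Picketlink or SiteMinder): a minimal SP in Python that serves a request when a local session exists, otherwise issues an AuthnRequest, and on the IdP's Response checks status, InResponseTo, issuer, validity window and audience before creating the local session. The entity IDs, cookie and sample Response are constructed placeholders, and XML signature verification, which a real SP must perform, is left out.

```python
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
SP_ENTITY_ID = "https://sp.example.com/metadata"    # constructed SP entityID
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # constructed IdP entityID
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class ServiceProvider:
    def __init__(self):
        self.sessions, self.pending = {}, set()  # cookie -> NameID; AuthnRequest IDs awaiting a Response
    def handle_request(self, cookie):
        if cookie in self.sessions:  # local SP session present: no prompt, no AuthnRequest
            return ("ok", self.sessions[cookie])
        request_id = "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
        self.pending.add(request_id)
        return ("redirect", request_id)      # browser goes to the IdP carrying this ID
    def consume_response(self, xml, cookie, now):
        # A real SP must verify the XML signature before trusting anything below.
        root = ET.fromstring(xml)
        if not root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"):
            raise ValueError("IdP reported an authentication failure")
        if root.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or replayed Response")
        self.pending.discard(root.get("InResponseTo"))  # one Response per AuthnRequest
        a = root.find("saml:Assertion", NS)
        if a.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
            raise ValueError("assertion not issued by the trusted IdP")
        cond = a.find("saml:Conditions", NS)
        nb, noa = (datetime.fromisoformat(cond.get(k)) for k in ("NotBefore", "NotOnOrAfter"))
        if not nb <= now < noa:
            raise ValueError("assertion outside its validity window")
        if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
            raise ValueError("assertion addressed to a different SP")
        user = a.find("saml:Subject/saml:NameID", NS).text
        self.sessions[cookie] = user  # from here on the application prompts nobody
        return user

def sample_response(request_id, now):  # constructed, unsigned stand-in for the IdP's POSTed Response
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" InResponseTo="{request_id}" IssueInstant="{now.isoformat()}">'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.isoformat()}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{(now - timedelta(minutes=1)).isoformat()}" NotOnOrAfter="{(now + timedelta(minutes=5)).isoformat()}"><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')

def demo():
    # No session -> AuthnRequest; valid Response -> local session; next request needs no prompt.
    sp, cookie, now = ServiceProvider(), "c1", datetime.now(timezone.utc)
    kind, request_id = sp.handle_request(cookie)
    user = sp.consume_response(sample_response(request_id, now), cookie, now)
    return kind, user, sp.handle_request(cookie)[0]
```

Because the local session is keyed on the SP's own cookie, the application's other login mechanisms never see the user once the Response has been consumed; a second POST of the same Response is rejected by the InResponseTo check.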