Tags: single-sign-on, saml, simplesamlphp, idp

Is SAML authenticated without redirect


We have an application where most users will be logged into SSO and the few that aren't should be presented with a custom login screen to choose a method. The flow we would like:

  • If logged into SSO go directly to the page
  • If not logged in go to custom login page
  • Choose SSO login or another method
  • Log in with desired method

The problem is that we cannot find a way to determine if a user is logged into SSO without redirecting them to SSO if they aren't. Is there a way to contact the IdP and determine if a user is logged in without redirecting to the SSO login page?

We're using simplesamlphp; isAuthenticated appears to only check the local session, so we need to use requireAuth instead, but that redirects to the SSO login instead of our custom login page. The SAML protocol appears to require a redirect, with no option to just check the login status.


Solution

  • Unfortunately the SAML specification doesn't include a way to check the user's status with the IdP.

    You could try setting the IsPassive flag in the SAML authn request to true. In theory, the IdP should return a successful SAML response if the user has already been authenticated and an error SAML response if they haven't. However, it's also possible the IdP will simply ignore this flag. It would still involve a redirect to the IdP, but the IdP shouldn't prompt the user to log in.
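To make the passive exchange the answer describes concrete, here is an added simulation of both sides of it. It is not code from the question, the answer, or SimpleSAMLphp: the SP builds an AuthnRequest with IsPassive="true", a mock IdP either returns Success (it has an SSO session), returns the spec's Responder/NoPassive error (no session, flag honoured), or ignores the flag and would show its own login page, and the SP's assertion consumer maps each outcome to the flow the question wants. Entity IDs and URLs are made-up placeholders, the messages are unsigned for brevity, and the one SP-side check kept is that InResponseTo matches the outstanding request ID.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder endpoints for this example; real values come from metadata.
SP_ENTITY_ID = "https://sp.example.org/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"
IDP_SSO_URL = "https://idp.example.org/sso"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    # SAML IDs are xs:ID (NCName): they must not start with a digit.
    return "_" + uuid.uuid4().hex


def build_authn_request(is_passive=True):
    """SP side: build an AuthnRequest. IsPassive="true" asks the IdP not to
    interact with the user. Returns (request_id, xml)."""
    req_id = _new_id()
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _now(),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": HTTP_POST, "IsPassive": "true" if is_passive else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(req, encoding="unicode")


def _build_response(in_response_to, top_status, sub_status=None, name_id=None):
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
        "Destination": SP_ACS_URL, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_status})
    if sub_status:  # second-level code carries the specific reason (NoPassive)
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": sub_status})
    if name_id:  # minimal unsigned assertion; real IdPs sign response/assertion
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                          {"ID": _new_id(), "Version": "2.0", "IssueInstant": _now()})
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(resp, encoding="unicode")


def idp_handle(request_xml, idp_session, honours_is_passive=True):
    """Mock IdP. idp_session is its own SSO session ({'name_id': ...}) or None.
    Returns Response XML, or None when the IdP would render its login page."""
    root = ET.fromstring(request_xml)
    req_id = root.get("ID")
    is_passive = root.get("IsPassive", "false") == "true"
    if idp_session is not None:
        return _build_response(req_id, STATUS_SUCCESS, name_id=idp_session["name_id"])
    if is_passive and honours_is_passive:
        # Spec behaviour: no interaction allowed, so answer Responder/NoPassive.
        return _build_response(req_id, STATUS_RESPONDER, sub_status=STATUS_NO_PASSIVE)
    return None  # flag ignored: user is now sitting on the IdP's login page


def sp_handle_response(response_xml, expected_request_id):
    """SP assertion consumer. Returns ('authenticated', name_id), ('no_passive', None)
    or ('error', top_code). Signature verification is omitted; do it first in real code."""
    root = ET.fromstring(response_xml)
    # Bind the response to the request we issued; rejects unsolicited/replayed responses.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    top = code.get("Value")
    if top == STATUS_SUCCESS:
        return ("authenticated",
                root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID").text)
    sub = code.find(f"{{{SAMLP}}}StatusCode")
    if top == STATUS_RESPONDER and sub is not None and sub.get("Value") == STATUS_NO_PASSIVE:
        return ("no_passive", None)
    return ("error", top)


def passive_login_flow(idp_session, honours_is_passive=True):
    """Full round trip; returns the SP's next step for the user."""
    req_id, req_xml = build_authn_request(is_passive=True)
    resp_xml = idp_handle(req_xml, idp_session, honours_is_passive)
    if resp_xml is None:
        return "stuck_at_idp_login"
    outcome, _ = sp_handle_response(resp_xml, req_id)
    return {"authenticated": "show_page", "no_passive": "show_custom_login"}.get(outcome, "error")


if __name__ == "__main__":
    print(passive_login_flow({"name_id": "alice@example.org"}))  # show_page
    print(passive_login_flow(None))                               # show_custom_login
    print(passive_login_flow(None, honours_is_passive=False))     # stuck_at_idp_login
```

The third case is the caveat from the answer: if the IdP ignores IsPassive, the redirect has already happened and the user lands on the IdP's login page, so test your IdP before relying on this. Store the outstanding request ID server-side before redirecting so the InResponseTo check can be made, and put the "show_custom_login" branch at whatever URL you hand the library for authentication errors. In SimpleSAMLphp the SP auth source documents a `saml:isPassive` option for this; confirm the exact parameter name and error handling for the version you run.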