SSO: SP-initiated login to another Service Provider


I have a scenario where the client has an SP that authenticates against an IdP. This is working today. They want to add a button that, when clicked, will open a new tab and send the user to a third-party SP.

Is it possible to create a request that goes to the IdP for authentication and has the IdP forward the user to the 3rd party SP, authenticated?

So: SP1 -> IdP -> SP2 (with response)

The client is motivated to maintain a single IdP for all services, and SP1 and SP2 are not necessarily both owned by the same client.

So, this would essentially follow a "hub-and-spoke" kind of architecture where the spokes are not owned by the same org. (So, Federated Identity Management.)

Note/Edit: Originally, I was thinking that this was what the `RelayState` parameter was for, but as I understand it, the IdP is required to simply send back whatever is in that parameter to the originating SP, not use it to forward the response to a secondary SP.

So, perhaps, I could send an ACS URL on SP2's domain?

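Added example, not part of the question and not the code of any IdP or SP product: a toy, defender-side sketch in Python of the two pieces that bear on the last paragraph. First, the check a SAML 2.0 IdP performs on an incoming AuthnRequest, which is to verify that the `AssertionConsumerServiceURL` belongs to the issuing SP's registered metadata (SAML Core 3.4.1 requires the IdP to ensure the value is associated with the requester), so a request from SP1 naming an ACS on SP2's domain is refused rather than forwarded. Second, the usual way to get SP1 -> IdP -> SP2: SP1's button links to the IdP's IdP-initiated (unsolicited) SSO endpoint naming SP2 as the target, with `RelayState` carrying the deep link into SP2. Entity IDs, URLs, the registry dictionary and the Shibboleth-style `providerId`/`target` query names are constructed assumptions.

```python
"""Toy IdP-side AuthnRequest validation and an IdP-initiated link builder (constructed example)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical IdP registry built from SP metadata: entityID -> allowed ACS URLs (constructed).
REGISTERED_SPS = {
    "https://sp1.example.com/metadata": {"https://sp1.example.com/saml/acs"},
    "https://sp2.example.net/metadata": {"https://sp2.example.net/saml/acs"},
}
# Hypothetical IdP-initiated SSO endpoint; query names follow the Shibboleth IdP convention.
IDP_INIT_ENDPOINT = "https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO"


def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: base64(raw DEFLATE(xml))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request_param: str) -> ET.Element:
    """Inverse of encode_redirect_request: returns the parsed AuthnRequest element."""
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request_param), -15))


def validate_authn_request(req: ET.Element) -> Tuple[bool, str]:
    """Reject requests whose ACS is not registered for the issuing SP.

    Signature, Destination and IssueInstant checks are omitted here; a real IdP does them too.
    """
    issuer_el = req.find(f"{{{SAML}}}Issuer")
    if issuer_el is None or not (issuer_el.text or "").strip():
        return False, "missing Issuer"
    issuer = issuer_el.text.strip()
    allowed = REGISTERED_SPS.get(issuer)
    if allowed is None:
        return False, f"unknown SP {issuer}"
    acs = req.get("AssertionConsumerServiceURL")
    if acs is None:
        return True, "no ACS given; IdP uses the issuer's default registered endpoint"
    if acs not in allowed:
        # This is the case the question asks about: SP1 asking for delivery to SP2's domain.
        return False, f"ACS {acs} is not registered for {issuer}"
    return True, "ok"


def check_request(xml: str) -> Tuple[bool, str]:
    """Round-trip an AuthnRequest through the Redirect binding and validate it."""
    return validate_authn_request(decode_redirect_request(encode_redirect_request(xml)))


def idp_initiated_link(target_sp_entity_id: str, deep_link: str) -> str:
    """Build the URL behind SP1's 'open SP2' button: an IdP-initiated SSO request for SP2.

    The IdP authenticates (or reuses the session), then POSTs the Response to SP2's own
    registered ACS; RelayState (here 'target') tells SP2 where to land the user afterwards.
    """
    if target_sp_entity_id not in REGISTERED_SPS:
        raise ValueError("SP2 must be registered at the IdP before it can be a target")
    host = urlparse(deep_link).netloc
    if not any(urlparse(u).netloc == host for u in REGISTERED_SPS[target_sp_entity_id]):
        raise ValueError("deep link must be on SP2's own host")
    return IDP_INIT_ENDPOINT + "?" + urlencode({"providerId": target_sp_entity_id, "target": deep_link})


def _authn_request(acs: str) -> str:
    """Constructed AuthnRequest issued by SP1 with the given ACS."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{acs}">'
        "<saml:Issuer>https://sp1.example.com/metadata</saml:Issuer></samlp:AuthnRequest>"
    )


# Constructed sample requests: one legitimate, one asking the IdP to deliver SP1's response to SP2.
LEGIT_REQUEST = _authn_request("https://sp1.example.com/saml/acs")
CROSS_SP_REQUEST = _authn_request("https://sp2.example.net/saml/acs")

if __name__ == "__main__":
    print("SP1 -> own ACS:", check_request(LEGIT_REQUEST))
    print("SP1 -> SP2's ACS:", check_request(CROSS_SP_REQUEST))
    print("button URL:", idp_initiated_link("https://sp2.example.net/metadata",
                                            "https://sp2.example.net/reports/42"))
```

The design point is that the IdP never lets SP1 choose where SP2's assertion goes: every SP's ACS comes from its own metadata, and SP2 is reached by asking the IdP to start a session for SP2, not by redirecting SP1's response. The user ends up authenticated at SP2 because both SPs trust the same IdP and the IdP already has a session from the SP1 login.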
