To make a long story short: the customer has both an SP (referred to as SP1) and an IDP. We are integrating our application (referred to as SP2) to serve a protected resource. The resource will be available after the principal's identity has been verified at the IDP - a typical SSO service. The scenario would look like this:
1. Principal enters SP1.
2. No security context has been created for the user yet, so he logs in to the IDP.
3. After a successful login, the user tries to access a resource on SP2 from SP1.
4. Request comes to SP2, which needs to verify principal identity.
5. SP2 tries to log in to IDP (HTTP Redirect Binding).
6. IDP verifies there is a security context and does not offer a login form but strikes back with an assertion.
7. Resource is served.
Question 1 - For testing I am using the Shibboleth IDP and the OIOSAML Java libraries for SP2. How does the IDP (step 6) verify that the user is logged in? Is it checked via the presence of some cookie? Is it a vendor-specific check?
Question 2 - The SP2 IP is not external, so we would need to create a tunnel between SP1 and SP2 and between SP1 and SP2. Is there any standard scenario to verify the principal's authority without hitting the IDP (step 5)?
As far as I know it is not specified how the IDP keeps track of security contexts. But I have never seen anything other than cookies.
I'm not sure you need the tunnel. There will not be any direct communication between SP1 and SP2, only between the SPs and the IDP. And provided you use the POST binding to deliver the SAML assertion, there will not be any direct communication there either. In this case all communication would go over the browser.
This means that the browser must be able to connect to all of the nodes, but the nodes do not need connectivity to each other. Provided you use the POST binding and not the Artifact binding.
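The exchange the answer describes (steps 5 to 7 of the question), as an added example that is not part of the original question or answer and is not code from Shibboleth or OIOSAML: SP2 encodes an AuthnRequest for the HTTP-Redirect binding, the IDP decides from its own session cookie whether to show a login form or answer at once, and the answer travels back over the HTTP-POST binding as a form the browser posts to SP2's ACS. The entity IDs, URLs, the cookie name `shib_idp_session` and the session table are assumptions, and the XML is minimal and unsigned, so this shows the bindings and the session check, not a usable SP or IDP.

```python
"""Steps 5-7: SP2 -> browser -> IdP over HTTP-Redirect, IdP -> browser -> SP2 over HTTP-POST.
SP2 and the IdP never talk to each other; every message is carried by the browser.
No signatures are produced or verified here; real SP and IdP software must do that."""
import base64
import html
import re
import uuid
import zlib
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# Assumed entity IDs and endpoints for the scenario in the question.
SP2_ENTITY_ID = "https://sp2.example.internal/saml/metadata"
SP2_ACS_URL = "https://sp2.example.internal/saml/acs"
IDP_ENTITY_ID = "https://idp.customer.example/idp/shibboleth"
IDP_SSO_URL = "https://idp.customer.example/idp/profile/SAML2/Redirect/SSO"

# ---- SP2 side ----
OUTSTANDING_REQUESTS = {}  # request ID -> ACS URL, so a response is matched once and not replayed

def build_authn_request():
    """Return (request_id, xml) for a minimal <samlp:AuthnRequest> asking for a POST-bound response."""
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z",
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP2_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP2_ENTITY_ID
    OUTSTANDING_REQUESTS[request_id] = SP2_ACS_URL
    return request_id, ET.tostring(root, encoding="unicode")

def redirect_binding_url(request_xml, relay_state="/protected/resource"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def sp_consume_post(form_fields):
    """Validate a POST-bound <samlp:Response> and return the authenticated NameID."""
    root = ET.fromstring(base64.b64decode(form_fields["SAMLResponse"]))
    in_response_to = root.get("InResponseTo")
    if in_response_to not in OUTSTANDING_REQUESTS:
        raise ValueError("response matches no outstanding AuthnRequest (unsolicited or replayed)")
    if root.get("Destination") != OUTSTANDING_REQUESTS.pop(in_response_to):
        raise ValueError("Destination does not match our ACS URL")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError(f"IdP returned {status}")
    # A real SP also verifies the XML signature, Audience and NotOnOrAfter here.
    return root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID").text

# ---- IdP side ----
IDP_SESSION_COOKIE = "shib_idp_session"    # cookie name is an assumption
IDP_SESSIONS = {"s3ss10n-alice": "alice"}  # constructed: the session created at step 2

def idp_handle_redirect(url, cookie_header):
    """Decode the redirect-bound request; answer from the session cookie or demand a login."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    principal = IDP_SESSIONS.get(cookies.get(IDP_SESSION_COOKIE))
    if principal is None:
        return {"action": "login_form", "request_id": req.get("ID")}  # step 2 happens here
    form = post_binding_form(req.get("AssertionConsumerServiceURL"),
                             build_response(req, principal), query.get("RelayState", [""])[0])
    return {"action": "post_form", "html": form}

def build_response(req, principal):
    """Minimal successful <samlp:Response> carrying one assertion for the principal."""
    root = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": "2024-01-01T00:00:01Z",
        "InResponseTo": req.get("ID"), "Destination": req.get("AssertionConsumerServiceURL")})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    assertion = ET.SubElement(root, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant="2024-01-01T00:00:01Z")
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = principal
    return ET.tostring(root, encoding="unicode")

def post_binding_form(acs_url, response_xml, relay_state):
    """HTTP-POST binding: base64 (no deflate) inside a self-submitting form the browser posts to the ACS."""
    b64 = base64.b64encode(response_xml.encode()).decode()
    return (f'<form method="post" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/></form>')

def browser_submits(form_html):
    """What the browser does with the auto-submitted form: deliver its hidden fields to the ACS."""
    return {k: html.unescape(v) for k, v in re.findall(r'name="([^"]+)" value="([^"]*)"', form_html)}

def run_flow(cookie_header):
    """Steps 5-7 end to end; returns the principal SP2 learned, or None if the IdP wanted a login."""
    _, request_xml = build_authn_request()
    idp_result = idp_handle_redirect(redirect_binding_url(request_xml), cookie_header)
    if idp_result["action"] == "login_form":
        return None
    return sp_consume_post(browser_submits(idp_result["html"]))
```

`run_flow("shib_idp_session=s3ss10n-alice")` returns `"alice"` without any login form, which is step 6; `run_flow("")` returns `None` because the IDP found no session cookie and would show the form from step 2. Note that the only network paths used are browser to IDP and browser to SP2, which is why the answer says no SP1 to SP2 tunnel is needed with the POST binding; the Artifact binding would add a direct SP2 to IDP call to resolve the artifact.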