I am setting up basic SAML support for a web application. Each user of this application (identified by email address) can belong to multiple organisations/companies of the application. I would like to let individual organisations enable SSO via SAML for users that are members of their organisation.
The communication between me (the SP) and the IdP (e.g. Okta, OneLogin) works just fine from the technical side. But I haven't figured out how to ensure that a user requesting access to my application via SAML is actually the user who she pretends to be, given that she might have signed up for a user profile before SAML was enabled for the organisation.
Is there some sort of "linking" that needs to take place in order to "connect" an existing user profile with a specific IdP?
An IdP contains a set of user identities. When your SP and IdP exchange their metadata, you set up a circle of trust, so all users that the IdP contains will be trusted by the SP.
Some IdPs have the ability to restrict which users access which SP, or the amount of information about a user that is sent to the SP, but in the end, you as SP may trust all the info that the IdP provides.
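An added example (not from the question or the answer above) of the SP-side linking logic for a multi-organisation application: an assertion is mapped to an account only when its Issuer is the IdP configured for that organisation and the asserted email is in a domain the organisation has verified it owns, so one organisation's IdP can never speak for members of another. The organisation/user records, the use of the email address as NameID and the just-in-time creation of unknown users are assumptions; signature and audience validation of the assertion is assumed to have already happened.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample data: organisations and their SAML configuration.
@dataclass
class Organisation:
    name: str
    email_domain: str               # domain the organisation proved it owns
    idp_entity_id: Optional[str]    # entityID from the IdP metadata; None = SSO off

@dataclass
class User:
    email: str
    org_names: Set[str]

ORGS = {
    "acme": Organisation("acme", "acme.example", "https://idp.acme.example/saml"),
    "beta": Organisation("beta", "beta.example", None),
}
# Constructed accounts; bob signed up with a beta.example address but is also in acme.
USERS = {
    "alice@acme.example": User("alice@acme.example", {"acme"}),
    "bob@beta.example": User("bob@beta.example", {"beta", "acme"}),
}

def resolve_saml_user(issuer: str, name_id: str, org_name: str) -> User:
    """Map an already-validated assertion to an account for a login into org_name.
    issuer  - the <saml:Issuer> value (IdP entityID) of the assertion
    name_id - the asserted NameID, assumed here to be the user's email address
    Raises ValueError when the assertion must not be accepted."""
    org = ORGS.get(org_name)
    if org is None or org.idp_entity_id is None:
        raise ValueError("SSO is not enabled for this organisation")
    # Only the IdP configured for this organisation may assert its users.
    if issuer != org.idp_entity_id:
        raise ValueError("assertion issued by an IdP not trusted for this organisation")
    email = name_id.strip().lower()
    # The IdP may only speak for addresses in the domain the organisation verified.
    if email.rsplit("@", 1)[-1] != org.email_domain:
        raise ValueError("asserted email is outside the organisation's verified domain")
    user = USERS.get(email)
    if user is None:
        # Just-in-time provisioning (assumed policy): create and link the account.
        user = USERS[email] = User(email, {org_name})
    elif org_name not in user.org_names:
        raise ValueError("existing user is not a member of this organisation")
    return user

def assertion_accepted(issuer: str, name_id: str, org_name: str) -> bool:
    """True when resolve_saml_user accepts the assertion, False otherwise."""
    try:
        resolve_saml_user(issuer, name_id, org_name)
        return True
    except ValueError:
        return False
```

Note that bob, although a member of acme, cannot be asserted by acme's IdP because his account lives under another organisation's domain; linking him would need a separate verified step rather than blind trust in the assertion.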