Many real-world stacks combine SAML Service Providers (older B2B tools) and OIDC Relying Parties (newer apps). Auth Fly treats both as first-class on the same IdP, sharing one session.
The shared cookie
On a successful Hanko login, the IdP sets a signed idp_session cookie on its own origin. The cookie is HttpOnly, Secure, and HMAC-signed. Both SAML and OIDC handlers read the same cookie.
SAML path
GET /ssoparses the AuthnRequest and looks up the SP byIssuerin the allowlist.- If the IdP session is valid, the user is sent to
/sso/completeimmediately. - The SAML Response is signed and posted to the SP's ACS — taken from config, never from the request.
OIDC path
GET /authorizevalidatesclient_idandredirect_uriby exact match against the allowlist.- If the IdP session is valid, an authorization code is issued immediately and the user is redirected back with
code. POST /tokenexchanges the one-shot code for an access token and an id_token signed with the IdP key (RS256, JWKS-discoverable).
Why one cookie
One signed cookie is easier to reason about, easier to revoke, and easier to audit than two parallel session systems. The login screen is rendered once; both protocols complete without a second prompt.
