PingFederate Server

SSO—Browser-POST

In this scenario, a user logged on to the identity provider (IdP) attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.

Diagram illustrating the SSO browser-POST process between the browser interface, the IdP, and the SP.
SSO—Browser-POST profile

Processing steps

  1. A user logs on to the IdP.

    If a user is not logged on for some reason, the IdP challenges them to do so at step 2.

  2. The user clicks a link or otherwise requests access to a protected SP resource.

  3. Optionally, the IdP retrieves attributes from the user data source.

  4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

    SAML specifications require digitally signed POST responses.

  5. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
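
The SP-side handling of the form posted in step 4, as an added example that is not PingFederate code: it decodes the `SAMLResponse` field and runs the structural checks an SP makes before cryptographic signature verification, which needs an XML signature library and is not shown. The ACS URL, the function names, and the minimal sample message are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode

P, A = "{urn:oasis:names:tc:SAML:2.0:protocol}", "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def precheck_post(body, acs_url, now):
    """Return reasons to reject the POSTed form. An empty list means only that
    the message may go on to cryptographic signature verification."""
    try:
        raw = base64.b64decode(parse_qs(body)["SAMLResponse"][0], validate=True)
        if b"<!DOCTYPE" in raw:  # SAML messages never need a DTD
            return ["DOCTYPE not allowed"]
        root = ET.fromstring(raw)
    except (KeyError, ValueError, ET.ParseError):
        return ["no SAMLResponse field holding base64-encoded XML"]
    assertions = root.findall(f"{A}Assertion")
    if root.tag != P + "Response" or len(assertions) != 1:
        return ["expected samlp:Response with exactly one Assertion"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's endpoint")
    code = root.find(f"{P}Status/{P}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if all(e.find(f"{DS}Signature") is None for e in (root, assertions[0])):
        problems.append("no ds:Signature on Response or Assertion")
    cond = assertions[0].find(f"{A}Conditions")
    try:
        ts = [datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
              for k in ("NotBefore", "NotOnOrAfter")]
        if not ts[0] <= now < ts[1]:
            problems.append("assertion is outside its validity window")
    except (AttributeError, ValueError, TypeError):
        problems.append("missing or unparsable Conditions")
    return problems

def sample_body(signed=True):
    """Constructed sample form body; the signature is an empty placeholder."""
    sig = f'<Signature xmlns="{DS[1:-1]}"/>' if signed else ""
    xml = (f'<r:Response xmlns:r="{P[1:-1]}" xmlns:a="{A[1:-1]}" '
           f'Destination="https://sp.example.com/acs">{sig}'
           f'<r:Status><r:StatusCode Value="{SUCCESS}"/></r:Status><a:Assertion>'
           '<a:Conditions NotBefore="2024-01-01T00:00:00Z" '
           'NotOnOrAfter="2024-01-01T00:05:00Z"/></a:Assertion></r:Response>')
    return urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode()})
```

Pass a timezone-aware `now`. An empty result means the message is ready for signature verification, not that the assertion is valid.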