PingFederate Server

IdP-initiated SSO—POST

In this scenario, a user is logged on to the identity provider (IdP) and attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.

Diagram illustrating the IdP-initiated SSO POST process between the IdP, browser interface, and the SP.
IdP-initiated SSO—​POST

Processing steps

  1. A user logs on to the IdP.

    If a user is not yet logged on for some reason, they are challenged to do so at step 2.

  2. The user requests access to a protected SP resource.

  3. After the user requests access, the IdP might also retrieve attributes from the user datastore..

  4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

    SAML specifications require digitally-signed POST responses.

  5. (Not shown) If the signature and the assertion, or the JSON Web Token, are valid, the SP establishes a session for the user and redirects the browser to the target resource.