IdP-initiated SSO—POST
In this scenario, a user is logged on to the identity provider (IdP) and attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.
Processing steps
-
A user logs on to the IdP.
If a user is not yet logged on for some reason, he or she is challenged to do so at step 2.
-
The user requests access to a protected SP resource.
-
After the user requests access, the IdP might also retrieve attributes from the user datastore..
-
The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
SAML specifications require digitally-signed POST responses.
-
(Not shown) If the signature and the assertion, or the JSON Web Token, are valid, the SP establishes a session for the user and redirects the browser to the target resource.