SSO—Browser-POST
In this scenario, a user logged on to the identity provider (IdP) attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.
Processing steps
1. A user logs on to the IdP.
   If a user is not logged on for some reason, the IdP challenges them to do so at step 2.
2. The user clicks a link or otherwise requests access to a protected SP resource.
3. Optionally, the IdP retrieves attributes from the user data source.
4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
   SAML specifications require digitally signed POST responses.
5. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
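The following Go program is an added illustration of steps 4 and 5, written for this page; it is not code from the page or from any SAML product. It models the IdP issuing a signed response to one request and the SP deciding whether that response is "valid" before it creates a session: the signature is verified before any field is trusted, then Issuer, Destination, Audience, InResponseTo, the validity window and a replay cache are checked. The entity IDs, the ACS URL, the user name and the 5-minute assertion lifetime are constructed values. To stay within the standard library, the IdP signature is an RSA signature over the response bytes carried as a separate value, standing in for the embedded XML-DSig element (with canonicalization) that real SAML responses contain; namespaces are omitted from the constructed XML for the same reason.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"html"
	"time"
)
// Constructed identifiers for both parties (assumptions, not values from the page).
const (
	idpEntityID = "https://idp.example.test/idp"
	spEntityID  = "https://sp.example.test/metadata"
	spACSURL    = "https://sp.example.test/saml/acs" // where the browser posts the form
	clockSkew   = 2 * time.Minute                    // tolerated IdP/SP clock difference
)

// Minimal view of the SAML Response: only the fields the SP checks, namespaces omitted.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	ID           string   `xml:"ID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
	Issuer       string   `xml:"Issuer"`
	NameID       string   `xml:"Assertion>Subject>NameID"`
	Conditions   struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Assertion>Conditions"`
}

// newIdPKey makes a throwaway signing key; a real IdP uses its provisioned certificate.
func newIdPKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// idpBuildResponse is the IdP side of step 4: issue the assertion answering one AuthnRequest and sign the whole response.
func idpBuildResponse(key *rsa.PrivateKey, inResponseTo string, now time.Time) (samlB64, sigB64 string) {
	id := make([]byte, 16)
	rand.Read(id) // fresh response ID so the SP can detect replays
	doc := fmt.Sprintf(`<Response ID="_%x" InResponseTo="%s" Destination="%s"><Issuer>%s</Issuer><Assertion>`+
		`<Subject><NameID>alice@example.test</NameID></Subject><Conditions NotBefore="%s" NotOnOrAfter="%s">`+
		`<AudienceRestriction><Audience>%s</Audience></AudienceRestriction></Conditions></Assertion></Response>`,
		id, html.EscapeString(inResponseTo), spACSURL, idpEntityID, now.Format(time.RFC3339),
		now.Add(5*time.Minute).Format(time.RFC3339), spEntityID)
	digest := sha256.Sum256([]byte(doc))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString([]byte(doc)), base64.StdEncoding.EncodeToString(sig)
}

// spValidate is the SP side of step 5: verify the signature before trusting any field, then check addressing, request binding, validity window and replay.
func spValidate(idpPub *rsa.PublicKey, samlB64, sigB64, reqID string, now time.Time, seen map[string]bool) (string, error) {
	raw, err1 := base64.StdEncoding.DecodeString(samlB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("posted fields are not valid base64")
	}
	digest := sha256.Sum256(raw)
	if rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify against the configured IdP key")
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("malformed response: %w", err)
	}
	notBefore, err1 := time.Parse(time.RFC3339, resp.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, resp.Conditions.NotOnOrAfter)
	switch {
	case resp.Issuer != idpEntityID || resp.Destination != spACSURL || resp.Conditions.Audience != spEntityID:
		return "", fmt.Errorf("response is not from the expected IdP or not addressed to this SP")
	case resp.InResponseTo != reqID:
		return "", fmt.Errorf("InResponseTo does not match an outstanding request")
	case err1 != nil || err2 != nil || now.Before(notBefore.Add(-clockSkew)) || !now.Before(notOnOrAfter.Add(clockSkew)):
		return "", fmt.Errorf("assertion is outside its validity window")
	case resp.ID == "" || seen[resp.ID]:
		return "", fmt.Errorf("response ID missing or already consumed (replay)")
	}
	seen[resp.ID] = true
	return resp.NameID, nil
}

func main() {
	key, now, seen := newIdPKey(), time.Now(), map[string]bool{}
	saml, sig := idpBuildResponse(key, "_req42", now)
	fmt.Println(spValidate(&key.PublicKey, saml, sig, "_req42", now, seen)) // genuine post: alice@example.test
	fmt.Println(spValidate(&key.PublicKey, saml, sig, "_req42", now, seen)) // the same post again: replay error
}
```

The order of the checks is the point: the SP decodes the `SAMLResponse` form field and verifies the signature with the key it has configured for this IdP before it parses or compares any value, because every field in the POST body passed through the user's browser. A production SP would do the same with an XML-DSig library over the embedded `Signature` element, and would back the `seen` map with shared storage that expires entries once `NotOnOrAfter` plus the clock skew has passed.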