In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.

SSO browser/POST profile

Processing steps:

  1. A user has logged on to the IdP.
    (If a user has not yet logged on for some reason, he or she is challenged to do so at step 2).
  2. The user clicks a link or otherwise requests access to a protected SP resource.
  3. Optionally, the IdP retrieves attributes from the user data source.
  4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
    Note: SAML specifications require that POST responses be digitally signed.

  5. (Not shown) If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.
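The SP-side validation at step 5, as an added example that is not part of the original page: a Python function that decodes the SAMLResponse form field of the posted HTML form and applies the structural checks (Destination, Status, presence of the required ds:Signature, validity window, Audience) before the document is handed to an XML-DSig library for cryptographic verification. The IdP/SP URLs, element IDs and the empty ds:Signature element in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):  # SAML timestamps are ISO 8601 UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_post_response(saml_response_b64, acs_url, audience, now):
    """Structural checks an SP runs on the SAMLResponse form field before
    XML-DSig verification (not done here). Returns a list of problems."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion"]
    # The profile requires POST responses to be signed: reject when neither the Response nor the Assertion carries ds:Signature
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return problems + ["no saml:Conditions with NotOnOrAfter"]
    if not _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window")
    aud = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in aud:
        problems.append("Audience does not include this SP")
    return problems
# Constructed sample; <ds:Signature/> is an empty placeholder, not a real signature
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/acs">
 <saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature/>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"><saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>""")
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)     # inside the validity window
LATER = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter
```

An empty result only means the document is well-formed for this SP; the session in step 5 is established only after the signature itself has been verified against the IdP's trusted certificate.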