In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.

IdP-initiated SSO: POST

Processing steps:

  1. A user has logged on to the IdP.
    (If the user has not yet logged on for some reason, he or she is challenged to do so at step 2.)
  2. The user clicks a link or otherwise requests access to a protected SP resource.
  3. Optionally, the IdP retrieves attributes from the user datastore.
  4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

    SAML specifications require that POST responses be digitally signed.

  5. (Not shown) If the signature and the assertion (or the JSON Web Token) are valid, the SP establishes a session for the user and redirects the browser to the target resource.
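As an added example that is not part of this documentation or any product's code, the SP-side checks of step 5 on the POSTed SAMLResponse form value, written in Python with only the standard library. The ACS URL, entity IDs and the sample response are constructed for illustration, and cryptographic verification of the XML Signature against the IdP's certificate is assumed to be done separately by an XML-DSig library; this code only requires that a signature element is present and that the assertion's own claims name this SP.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_ts(value):  # SAML xs:dateTime values are UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_post_response(saml_response_b64, acs_url, sp_entity_id, now):
    """Checks an unsolicited SAMLResponse form value before the SP opens a session
    and returns the NameID. Assumes the XML Signature was already verified by an
    XML-DSig library against the IdP's certificate; only its presence is checked."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("InResponseTo"):  # IdP-initiated: the SP never sent an AuthnRequest
        raise ValueError("unsolicited response carries InResponseTo")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    a = root.find("saml:Assertion", NS)  # encrypted assertions are not handled here
    if a is None or (root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None):
        raise ValueError("POST binding requires a signed Response or Assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("AudienceRestriction does not name this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer SubjectConfirmationData mismatch or expired")
    return a.find("saml:Subject/saml:NameID", NS).text

# Constructed sample of the form field the browser POSTs (ds:Signature shown as an empty element).
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml='
  '"urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" '
  'Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="https://sp.example.com/acs">'
  '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
  '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"><ds:Signature/>'
  '<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method='
  '"urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient='
  '"https://sp.example.com/acs" NotOnOrAfter="2024-05-01T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>'
  '<saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"><saml:AudienceRestriction>'
  '<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

A real SP must also replay-protect on the assertion ID and bind the session to the NameID it returns.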