In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.
A user has logged on to the IdP.
(If a user has not yet logged on for some reason, he or she is challenged to do so at step 2).
- The user clicks a link or otherwise requests access to a protected SP resource.
- Optionally, the IdP retrieves attributes from the user datastore.
The IdP's SSO service returns an HTML form to the browser with a SAML response
containing the authentication assertion and any additional attributes. The
browser automatically posts the HTML form back to the SP.
SAML specifications require that POST responses be digitally signed.
- (Not shown) If the signature and the assertion (or the JSON Web Token) are valid, the SP establishes a session for the user and redirects the browser to the target resource.