In this scenario, the SP sends a SAML artifact to the IdP via an HTTP redirect. The IdP uses the artifact to obtain an authentication request from the SP's SAML artifact resolution service. The IdP returns a SAML response to the SP via HTTP POST.
- A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.
- The SP generates an authentication request and creates an artifact. The SP sends an HTTP redirect containing the artifact through the user's browser to the IdP's SSO service. The artifact contains the source ID of the SP's artifact resolution service and a reference to the previously generated authentication request.
- The SSO service extracts the source ID from the SAML artifact and sends a SAML artifact-resolve message over SOAP, containing the artifact, to the SP's Artifact Resolution Service (ARS). The SP's and IdP's source IDs and remote artifact resolution services are mapped according to the federation agreement made prior to this action.
- The SP's ARS returns a SAML message containing the previously generated authentication request.
- If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (for example, ID and password) and the user logs on.
- Additional information about the user may be retrieved from the user datastore for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP; see User attributes.)
- The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP. SAML specifications require that POST responses be digitally signed.
- (Not shown) If the signature and the assertion (or the JSON Web Token) are valid, the SP establishes a session for the user and redirects the browser to the target resource.
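The artifact handling in the steps above (the SP packing a source ID and a reference into the artifact, and the IdP's SSO service extracting the source ID and mapping it to the SP's ARS under the federation agreement) as an added, self-contained example; it is not code from the original page or from any federation product. The entity IDs, ARS URL and message handle are constructed values, and the SourceID is taken to be the SHA-1 hash of the SP's entity ID as is common for SAML 2.0 type-4 artifacts.

```python
import base64
import hashlib
import struct

# Constructed federation agreement: SP entity ID -> that SP's Artifact Resolution Service.
FEDERATION = {
    "https://sp.example.com/saml": "https://sp.example.com/saml/ars",
}
# Index the agreement by 20-byte SourceID (SHA-1 of the entity ID; assumption, not spec-mandated).
SOURCE_ID_INDEX = {hashlib.sha1(eid.encode()).digest(): (eid, ars)
                   for eid, ars in FEDERATION.items()}

TYPE_CODE = 0x0004   # SAML 2.0 artifact type code
ARTIFACT_LEN = 44    # 2 (type) + 2 (endpoint index) + 20 (SourceID) + 20 (MessageHandle)


def build_artifact(entity_id, endpoint_index, message_handle):
    """SP side: pack type code, endpoint index, SourceID and a 20-byte handle; base64-encode."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    source_id = hashlib.sha1(entity_id.encode()).digest()
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id + message_handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact_b64):
    """Decode a base64 artifact and split it into its fields; reject malformed input."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return {"endpoint_index": endpoint_index,
            "source_id": raw[4:24],
            "message_handle": raw[24:44]}


def resolve_ars(artifact_b64):
    """IdP SSO service side: map the SourceID to the agreed SP and its ARS URL.

    Returns None when the SourceID is not in the federation agreement, so the IdP
    never sends an artifact-resolve message to an endpoint it has not agreed on.
    """
    parsed = parse_artifact(artifact_b64)
    entry = SOURCE_ID_INDEX.get(parsed["source_id"])
    if entry is None:
        return None
    entity_id, ars_url = entry
    return {"entity_id": entity_id, "ars_url": ars_url,
            "endpoint_index": parsed["endpoint_index"],
            "message_handle": parsed["message_handle"]}
```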