In an SP-initiated (also known as destination-first) transaction the user is connected to an SP site and attempts to access a protected resource in the SP domain. The user might have an account at the SP site but according to federation agreement, authentication is managed by the IdP. The SP sends an authentication request to the IdP.
- The user requests access to a protected SP resource. The request is redirected to the federation server (for example, PingFederate) to handle authentication.
- The federation server sends a SAML request for authentication to the IdP's SSO service (also called the Intersite Transfer Service).
- If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (for example, ID and password) and the user logs on.
- Additional information about the user may be retrieved from the user datastore for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP—see User attributes.)
- The IdP's Intersite Transfer Service returns an artifact, representing the SAML response, to the SP.
- The SP's artifact handling service sends a SOAP request with the artifact to the IdP's artifact resolver endpoint.
- The IdP resolves the artifact and returns the corresponding SAML response with the SSO assertion.
- (Not shown) If the assertion is valid, the SP establishes a session for the user and redirects the browser to the target resource.