In this scenario, the SP sends a SAML artifact to the IdP via an HTTP redirect. The IdP uses the artifact to obtain the authentication request from the SP. The IdP then sends another artifact to the SP, which the SP uses to obtain the SAML response.
Processing steps:
- A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.
- The ACS generates an authentication request and creates an artifact. It sends an HTTP redirect containing the artifact through the user's browser to the IdP's SSO service.
Note: The artifact contains the source ID of the SP's artifact resolution service and a reference to the authentication request.
- The SSO service extracts the source ID from the SAML artifact and sends a SAML artifact resolve message containing the artifact to the SP's artifact resolution service.
Note: The SP's and IdP's source IDs and remote artifact resolution services are mapped according to the federation agreement prior to this action.
- The SP's artifact resolution service sends back a SAML artifact response message containing the previously generated authentication request.
- If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (for example, ID and password) and the user logs on.
- Additional information about the user may be retrieved from the user datastore for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP—see User attributes.)
- The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
- The ACS extracts the Source ID from the SAML artifact and sends an artifact-resolve message to the identity federation server's Artifact Resolution Service (ARS).
- The ARS sends a SAML artifact response message containing the previously generated assertion.
- (Not shown) If a valid assertion is received, the SP establishes a session and redirects the browser to the target resource.
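The two steps in which a receiver extracts the source ID from an artifact and maps it to a partner's artifact resolution service (the SSO service in the first leg, the ACS in the second) can be illustrated with an added example. This is illustrative code, not the federation server's own; the entity IDs and ARS URLs it works with are constructed placeholders, and the partner map stands in for the federation agreement.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

SAML2_TYPE_CODE = 0x0004  # SAML 2.0 "type 4" artifact: TypeCode, EndpointIndex, SourceID, MessageHandle

@dataclass(frozen=True)
class Artifact:
    endpoint_index: int    # selects one of the issuer's artifact resolution service endpoints
    source_id: bytes       # SHA-1 of the issuing party's entityID (20 bytes)
    message_handle: bytes  # random reference to the message held by the issuer (20 bytes)

def source_id_for(entity_id: str) -> bytes:
    # The type 4 SourceID is the SHA-1 digest of the issuer's entityID.
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int = 0) -> str:
    # Issuer side: TypeCode || EndpointIndex || SourceID || MessageHandle, then base64.
    handle = secrets.token_bytes(20)  # must be unpredictable; the issuer stores the message under it
    raw = (SAML2_TYPE_CODE.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(encoded: str) -> Artifact:
    # Receiver side: reject anything that is not a well-formed 44-byte type 4 artifact.
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != 44:
        raise ValueError("SAML 2.0 type 4 artifact must decode to exactly 44 bytes")
    if int.from_bytes(raw[0:2], "big") != SAML2_TYPE_CODE:
        raise ValueError("unsupported artifact type code")
    return Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolve_source(art: Artifact, partners: dict) -> tuple:
    # Map the SourceID back to a federation partner and pick its ARS by EndpointIndex.
    # `partners` stands in for the federation agreement: entityID -> list of ARS URLs.
    # Only a partner configured here may be called, so a SourceID from an unknown issuer
    # never turns into an outbound artifact-resolve request.
    for entity_id, ars_urls in partners.items():
        if secrets.compare_digest(source_id_for(entity_id), art.source_id):
            if art.endpoint_index >= len(ars_urls):
                raise ValueError("EndpointIndex does not name a configured ARS for this partner")
            return entity_id, ars_urls[art.endpoint_index]
    raise ValueError("SourceID does not match any partner in the federation agreement")
```

The resolving side should additionally treat each message handle as single-use and short-lived, so a replayed artifact cannot fetch the same request or assertion twice.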