SSO—Browser-POST profile
Diagram illustrating the SSO browser-POST process between the browser interface, the IdP, and the SP.

Processing steps

  1. A user logs on to the IdP.

    If a user is not logged on for some reason, the IdP challenges them to do so at step 2.

  2. The user clicks a link or otherwise requests access to a protected SP resource.
  3. Optionally, the IdP retrieves attributes from the user data source.
  4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

    SAML specifications require digitally-signed POST responses.

  5. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
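The SP-side handling behind steps 4 and 5, as an added example that is not part of the original page or of any product's code: it decodes the `SAMLResponse` field the browser posts and runs the checks an SP can make before cryptographic signature verification, which needs an XML-DSig library and is not shown. The SAML 2.0 namespaces, the `sp.example` URLs, the function names and the sample POST body are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode

# SAML 2.0 namespaces (assumption: the page does not name the SAML version).
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def precheck(post_body, acs_url, sp_entity_id, now):
    """Return reasons to reject the POST; an empty list means the SP may go on
    to verify the XML signature (not done here) and then create a session."""
    fields = parse_qs(post_body)  # form body the browser posted in step 4
    if "SAMLResponse" not in fields:
        return ["POST carries no SAMLResponse field"]
    try:  # untrusted input: a production SP would use a hardened XML parser
        root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0], validate=True))
    except (ValueError, ET.ParseError):
        return ["SAMLResponse is not base64-encoded XML"]
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one assertion"]
    assertion, problems = assertions[0], []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's ACS URL")
    # Presence only; SAML places ds:Signature as a direct child of the signed element.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    audiences = [e.text for e in assertion.iterfind(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("assertion audience is not this SP")
    cond = assertion.find("a:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion is expired or has no NotOnOrAfter")
    return problems

def sample_post(signed=True, audience="https://sp.example/saml"):
    """Constructed POST body; the empty Signature element is only a placeholder."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="https://sp.example/acs">'
           '<a:Assertion>%s<a:Conditions NotOnOrAfter="2024-01-01T00:05:00Z">'
           '<a:AudienceRestriction><a:Audience>%s</a:Audience></a:AudienceRestriction>'
           '</a:Conditions></a:Assertion></p:Response>') % (NS["p"], NS["a"], sig, audience)
    return urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode(),
                      "RelayState": "/target"})
```

`now` must be a timezone-aware `datetime`, since the assertion's timestamps are in UTC.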