IdP-initiated SSO--POST
Diagram illustrating the IdP-initiated SSO POST process between the IdP, browser interface, and the SP.

Processing steps

  1. A user logs on to the IdP.

    If a user is not yet logged on for some reason, he or she is challenged to do so at step 2.

  2. The user requests access to a protected SP resource.
  3. After the user requests access, the IdP might also retrieve attributes from the user datastore.
  4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
    Note: SAML specifications require digitally signed POST responses.

  5. (Not shown) If the signature and the assertion, or the JSON Web Token, are valid, the SP establishes a session for the user and redirects the browser to the target resource.
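The SP-side checks behind step 5, as an added Python example that is not part of this page or of any vendor's product: it decodes the SAMLResponse form field posted in step 4 and applies the non-cryptographic checks (unsolicited response, destination, status, issuer, validity window, audience) before extracting the attributes. It assumes the XML signature over the response has already been verified with an XMLDSig library; the entity IDs, ACS URL and the sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of the SAMLResponse field posted in step 4 (entity IDs and URLs are placeholders).
# IdP-initiated, so there is no InResponseTo. The empty ds:Signature stands in for a real XMLDSig signature.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1"
 Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.test/acs">
 <saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature/>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
SAMPLE_FORM_FIELD = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):  # SAML timestamps are UTC xs:dateTime; older Pythons reject a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_idp_initiated_response(form_field, acs_url, sp_entity_id, idp_entity_id, now, skew=timedelta(minutes=2)):
    """Step 5 checks on the decoded form field; `now` is the SP clock as an xs:dateTime string. Run them
    only after an XMLDSig library has verified the signature (not done here). Returns (ok, reason, attrs)."""
    root = ET.fromstring(base64.b64decode(form_field))
    if root.tag != "{%s}Response" % NS["samlp"] or root.find("ds:Signature", NS) is None:
        return False, "not a signed samlp:Response", {}
    if root.get("InResponseTo"):  # an IdP-initiated response is unsolicited; there is no request to match
        return False, "unexpected InResponseTo", {}
    if root.get("Destination") != acs_url:  # the IdP bound this response to exactly one ACS URL
        return False, "Destination is not our ACS URL", {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if code is None or code.get("Value") != SUCCESS or assertion is None:
        return False, "no successful assertion", {}
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != idp_entity_id:  # response and assertion must name our trusted IdP
            return False, "unexpected issuer", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) - skew <= _ts(now) < _ts(cond.get("NotOnOrAfter")) + skew):
        return False, "assertion outside its validity window", {}
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion is not addressed to this SP", {}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs
```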