In service provider (SP)-initiated, destination-first transactions, the user connects to an SP site and attempts to access a protected resource in the SP domain. The user might have an account at the SP site, but according to the federation agreement, the identity provider (IdP) manages authentication. The SP sends an authentication request to the IdP.
- The user requests access to a protected SP resource. The request redirects to the federation server to handle authentication.
- The federation server sends a SAML request for authentication to the IdP's single sign-on (SSO) service, also called the Intersite Transfer Service.
- If the user is not already logged on to the IdP site or needs to re-authenticate, The IdP asks for credentials, such as ID and password, and the user logs on.
- The user data store can provide additional information about the user for inclusion in the SAML response. The federation agreement between the IdP and the SP predetermines these attributes. See User attributes.
- The IdP's Intersite Transfer Service returns an artifact representing the SAML response to the SP.
- The SP's artifact handling service sends a SOAP request with the artifact to the IdP's artifact resolver endpoint.
- The IdP resolves the artifact and returns the corresponding SAML response with the SSO assertion.
- (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.