In this scenario, a user is logged on to the identity provider (IdP) and attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.
Processing steps
- A user logs on to the IdP. If the user is not yet logged on for some reason, he or she is challenged to do so at step 2.
- The user requests access to a protected SP resource.
- After the user requests access, the IdP might also retrieve attributes from the user datastore.
- The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
  Note: SAML specifications require digitally signed POST responses.
- (Not shown) If the signature and the assertion, or the JSON Web Token, are valid, the SP establishes a session for the user and redirects the browser to the target resource.
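As an added example (not code from the original page or the product it documents), the HTTP-POST exchange of steps 4 and 5 in Python: the IdP wraps the already-signed response in the self-submitting form, and the SP decodes it and applies the checks that make the assertion safe to accept before it creates a session. The entity IDs, URLs and sample response are constructed placeholders, and the XML-DSig verifier is assumed to be supplied by the SP's SAML library (it is injected, not implemented here).

```python
import base64, html, xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def encode_response(signed_response_xml):  # value of the SAMLResponse form field
    return base64.b64encode(signed_response_xml.encode()).decode()

def idp_post_form(signed_response_xml, acs_url, relay_state=""):
    """IdP side (step 4): the self-submitting HTML form of the HTTP-POST binding."""
    return (f'<form method="post" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{encode_response(signed_response_xml)}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '</form><script>document.forms[0].submit()</script>')

def saml_time(s):  # SAML timestamps are UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_validate(saml_response_b64, acs_url, sp_entity_id, now, verify_xmldsig):
    """SP side (step 5): accept the POSTed response only if it is addressed to this SP,
    carries a signature that verifies, is inside its validity window and is restricted
    to this SP's audience. Returns the NameID. verify_xmldsig is the SP's XML-DSig
    checker, injected here (assumed; a real SP uses its SAML library's)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this SP's ACS URL")
    if root.find("ds:Signature", NS) is None:      # unsigned POST responses are out of spec
        raise ValueError("unsigned POST response rejected")
    if not verify_xmldsig(root):
        raise ValueError("signature does not verify against the IdP certificate")
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different SP")
    return a.find("saml:Subject/saml:NameID", NS).text

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example/acs">
 <saml:Issuer>https://idp.example</saml:Issuer><ds:Signature>(XML-DSig elided)</ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Subject><saml:NameID>alice@example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""  # constructed sample, placeholder entity IDs
```

The order of checks matters: the Destination and signature checks run before any assertion content is trusted, so a response replayed to a different SP or one whose signature has been stripped is rejected before its conditions are even read.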