In this scenario, a user logged on to the identity provider (IdP) attempts to access a resource on a remote service provider (SP) server. HTTP POST transports the SAML assertion to the SP.
1. A user logs on to the IdP.
   Note: if the user is not already logged on, the IdP challenges them to do so at step 2.
2. The user clicks a link or otherwise requests access to a protected SP resource.
3. Optionally, the IdP retrieves attributes from the user data source.
4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
   Note: the SAML specifications require POST responses to be digitally signed.
5. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
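As an added example (not code from the original page or any particular IdP/SP product), the two halves of the POST step above in Python: the IdP's self-submitting form carrying the base64 `SAMLResponse`, and the structural checks an SP should run on it before establishing a session (signature present, `Destination`, validity window, `Audience`). The SP endpoint, entity ID and the sample Response are constructed; cryptographic verification of the XML-DSig is assumed to be done by a library such as xmlsec and is not implemented here.

```python
import base64, html
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ACS_URL = "https://sp.example.com/saml/acs"    # assumed SP endpoint (constructed)
SP_ENTITY_ID = "https://sp.example.com/metadata"  # assumed SP entity ID (constructed)

def build_post_form(saml_response_b64: str, acs_url: str, relay_state: str) -> str:
    """IdP side: the self-submitting HTML form the browser posts to the SP."""
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{saml_response_b64}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/></form></body></html>')

def check_post_response(saml_response_b64: str, now_iso: str) -> list[str]:
    """SP side: structural checks on a POSTed Response; returns reasons to reject (empty = OK)."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination does not match our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    # POST binding responses must be signed; verifying the XML-DSig itself is left to xmlsec.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    now = parse(now_iso)
    if now < parse(cond.get("NotBefore")) or now >= parse(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("assertion not addressed to this SP")
    return problems

def sample_response_b64(signed: bool = True, audience: str = SP_ENTITY_ID) -> str:
    """Constructed sample Response (not real IdP output), base64-encoded like the form field."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{SP_ACS_URL}">'
           f'<saml:Assertion>{sig}<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A response that fails any check must be rejected before a session is created; an unsigned Response or one addressed to another SP is the classic way an assertion gets replayed or forged.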