Pairing service provider (SP)- and identity provider (IdP)-initiated protocols with transport-binding specifications results in eight practical SSO scenarios.
Enabling SP-initiated transactions through SAML 2.0 increases the number of possible SSO profile variations. The following profile variations each illustrate a specific scenario:
- SP-initiated SSO—POST-POST: A user attempts to access a protected resource directly on an SP website without being logged on. The user has no local account on the SP site but does have a federated account at a third-party IdP. The SP builds an authentication request (AuthnRequest) and sends it to the IdP's single sign-on service through the user's browser via HTTP POST. After authenticating the user, the IdP returns a SAML response carrying the assertion to the SP's assertion consumer service, again through the browser via HTTP POST.
- SP-initiated SSO—Redirect-POST: The SP redirects the user's browser to the IdP with the authentication request carried in the URL query string (the HTTP Redirect binding, which DEFLATE-compresses and base64-encodes the request). The IdP returns a SAML response containing the assertion to the SP through the browser via HTTP POST. This is the most common SP-initiated combination in practice.
- SP-initiated SSO—Artifact-POST: Instead of sending the request itself, the SP sends a SAML artifact (a short reference to the request) to the IdP through an HTTP redirect. The IdP dereferences the artifact by calling the SP's artifact resolution service over a back channel (SOAP) to obtain the authentication request. The IdP then returns a SAML response to the SP via HTTP POST.
- SP-initiated SSO—POST-Artifact: The SP sends the authentication request to the IdP through HTTP POST. The IdP returns an artifact, rather than the response itself, through the user's browser via HTTP redirect. The SP resolves the artifact at the IdP's artifact resolution service over the back channel to obtain the SAML response containing the assertion.
- SP-initiated SSO—Redirect-Artifact: The SP sends the authentication request to the IdP through an HTTP redirect. The IdP returns an artifact through an HTTP redirect, and the SP uses the artifact to obtain the SAML response from the IdP's artifact resolution service.
- SP-initiated SSO—Artifact-Artifact: The SP sends a SAML artifact to the IdP through an HTTP redirect. The IdP uses the artifact to obtain the authentication request from the SP's artifact resolution service, then sends its own artifact back to the SP, which the SP uses to obtain the SAML response from the IdP's artifact resolution service.
- IdP-initiated SSO—POST: A user who is already logged on to the IdP attempts to access a resource on a remote SP server, for example by following a link on the IdP's portal. There is no authentication request; the IdP issues an unsolicited SAML response, and the browser transports it to the SP through HTTP POST.
- IdP-initiated SSO—Artifact: The IdP sends a SAML artifact to the SP through an HTTP redirect. The SP uses the artifact to obtain the associated SAML response from the IdP's artifact resolution service.
In every scenario the SP must validate the response it finally obtains, whether it arrived by POST or was fetched with an artifact: verify the signature, check Destination, audience and the validity window, and in the SP-initiated cases match InResponseTo against an outstanding request (an IdP-initiated response has no request to correlate with, so those checks are all the SP has). An artifact is a reference, not an assertion: the resolving party calls the issuer's artifact resolution service over an authenticated back channel, and the issuer should release each message only once.
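The three bindings these scenarios combine, as an added example that is not part of the original text: Python code that encodes an AuthnRequest for the HTTP Redirect binding (raw DEFLATE, base64, URL-encoded into the query string) and for the HTTP POST binding (plain base64 in a form field), and that builds, parses and resolves a SAML 2.0 artifact (type code 0x0004, endpoint index, 20-byte SHA-1 SourceID, 20-byte message handle). The sample AuthnRequest, the entity IDs and URLs, and the `ArtifactIssuer` class are constructed for this example and are not from any SAML library; a real deployment signs the messages and would use a maintained SAML implementation.

```python
# Added example, not from the original text: the three SAML 2.0 bindings the
# scenarios above combine. Entity IDs, URLs and the AuthnRequest are constructed.
import base64
import hashlib
import os
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest (unsigned, illustration only).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/sso/redirect" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>')

# HTTP Redirect binding: raw DEFLATE -> base64 -> URL-encode, in the query string.
def build_redirect_url(sso_url: str, request_xml: str,
                       relay_state: Optional[str] = None) -> str:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"

def decode_redirect_url(url: str) -> tuple:
    """Inverse of build_redirect_url; returns (request_xml, relay_state)."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return xml.decode("utf-8"), query.get("RelayState", [None])[0]

# HTTP POST binding: plain base64 in a SAMLRequest/SAMLResponse form field that
# the browser auto-submits; no compression and no URL length limit.
def encode_post_binding(message_xml: str) -> str:
    return base64.b64encode(message_xml.encode("utf-8")).decode("ascii")

def decode_post_binding(field_value: str) -> str:
    return base64.b64decode(field_value).decode("utf-8")

# HTTP Artifact binding: the browser carries only a 44-byte reference:
# TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20), base64.
ARTIFACT_TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact format

def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 of the issuer's entity ID (20 bytes)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = (ARTIFACT_TYPE_CODE + endpoint_index.to_bytes(2, "big")
           + source_id(issuer_entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(artifact: str) -> dict:
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != ARTIFACT_TYPE_CODE:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def locate_issuer(artifact: str, known_entity_ids) -> Optional[str]:
    """Receiver side: match SourceID against the partners in its metadata to
    learn whose artifact resolution service (and which endpoint index) to call."""
    sid = parse_artifact(artifact)["source_id"]
    return next((e for e in known_entity_ids if source_id(e) == sid), None)

class ArtifactIssuer:
    """Hypothetical issuer-side store behind an artifact resolution service.
    The message never touches the browser: it is stored here and handed out
    exactly once over the back channel, then discarded."""

    def __init__(self, entity_id: str, endpoint_index: int = 0):
        self.entity_id = entity_id
        self.endpoint_index = endpoint_index
        self._pending = {}

    def issue(self, message_xml: str) -> str:
        handle = os.urandom(20)  # unguessable, so the reference cannot be forged
        self._pending[handle] = message_xml
        return build_artifact(self.entity_id, self.endpoint_index, handle)

    def resolve(self, artifact: str) -> Optional[str]:
        parsed = parse_artifact(artifact)
        if parsed["source_id"] != source_id(self.entity_id):
            return None  # not issued by us
        return self._pending.pop(parsed["message_handle"], None)  # single use

def demo() -> dict:
    """Walk the constructed sample data through all three bindings."""
    url = build_redirect_url("https://idp.example.org/sso/redirect",
                             SAMPLE_AUTHN_REQUEST, relay_state="/docs")
    idp = ArtifactIssuer("https://idp.example.org/metadata")
    art = idp.issue('<samlp:Response ID="_resp1"/>')
    return {"redirect_url": url, "decoded": decode_redirect_url(url),
            "post_field": encode_post_binding(SAMPLE_AUTHN_REQUEST),
            "artifact_issuer": locate_issuer(art, ["https://sp.example.com/metadata",
                                                   "https://idp.example.org/metadata"]),
            "first_resolve": idp.resolve(art), "second_resolve": idp.resolve(art)}
```

`demo()` shows the practical difference between the bindings: the Redirect binding puts the whole request in a URL that ends up in browser history and server logs and is subject to URL length limits, the POST binding moves it into the request body, and the Artifact binding keeps the message off the front channel entirely, so the browser only ever sees the 44-byte reference and the second `resolve` call returns `None`.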