1. A browser-based client attempts to access a protected resource on a service provider.

   The browser does not have an existing session with the

2. Upon receipt of the request from the browser, the service provider generates a SAML authentication request.

   The SAML request includes information indicating which service provider generated the request (the Issuer), so the IdP can identify which service provider initiated it. The IdP must also have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully: the ACS URL tells the IdP where to post the final SAML response.

   The authentication request can be sent to the IdP, and the Assertion sent to the service provider, through either the Redirect or the POST binding. For example, Cisco Unified Communications Manager supports POST binding in either direction.

3. The service provider redirects the request to the browser.

   The IdP URL is preconfigured on the service provider as part of SAML metadata exchange.

4. The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is carried as a query parameter of the GET request (the Redirect binding).
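The request-building and Redirect-binding encoding described above, seen from both ends, as an added example in Python using only the standard library. This is illustration code written for this page, not Cisco Unified Communications Manager code or any IdP's implementation; the entity IDs, URLs and the `sp_metadata` registry are hypothetical. It also shows the one check the IdP must make on the ACS URL it receives: a Redirect-binding request is usually unsigned, so the ACS URL inside it is only trustworthy after being matched against the SP's metadata.

```python
"""SP-initiated SAML 2.0 AuthnRequest over the HTTP-Redirect binding, both ends (stdlib only).
Example code for this page; entity IDs, URLs and sp_metadata are hypothetical."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None):
    """Service provider side: build the AuthnRequest. Returns (request_id, xml_string).

    Issuer tells the IdP which SP is asking; AssertionConsumerServiceURL tells it where to
    POST the Response; Destination pins the IdP endpoint this request was meant for."""
    request_id = request_id or "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": POST_BINDING,  # ask for the Response via the POST binding
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Service provider side: Redirect binding = raw DEFLATE (no zlib header) -> base64
    -> URL-encoded SAMLRequest query parameter on the IdP SSO URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def idp_decode_request(redirect_url):
    """IdP side: reverse the encoding and pull out what the IdP needs from the request."""
    query = parse_qs(urlparse(redirect_url).query)
    raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)  # use defusedxml in production to block XXE / entity bombs
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def idp_resolve_acs(parsed_request, sp_metadata):
    """IdP side: the Redirect-binding request is typically unsigned, so the ACS URL in it
    is attacker-controllable. Honour it only if it matches the SP's registered metadata;
    otherwise the IdP could be tricked into POSTing a signed assertion to a rogue endpoint.
    sp_metadata is a hypothetical {issuer entity ID: registered ACS URL} registry."""
    registered = sp_metadata.get(parsed_request["issuer"])
    if registered is None:
        raise ValueError(f"unknown service provider {parsed_request['issuer']!r}")
    if parsed_request["acs_url"] != registered:
        raise ValueError("AssertionConsumerServiceURL does not match SP metadata")
    return registered


if __name__ == "__main__":
    sp_metadata = {"https://sp.example.com/metadata": "https://sp.example.com/saml/acs"}
    rid, xml = build_authn_request("https://sp.example.com/metadata",
                                   "https://sp.example.com/saml/acs",
                                   "https://idp.example.com/sso")
    url = redirect_binding_url("https://idp.example.com/sso", xml, relay_state="/protected")
    parsed = idp_decode_request(url)
    print(url)
    print(parsed, "->", idp_resolve_acs(parsed, sp_metadata))
```

The SP keeps the returned request ID so it can later match the Response's InResponseTo; the IdP never uses the ACS URL from the wire without confirming it against metadata.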
5. The IdP checks for a valid session with the

   In the absence of any existing session with the browser, the IdP generates a login request to the browser and authenticates the browser using whatever authentication mechanism is configured and enforced by the IdP.

   The authentication mechanism is determined by the security and authentication requirements of the customer. This could be form-based authentication using a username and password, Kerberos, PKI, etc. This example assumes form-based authentication.

6. The user enters the required credentials in the login form and posts them back to the IdP.

   The authentication challenge for logging in is between the browser and the IdP. The service provider is not involved in user

7. The IdP in turn submits the credentials to the LDAP server.

8. The LDAP server checks the directory for the credentials and sends the validation status back to the IdP.

9. The IdP validates the credentials and generates a SAML response, which includes a SAML Assertion.

   The Assertion is digitally signed by the IdP; it is on the strength of that signature that the service provider will grant the user access to its protected resources. The IdP also sets its own cookie here, so that a later request from this browser finds an existing IdP session and skips the login step.

10. The IdP redirects the SAML response to the

11. The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service provider (the POST binding).

12. The service provider extracts the Assertion and validates the digital signature.

   The service provider checks the signature against the IdP signing certificate it received during SAML metadata exchange; that is what establishes the circle of trust with the IdP. An Assertion whose signature does not verify must be rejected.

13. The service provider grants access to the protected resource and returns the resource content by replying 200 OK to

   The service provider sets its own cookie here. If the browser subsequently requests an additional resource, it includes the service provider cookie in the request, and the service provider checks whether a session already exists with the browser. If a session exists, the service provider returns the resource content directly, without repeating the SAML exchange.
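What the ACS URL should do with the Response the browser POSTs to it, as an added example in Python using only the standard library. This is illustration code written for this page, not Cisco Unified Communications Manager code; the entity IDs, the ACS URL and the sample Response are constructed for the demo. Signature validation against the IdP certificate is the check the text describes, but XML-DSig is not in the standard library, so here it is modelled by a `signature_ok` callable that real code would back with an xmlsec-based library; the rest of the checks (status, Destination, InResponseTo, issuer, validity window, audience, bearer confirmation, replay) are the ones a service provider must make beyond the signature before it sets its own session cookie.

```python
"""Service-provider checks on the SAML Response POSTed to the ACS URL (stdlib only).
Example code for this page; IDs, URLs and SAMPLE_RESPONSE are constructed for the demo."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=1)
IDP_ENTITY_ID = "https://idp.example.com/metadata"   # hypothetical
SP_ENTITY_ID = "https://sp.example.com/metadata"     # hypothetical
ACS_URL = "https://sp.example.com/saml/acs"          # hypothetical


class SAMLValidationError(Exception):
    pass


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z (fractional seconds ignored)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(response_xml, *, idp_entity_id, sp_entity_id, acs_url,
                      outstanding_requests, seen_assertions, now, signature_ok):
    """Return the NameID if every check passes, otherwise raise SAMLValidationError.
    signature_ok(element) stands in for XML-DSig verification with the IdP certificate from
    metadata. It is called on the exact Assertion element whose contents are read afterwards;
    verifying one element and consuming another is how signature-wrapping attacks succeed."""
    root = ET.fromstring(response_xml)  # prefer defusedxml in production (XXE, entity bombs)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SAMLValidationError("not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise SAMLValidationError("IdP did not report success")
    if root.get("Destination") != acs_url:
        raise SAMLValidationError("Destination is not this ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        raise SAMLValidationError("InResponseTo does not match a pending request")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise SAMLValidationError("no plaintext Assertion (EncryptedAssertion not handled here)")
    if not signature_ok(assertion):
        raise SAMLValidationError("Assertion signature did not verify")
    if assertion.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise SAMLValidationError("Assertion issuer is not the trusted IdP")
    if assertion.get("ID") in seen_assertions:
        raise SAMLValidationError("Assertion replayed")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SAMLValidationError("Assertion has no Conditions")
    if (now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter"))):
        raise SAMLValidationError("Assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise SAMLValidationError("Assertion was issued for a different audience")
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation"
                         f"[@Method='{BEARER}']/{{{SAML}}}SubjectConfirmationData")
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != in_response_to
            or now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter"))):
        raise SAMLValidationError("bearer SubjectConfirmationData does not match this exchange")
    outstanding_requests.discard(in_response_to)  # one Response per request
    seen_assertions.add(assertion.get("ID"))      # one login per assertion
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def acs_handler(form, **checks):
    """The ACS endpoint: the POST binding carries the Response base64-encoded in the
    SAMLResponse form field; decode it and run the checks above."""
    return validate_response(base64.b64decode(form["SAMLResponse"]), **checks)


# Constructed sample Response (unsigned; signature_ok is stubbed in demo()).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
 Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req1">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
    Recipient="{ACS_URL}" InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
FIXED_NOW = parse_saml_time("2024-01-01T12:00:00Z")


def demo(now=FIXED_NOW, sp_entity_id=SP_ENTITY_ID, seen_assertions=None):
    """Run the ACS handler once over the sample and return the NameID."""
    form = {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE.encode()).decode()}
    return acs_handler(form, idp_entity_id=IDP_ENTITY_ID, sp_entity_id=sp_entity_id,
                       acs_url=ACS_URL, outstanding_requests={"_req1"},
                       seen_assertions=set() if seen_assertions is None else seen_assertions,
                       now=now, signature_ok=lambda element: True)
```

Only after `validate_response` returns does the service provider create its session and set the cookie described in the text; `seen_assertions` and `outstanding_requests` need to live in shared server state so a captured Response cannot be replayed against another worker.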