JBoss Community Archive (Read Only)

PicketLink

Initiated SSO

Introduction

This page covers the basics of how the SAML v2.0 SP-Initiated SSO flow works. Keep in mind that this SSO mode always starts at the SP side, which sends a SAML authentication request to the IdP.

    (Figure: sso.png, diagram of the SP-initiated SSO flow)

A Walk Through

  1. User requests access to a resource protected by the SP.

  2. The SP checks if the user is already authenticated.

  3. The user is not authenticated at the SP, so the user is redirected to the IdP for authentication.

  4. The user provides his credentials and submits them to the IdP.

  5. The IdP queries the configured identity stores (e.g. LDAP or a database) and checks whether the credentials are valid.

  6. If the credentials are valid, the IdP creates a session for the user and issues a SAML v2.0 assertion.

  7. The IdP redirects the user back to the SP, sending the newly created SAML v2.0 assertion with all security-related information about the user.

  8. The SP checks the assertion to make sure it is valid.

  9. If the assertion is valid, the SP redirects the user to the originally requested protected resource.
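The nine steps above, modelled end to end as an added example (this is not PicketLink's code, and it is not a real SAML library): the SP builds an AuthnRequest and remembers the requested resource, the IdP checks the credentials against a constructed user table, opens a session and issues a Response carrying an Assertion, and the SP performs the step 8 checks (signature, status, Destination, Issuer, InResponseTo, validity window, Audience) before releasing the resource in step 9. The entity IDs, URLs, user table and the HMAC used as a stand-in for XML-DSig are all assumptions of the example.

```python
"""Simplified SAML v2.0 SP-initiated SSO exchange (constructed example, not PicketLink code)."""
import hmac
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY = "https://sp.example.test/metadata"     # constructed SP entityID
IDP_ENTITY = "https://idp.example.test/metadata"   # constructed IdP entityID
ACS_URL = "https://sp.example.test/saml/acs"       # constructed AssertionConsumerService URL
IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # stand-in for the IdP's signing key

def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sign(xml_bytes):
    # Stand-in for XML Signature; real SAML uses XML-DSig with the IdP's certificate.
    return hmac.new(IDP_SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # outstanding request ID -> originally requested resource

    def build_authn_request(self, resource):
        # Steps 1-3: remember the protected resource and send the user to the IdP.
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = resource
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=req_id, Version="2.0",
                         IssueInstant=fmt(datetime.now(timezone.utc)),
                         AssertionConsumerServiceURL=ACS_URL)
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY
        return ET.tostring(req)

    def consume_response(self, xml_bytes, signature, skew=timedelta(minutes=2)):
        # Step 8: validate the Response and Assertion before trusting any of their content.
        if not hmac.compare_digest(sign(xml_bytes), signature):
            raise ValueError("signature does not verify")
        resp = ET.fromstring(xml_bytes)
        status = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
        if status != SUCCESS:
            raise ValueError(f"IdP reported {status}")
        if resp.get("Destination") != ACS_URL:
            raise ValueError("Response not addressed to this SP's ACS URL")
        assertion = resp.find(f"{{{SAML}}}Assertion")
        for issuer in (resp.find(f"{{{SAML}}}Issuer"), assertion.find(f"{{{SAML}}}Issuer")):
            if issuer is None or issuer.text != IDP_ENTITY:
                raise ValueError("unexpected Issuer")
        # InResponseTo must match a request this SP actually sent; popping it blocks replay.
        resource = self.pending.pop(resp.get("InResponseTo"), None)
        if resource is None:
            raise ValueError("unsolicited or replayed Response")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        now = datetime.now(timezone.utc)
        if now + skew < parse(cond.get("NotBefore")) or now - skew >= parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        audience = cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
        if audience is None or audience.text != SP_ENTITY:
            raise ValueError("assertion not intended for this SP")
        name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text
        return name_id, resource  # Step 9: the SP can now serve the original resource

class IdentityProvider:
    USERS = {"alice": "correct horse battery"}  # constructed identity store (step 5)

    def __init__(self):
        self.sessions = {}

    def handle_authn_request(self, xml_bytes, username, password, validity=timedelta(minutes=5)):
        # Steps 4-7: check credentials, open a session, issue and sign an assertion.
        req = ET.fromstring(xml_bytes)
        if not hmac.compare_digest(self.USERS.get(username, ""), password):
            raise PermissionError("invalid credentials")
        self.sessions[username] = secrets.token_hex(8)
        now = datetime.now(timezone.utc)
        resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                          IssueInstant=fmt(now), InResponseTo=req.get("ID"),
                          Destination=req.get("AssertionConsumerServiceURL"))
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16),
                          Version="2.0", IssueInstant=fmt(now))
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY
        subj = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = username
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=fmt(now),
                             NotOnOrAfter=fmt(now + validity))
        aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(aud, f"{{{SAML}}}Audience").text = req.find(f"{{{SAML}}}Issuer").text
        xml_bytes = ET.tostring(resp)
        return xml_bytes, sign(xml_bytes)

def run_sso_flow(sp, idp, resource, username, password, validity=timedelta(minutes=5)):
    # The whole walk-through, steps 1 to 9, in one call.
    authn_request = sp.build_authn_request(resource)
    response, signature = idp.handle_authn_request(authn_request, username, password, validity)
    return sp.consume_response(response, signature)

if __name__ == "__main__":
    print(run_sso_flow(ServiceProvider(), IdentityProvider(), "/protected/report", "alice", "correct horse battery"))
```

The order of checks in `consume_response` is deliberate: the signature is verified over the raw bytes before anything is parsed, and the pending request ID is removed as soon as it matches, so a second delivery of the same Response is rejected as a replay rather than re-authenticating the user. The `skew` parameter allows a small clock difference between IdP and SP when evaluating `NotBefore` and `NotOnOrAfter`.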

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:18 UTC, last content change 2014-03-24 16:58:48 UTC.