User:Biofuel/sandbox

SP redirect request; IdP POST response
This is one of the most common scenarios. The service provider sends a SAML Request to the IdP SSO Service using the HTTP-Redirect Binding. The identity provider returns the SAML Response to the SP Assertion Consumer Service using the HTTP-POST Binding.

The message flow begins with a request for a secured resource at the service provider.

1. Request the target resource at the SP

The principal (via an HTTP user agent) requests a target resource at the service provider:

https://sp.example.com/myresource

The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7.

The service provider may use any mechanism to discover the identity provider that will be used, for example asking the user or using a preconfigured IdP.

2. Redirect to IdP SSO Service

The service provider generates an appropriate SAMLRequest (and RelayState, if any), then redirects the browser to the IdP SSO Service using a standard HTTP 302 redirect.

The RelayState token is an opaque reference to state information maintained at the service provider. The value of the SAMLRequest parameter is the deflated, base64-encoded and URL-encoded form of the SAML Request.

The SAMLRequest may be signed using the SP signing key. Typically, however, this is not necessary.

3. Request the SSO Service at the IdP

The user agent issues a GET request to the SSO service at the identity provider, where the values of the SAMLRequest and RelayState parameters are the same as those provided in the redirect. The SSO Service at the identity provider processes the SAMLRequest parameter (by URL-decoding, base64-decoding and inflating the request, in that order) and performs a security check. If the user does not have a valid security context, the identity provider identifies the user with any mechanism (details omitted).

4. Respond with an XHTML form

The SSO Service validates the request and responds with a document containing an XHTML form.

The value of the RelayState parameter has been preserved from step 3. The value of the SAMLResponse parameter is the base64 encoding of the SAML Response.

5. Request the Assertion Consumer Service at the SP

The user agent issues a POST request to the Assertion Consumer Service at the service provider, where the values of the SAMLResponse and RelayState parameters are taken from the XHTML form at step 4.

6. Redirect to the target resource

The assertion consumer service processes the response, creates a security context at the service provider and redirects the user agent to the target resource.

7. Request the target resource at the SP again

The user agent requests the target resource at the service provider (again):

https://sp.example.com/myresource

8. Respond with requested resource

Since a security context exists, the service provider returns the resource to the user agent.
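The encoding steps described in steps 2 through 5 (DEFLATE, base64 and URL-encoding for the HTTP-Redirect binding on the way to the IdP; plain base64 for the HTTP-POST binding on the way back), worked through as an added example that is not part of the original page. The sample AuthnRequest, its ID and the ACS URL are constructed for illustration; the helper function names are my own.

```python
import base64
import urllib.parse
import zlib

# Constructed sample of the SAML Request the SP sends in step 2 (not from the page).
# Real requests also carry IssueInstant, Issuer and a registered ACS URL.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" '
    'AssertionConsumerServiceURL="https://sp.example.com/SAML2/SSO/POST"/>'
)


def encode_redirect_request(xml: str, relay_state: str) -> str:
    """Step 2: build the query string for the HTTP-Redirect binding.

    The SAML Request is DEFLATE-compressed (raw deflate, no zlib header),
    base64-encoded, then URL-encoded as the SAMLRequest query parameter.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.urlencode(
        {"SAMLRequest": saml_request, "RelayState": relay_state}
    )


def decode_redirect_request(query: str) -> tuple:
    """Step 3: the IdP reverses the encoding in the opposite order:
    URL-decode, base64-decode, then inflate. Returns (xml, relay_state).
    """
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE again
    return xml, params["RelayState"][0]


def encode_post_response(response_xml: str) -> str:
    """Step 4: the HTTP-POST binding only base64-encodes the SAML Response
    (no compression) for the SAMLResponse form field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_post_response(saml_response: str) -> str:
    """Step 5: the SP's Assertion Consumer Service base64-decodes the form field."""
    return base64.b64decode(saml_response).decode("utf-8")
```

Note that the decoded XML still has to be validated by the receiver (signature, issuer, timestamps, audience); the functions above only undo the transport encoding.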