About the SAML process

Network supports SSO using Security Assertion Markup Language (SAML) 2.0 for both service provider (SP) initiated and identity provider (IdP) initiated models. For Network, both SSO models use HTTP POST binding.

IdP-Initiated SAML Login Process

The following steps detail how SAML login, using an IdP-initiated login flow, works for Network.

  1. Admin establishes a trust relationship between the IdP and the SP by providing a certificate to the SP that the IdP has generated. Any communication from the IdP to the SP has to be ‘signed’ with this certificate.
  2. A user logs into the IdP with her credentials.
  3. The user selects an application (SP) from a list managed by the IdP.
  4. The IdP returns a SAML response that is digitally signed by the IdP with its certificate.
  5. The browser takes the SAML response and posts it to the SP. The SP confirms that the response is properly signed and, if so, gives the user access to the application.

Identity Provider-Initiated SSO example

  • Tom arrives at work and logs into his SSO-enabled applications through the identity provider’s portal.
  • When he subsequently opens Network, he bypasses the login screen and goes directly to his inbox, because he has already logged in through the identity provider.

SP-Initiated SAML Login Process

The following diagram and steps detail how SAML login, using an SP-initiated login flow, works for Network.

  1. Admin establishes a trust relationship between the IdP and the SP by providing a certificate to the SP that the IdP has generated. Any communication from the IdP to the SP has to be ‘signed’ with this certificate.
  2. The user opens the application (SP) website.
  3. If the user is not authenticated, because she has never logged in or her session has expired, the SP contacts the IdP by sending a SAML AuthnRequest. The following steps apply only if the user is not already authenticated.
  4. The IdP displays a login window for the user.
  5. The user logs into the IdP with her credentials.
  6. The IdP returns a SAML response that is digitally signed by the IdP with its certificate. The browser takes the SAML response and posts it to the SP.
  7. The SP confirms that the response is properly signed and, if so, gives the user access to the application.
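The SP-side work behind step 3 and the final step of both flows, as an added Python example that is not part of Network's documentation or code: it builds the AuthnRequest for the HTTP POST binding, then validates a posted SAMLResponse (Destination, Issuer, InResponseTo for SP-initiated flows with one-time use of the request ID, and Success status), accepting unsolicited responses for the IdP-initiated flow. The entity IDs and URLs are constructed, and the check that the message is signed with the admin-provisioned IdP certificate is assumed to come from an XML-DSig library through the `signature_verified` callback.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed identifiers for a hypothetical SP and IdP; none of these are real endpoints.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.test/metadata", "https://sp.example.test/saml/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.test/metadata", "https://idp.example.test/sso"

def build_authn_request(outstanding_ids):
    """Step 3 (SP-initiated): remember the request ID, return (ID, base64 SAMLRequest) for the POST form."""
    request_id = "_" + uuid.uuid4().hex
    outstanding_ids.add(request_id)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{now}" Destination="{IDP_SSO_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, base64.b64encode(xml.encode()).decode()

def validate_response(saml_response_b64, outstanding_ids, signature_verified):
    """Checks the SP makes before granting access (step 5 IdP-initiated, step 7 SP-initiated). signature_verified(root)
    is the XML-DSig check against the admin-provisioned IdP certificate, delegated to a library such as python-xmlsec."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response" or not signature_verified(root):
        return False, "not a samlp:Response signed with the trusted IdP certificate"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not this SP's ACS URL"
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected Issuer"
    in_response_to = root.get("InResponseTo")  # absent in an IdP-initiated (unsolicited) response
    if in_response_to is not None and in_response_to not in outstanding_ids:
        return False, "InResponseTo does not match an AuthnRequest this SP issued"
    outstanding_ids.discard(in_response_to)  # single use: a replayed response fails the check above
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    return True, root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

def constructed_idp_response(name_id, in_response_to=None, issuer=IDP_ENTITY_ID, destination=SP_ACS_URL):
    """Constructed stand-in for the SAMLResponse the browser posts to the SP (offline testing only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'Destination="{destination}"{irt}><saml:Issuer>{issuer}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A production SP also checks the assertion's Conditions (NotBefore/NotOnOrAfter, AudienceRestriction) and stores seen assertion IDs for their validity window; those checks are omitted here to keep the example short.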

Service Provider-Initiated SSO example

  • Tracy arrives at work and opens Network directly.
  • From Network, she’s redirected to the identity provider’s login portal.
  • She is then redirected back to Network.