SAML Flows

Introduction

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). SAML is primarily used to enable single sign-on (SSO) for users. Here are the key SAML flows:

1. SP-Initiated SSO Flow

In an SP-initiated SSO flow, the user attempts to access a service or resource provided by the SP. The SP then redirects the user to the IdP for authentication.

Steps:

  1. User Request: The user tries to access a protected resource on the SP.
  2. SP Redirects to IdP: The SP generates an authentication request and redirects the user to the IdP.
  3. User Authenticates: The user logs in at the IdP.
  4. IdP Sends SAML Response: Upon successful authentication, the IdP generates a SAML response containing the assertion and sends it back to the SP, usually through the user’s browser.
  5. SP Processes Response: The SP validates the SAML response and grants the user access to the requested resource.

2. IdP-Initiated SSO Flow

In an IdP-initiated SSO flow, the user begins the authentication process at the IdP.

Steps:

  1. User Logs in at IdP: The user logs into the IdP.
  2. IdP Generates SAML Response: The IdP generates a SAML response and sends it to the SP, typically through the user’s browser.
  3. SP Processes Response: The SP validates the SAML response and grants the user access to the service or resource.

3. SP-Initiated Single Logout (SLO) Flow

SP-initiated SLO allows a user to log out of a session at the SP and then be logged out of the IdP and all other SPs using the same IdP.

Steps:

  1. User Logs Out from SP: The user initiates a logout request from the SP.
  2. SP Sends Logout Request to IdP: The SP sends a SAML logout request to the IdP.
  3. IdP Sends Logout Request to Other SPs: The IdP forwards the logout request to other SPs where the user has active sessions.
  4. Other SPs Confirm Logout: The other SPs confirm the logout to the IdP.
  5. IdP Confirms Logout to Original SP: The IdP sends a logout response to the original SP.
  6. SP Logs Out User: The original SP logs out the user and confirms the process is complete.

4. IdP-Initiated Single Logout (SLO) Flow

In an IdP-initiated SLO flow, the user logs out from the IdP, and this action triggers a logout from all SPs where the user has active sessions.

Steps:

  1. User Logs Out from IdP: The user initiates a logout request from the IdP.
  2. IdP Sends Logout Requests to SPs: The IdP sends logout requests to all SPs where the user has active sessions.
  3. SPs Confirm Logout: Each SP confirms the logout to the IdP.
  4. IdP Confirms Logout to User: The IdP confirms to the user that the logout process is complete.

Summary of Key Components

  • Identity Provider (IdP): The entity that authenticates the user and provides the SAML assertion.
  • Service Provider (SP): The entity that consumes the SAML assertion to grant access to the user.
  • SAML Assertion: The XML document that the IdP sends to the SP containing user authentication and authorization information.
  • SAML Request: The XML document that the SP sends to the IdP to request authentication.
  • SAML Response: The XML document that the IdP sends to the SP in response to the authentication request, containing the SAML assertion.

By understanding these flows and components, you can effectively implement and troubleshoot SAML-based SSO in your environment.
