Version comment: Migrated to Confluence 5.3

...

How does this actually happen, and how does it fit with IdP and SP configuration? What other pieces are involved?


1. User Accesses Protected Resource

...

Tip: Cookie Set by SP

During this step, the SP will preserve the original resource requested by the browser using a "relay state" mechanism, which is configured by a relayState property on the <SessionInitiator> element. The default mechanism does not rely on a cookie any longer, but many systems do, and send a state management cookie containing the resource URL to the client along with the request prepared for the IdP or DS/WAYF.

...

The user's information is packaged into a form suitable for the eventual response using the encoders attached earlier, typically in a SAML assertion. This assertion may be signed with the IdP's key and, in the case of a SAML 2.0 assertion, encrypted with the SP's key for security and privacy. The assertion (or a reference to it called an artifact) is placed into a response that is passed through the client browser for delivery back to the SP to an endpoint called an Assertion Consumer Service.

5. Back to the SP

The browser delivers the response from the IdP to an Assertion Consumer Service endpoint at the SP. The ACS implementation decodes the message, decrypts the assertion if necessary, and performs a variety of security checks. If everything is in order, then the SP will create a new user session after extracting attributes and other information from the message. Attributes are translated into a cacheable form using the SP's AttributeExtractor, passed through an AttributeFilter, and cached in the new session along with other relevant information.

...

Tip: Cookie Read by SP

The "relay state" information returned by the IdP, if any, will have been created by the SP and, if using a cookie, will point to a specially named cookie that should accompany the authentication response supplied to the ACS endpoint in this step. This is the cookie set in Step 2 above. If this cookie is missing (or if no relay state exists at all), the associated application's homeURL property is substituted as a fallback.

...

Tip: Cookie Set by SP

The SP will associate the browser with the newly created session by sending a cookie containing a session key to the client as part of the redirection to the resource.

6. Back to the Protected Resource

In the final step, the browser is redirected to the protected resource accessed in Step 1, but this time the access occurs in the context of a session stored within the SP's SessionCache.
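The following is an added model of the SP-side cookie handling described in Steps 2, 5 and 6 above; it is example code, not the Shibboleth SP's own implementation. The cookie names, the "cookie:" relay-state prefix and the same-host check on the recovered URL are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlparse

HOME_URL = "https://sp.example.org/"  # stands in for the application's homeURL
SP_HOST = "sp.example.org"            # host the SP is willing to redirect back to
SESSION_CACHE = {}                    # stands in for the SP's SessionCache

def initiate_sso(requested_url):
    """Step 2: the SP keeps the requested URL in a state cookie and sends the
    IdP only an opaque reference to it. Returns (relay_state, cookie_name,
    cookie_value); cookie name format is illustrative."""
    token = secrets.token_hex(16)
    return f"cookie:{token}", f"_relaystate_{token}", requested_url

def _same_site(url):
    """Only redirect to https URLs on this SP's own host, so a tampered or
    forged state cookie cannot turn the ACS into an open redirector."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == SP_HOST

def resolve_relay_state(relay_state, cookies, home_url=HOME_URL):
    """Step 5: after the response passes its security checks, pick the
    redirect target. Falls back to homeURL when there is no relay state,
    the referenced cookie is missing, or its content is unusable."""
    if not relay_state or not relay_state.startswith("cookie:"):
        return home_url
    token = relay_state[len("cookie:"):]
    target = cookies.get(f"_relaystate_{token}")
    if not target or not _same_site(target):
        return home_url
    return target

def create_session(filtered_attributes):
    """Step 5: cache the extracted and filtered attributes under a fresh,
    unguessable session key and return the cookie that binds the browser
    to it (cookie name is illustrative)."""
    key = secrets.token_urlsafe(32)
    SESSION_CACHE[key] = dict(filtered_attributes)
    return "_sp_session", key

def lookup_session(cookies):
    """Step 6: the protected resource is now served in the context of the
    cached session, or None if the browser presents no valid session key."""
    return SESSION_CACHE.get(cookies.get("_sp_session"))
```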

...