SAML 2.0 Web SSO: Protocol Flow

Sahan Gunathilaka
4 min readAug 22, 2018

In this post I am going to walk you through the SAML 2.0 Web SSO protocol flow and show how the requests and responses pass among the client (the principal's browser), the IdP, and the SP. Hopefully you will have a clear understanding of it by the end.

You should already have a clear idea about the three SAML parties, the Principal, the IdP, and the SP, from the previous post. First, let's look at the complete flow as follows.

Let’s understand the flow first!

  1. The client requests a target (protected) resource from the SP. At this point the SP does not know who the client is, and it must provide resources only to authenticated, trusted principals. To do that, the SP needs help from an IdP. That is where the IdP comes into play.
  2. This is the step where the SP chooses an IdP to redirect the user to for authentication. "Discover IdP" is the complete process of choosing an IdP. This usually happens with the help of a SAML Discovery Service. Since that is quite a broad topic on its own, let me explain it in a future post! Let's continue...
  3. After discovering the IdP, the SP redirects the client to the IdP for authentication. More precisely, the SP answers the client's request with 'HTTP/1.1 302 Found' and a Location header carrying the redirect URL (this is the SAML HTTP-Redirect binding). A sample response is shown below :)

4. In this step, the client sends a GET request to the IdP for the URL it got in the Location header of the previous step. That URL basically carries three query parameters: SAMLRequest (the AuthnRequest, DEFLATE-compressed, base64-encoded and URL-encoded), SigAlg, and Signature, plus an optional RelayState that tells the SP where to send the user afterwards. You can see them under the Parameters tab if you use SAML tracer. A sample request is shown below 😃

5. In this step, the IdP checks whether the client already has a logged-in session. This is where sessions and cookies come into play. If the client does not have a valid session, the IdP prompts the client with a login page. After the client logs in with valid credentials, the IdP creates a new session for the client and builds a SAML assertion with the required details (subject, validity conditions, attributes). Session management and cookies play a major part at the IdP. This is also quite a broad topic, so I will keep it for a future post too... Enjoy the rest 👇

6. After creating the assertion, the IdP responds to the request with a SAML Response that contains the assertion. This is also a kind of redirection for the client: with the HTTP-POST binding the IdP returns an HTML page with a self-submitting form, so the browser ends up POSTing the response to the SP.

7. In a similar way, the client then requests (POSTs to) the Assertion Consumer Service after the response from the IdP. This is the ACS endpoint at the SP. The SP consumes the assertion issued by the IdP in order to decide whether to provide resources to the client.

8. After consuming the assertion, the SP decides whether or not to provide the requested resource. The trust relationship built with the IdP (the IdP's signing certificate, which the SP knows in advance) is what lets the SP trust the assertion: the SP verifies the signature, checks that the assertion is addressed to it (Audience, Destination) and is still valid (NotBefore/NotOnOrAfter), and only then creates a local session and redirects the user to the resource.

9. Following that redirection, the client browser requests the resource again.

10. Finally, the SP responds with the requested resource for the client. 😃
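As an added example (my code, not from the original post), the following Python, using only the standard library, does what the SP does when it redirects the client to the IdP: it builds the AuthnRequest, encodes it with the HTTP-Redirect binding (DEFLATE, base64, URL-encoding), forms the exact string the Signature parameter covers, and then decodes the resulting Location URL the way SAML tracer's Parameters tab shows it. The entity IDs and URLs are hypothetical, and the actual signing is supplied by the caller: a real SP signs with its RSA private key, and the stand-alone demo passes an HMAC placeholder only so the script runs offline.

```python
import base64
import hashlib
import hmac
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Hypothetical SP/IdP identifiers and endpoints, constructed for this example.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(request_id, issue_instant):
    """Minimal <samlp:AuthnRequest> as the SP builds it before redirecting.

    The SP must remember request_id: the IdP echoes it back in the
    Response's InResponseTo attribute, which is how the ACS later ties
    the answer to a request it actually made.
    """
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    """Reverse of deflate_b64; this is what SAML tracer does to show the XML."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signed_query_string(saml_request_b64, relay_state, sig_alg):
    """The exact string the Redirect-binding Signature parameter covers.

    The order is fixed by the binding: SAMLRequest, RelayState (only if
    present), SigAlg, each value URL-encoded. The IdP verifies over the
    string as received, so '+', '/' and '=' from base64 are percent-encoded.
    """
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, quote_via=quote)


def build_redirect_location(xml, relay_state, sign):
    """Value of the Location header in the SP's 'HTTP/1.1 302 Found'.

    `sign` is supplied by the caller; in a real SP it is an RSA-SHA256
    signature with the SP's private key over the bytes passed in.
    """
    to_sign = signed_query_string(deflate_b64(xml), relay_state, SIG_ALG_RSA_SHA256)
    signature = base64.b64encode(sign(to_sign.encode())).decode()
    return f"{IDP_SSO_URL}?{to_sign}&" + urlencode({"Signature": signature}, quote_via=quote)


def decode_redirect_location(location):
    """What the IdP (or SAML tracer's Parameters tab) sees in the client's GET."""
    params = parse_qs(urlparse(location).query)
    return {
        "SAMLRequest": inflate_b64(params["SAMLRequest"][0]),
        "RelayState": params.get("RelayState", [None])[0],
        "SigAlg": params["SigAlg"][0],
        "Signature": params["Signature"][0],
    }


if __name__ == "__main__":
    # Placeholder signer for a stand-alone run. HMAC is NOT what SAML uses;
    # a real SP signs with its RSA key. Only the string being signed matters here.
    fake_sign = lambda data: hmac.new(b"demo-key", data, hashlib.sha256).digest()
    request_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    location = build_redirect_location(
        build_authn_request(request_id, issued), "/app/dashboard", fake_sign
    )
    print("HTTP/1.1 302 Found\nLocation:", location)
    for name, value in decode_redirect_location(location).items():
        print(f"{name}: {value}")
```

One thing worth noticing in the output: the signature is over the query string, not over the XML, so the IdP has to verify it against the exact percent-encoded bytes it received, and an AuthnRequest that arrives with no Signature at all only gets rejected if the IdP is configured to require signed requests.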

We are done!

Oh wait, a few more things to say! 😵 😵

Basically there are two ways to start this flow.

  1. SP-initiated SSO: The client goes directly to the SP and requests the resource. This is the flow I have explained throughout this post.
  2. IdP-initiated SSO: Here, the client goes to the IdP first and asks for a resource at the SP. To do this, there has to be a URL (at the IdP) for that SP, and the client uses that URL to initiate SSO. If SSO starts this way, then the above flow (the first, main illustration) starts from step 4, except that there is no SAMLRequest, because the SP never asked for anything. All the other steps are similar. One caveat worth knowing: since there is no AuthnRequest, the SAML Response carries no InResponseTo, so the SP cannot tie it to a request it made, and many SPs disable IdP-initiated SSO for exactly that reason.
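To make the difference concrete, here is an added example (my code, not from the original post) of the checks an SP's ACS performs on the IdP's Response before it trusts the assertion, including the InResponseTo check that separates the two flows. It assumes the XML signature over the Response/Assertion has already been verified against the IdP's certificate (that is the trust relationship described above and is left to a SAML library); the entity IDs, URLs, NameID and the sample Response XML are constructed for the example, and it uses only the Python standard library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers, constructed for this example.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
CLOCK_SKEW = timedelta(seconds=60)


class SamlValidationError(Exception):
    pass


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, pending_request_ids, now, allow_unsolicited=False):
    """ACS-side checks, to be run only AFTER the XML signature has been verified.

    pending_request_ids: set of AuthnRequest IDs this SP issued and has not
    yet seen answered. Returns the authenticated subject on success.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    # Destination: the message must have been addressed to *our* ACS.
    if root.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("wrong Destination")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    # InResponseTo is what separates SP-initiated from IdP-initiated SSO:
    # SP-initiated responses carry one and it must match a request we sent;
    # IdP-initiated (unsolicited) responses carry none.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            raise SamlValidationError("unsolicited response; IdP-initiated SSO is disabled")
    elif in_response_to not in pending_request_ids:
        raise SamlValidationError("InResponseTo matches no pending request (replay?)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("Assertion not issued by the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("no Conditions")
    if now < _utc(cond.get("NotBefore")) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if now >= _utc(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion was issued for a different SP")
    # Everything checked out: retire the request ID so this response cannot be replayed.
    if in_response_to is not None:
        pending_request_ids.discard(in_response_to)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"name_id": name_id, "sp_initiated": in_response_to is not None}


def sample_response(in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed, unsigned sample of the IdP's Response (not a real capture)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
        f'IssueInstant="2018-08-22T10:00:00Z" Destination="{SP_ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-08-22T10:00:00Z">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        "<saml:Subject><saml:NameID>sahan@example.com</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="2018-08-22T10:00:00Z" NotOnOrAfter="2018-08-22T10:05:00Z">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def at(minute):
    # Fixed clock for the sample: 2018-08-22 10:<minute> UTC.
    return datetime(2018, 8, 22, 10, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    pending = {"_req1", "_req2"}
    print("SP-initiated:", consume_response(sample_response("_req1"), pending, at(2)))
    print("IdP-initiated:", consume_response(sample_response(), pending, at(2), True))
    for label, resp, now in (
        ("replayed", sample_response("_req1"), at(2)),
        ("unsolicited, not allowed", sample_response(), at(2)),
        ("expired", sample_response("_req2"), at(10)),
    ):
        try:
            consume_response(resp, pending, now)
        except SamlValidationError as exc:
            print(f"{label}: rejected ({exc})")
```

Two design points: the signature check has to come first, because until it passes every attribute read here is attacker-controlled; and the request ID is retired only after all conditions pass, so a captured response cannot be consumed a second time, which is the check an unsolicited (IdP-initiated) response simply cannot get.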

Small exercise for you, are you READY ❓

There are two scenarios as follows. You should identify whether each one is SP-initiated SSO or IdP-initiated SSO. Give yourself 2 claps if you are wrong, of course! 4 claps if you are correct, just to celebrate 😃 👏 👏

  1. John: Hello Sam, here is Sahan, one of my best friends, and I trust him 💯 percent. Right now, he needs to get a vehicle from your service. Can you provide one?
    Sam: Of course! If you surely trust him, I'll give him a vehicle.
  2. Sam: Hello John, there is a request for a vehicle from somebody; can you check whether he is known to you and trusted?
    John: Yeah! I know and trust him. No problem giving him a vehicle.
    Sam: Okay! Then I'll give it!

Time to answer for yourself and applaud. Please note that this is a very simple scenario. Think of it as "Sam" trusts "John" and vice versa.

Thank you for reading and let’s meet with another simple reading soon!

Answer: 1 — IdP initiated SSO, 2 — SP initiated SSO

Written by Sahan Gunathilaka

DevOps Engineer | Microsoft Certified: Azure Administrator Associate | CKAD | Blogger | Sportsmen | Happy Soul
