# Understand the SAML process

This article describes how data flows among the three parties in a SAML login: the SP, the IdP, and the browser.

# Parties involved in the SAML protocol

When the SAML protocol is used for identity authentication, the following three parties are involved:

Browser: the SP and the IdP never talk to each other directly; every message between them passes through the user's browser

SP: Service Provider, the provider of the resource (application) the user wants to access

IdP: Identity Provider, the party that authenticates the user

# The whole process, from initiating a SAML login to a successful login

SAML flow (diagram)

  1. The user tries to log in to the application provided by the SP.
  2. The SP generates a SAML Request, redirects the browser, and sends the SAML Request to the IdP.
  3. The IdP parses the SAML Request and redirects the user to the authentication page.
  4. The user completes the login on the authentication page.
  5. The IdP generates a SAML Response, redirects the browser, and returns the SAML Response to the SP's ACS (Assertion Consumer Service) address; the Response contains the SAML Assertion that establishes the user's identity.
  6. The SP verifies the content of the SAML Response.
  7. The user successfully logs in to the application provided by the SP.
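The following is an added example, not code from the original page or from any particular SAML library. It shows the SP side of steps 2 and 6 above: the SP generates a SAML Request, remembers its ID, and then, when the SAML Response arrives at the ACS, checks that the Response really answers one of its own requests, is addressed to this SP, comes from the expected IdP, and is still within its validity window. All URLs, entity IDs and the sample Response are constructed for the example; verification of the XML signature is assumed to be done by an XML-DSig library and is passed in as a boolean.

```python
"""SP-side handling of the SAML flow: build the SAML Request (step 2), then run
the checks the SP must apply to the SAML Response (step 6) before logging the
user in. Signature verification is delegated to an XML-DSig library (not shown)
and its result is passed in as `signature_valid`. All identifiers are hypothetical."""
import base64
import uuid
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SKEW = dt.timedelta(minutes=3)  # tolerated clock drift between SP and IdP

# Hypothetical SP / IdP configuration (example values, not from the page)
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"

outstanding = {}  # request ID -> IssueInstant; each Response is accepted once

def build_authn_request(now):
    """Step 2: the SP generates the SAML Request and records its ID."""
    req_id = "_" + uuid.uuid4().hex
    outstanding[req_id] = now
    return req_id, (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def _t(s):
    return dt.datetime.strptime(s, TIME_FMT).replace(tzinfo=dt.timezone.utc)

def verify_response(response_b64, signature_valid, now):
    """Step 6: checks on the SAML Response posted to the ACS.
    Returns the NameID on success; raises ValueError on any failed check."""
    if not signature_valid:
        raise ValueError("signature check failed")
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    # Tie the Response to a request we sent, and consume the ID so a replay fails
    if outstanding.pop(root.get("InResponseTo"), None) is None:
        raise ValueError("unsolicited or replayed Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Assertion Issuer")
    cond = a.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) - SKEW <= now < _t(cond.get("NotOnOrAfter")) + SKEW):
        raise ValueError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _t(scd.get("NotOnOrAfter")) + SKEW:
        raise ValueError("SubjectConfirmationData rejected")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def make_sample_response(in_response_to, now, name_id="alice", audience=SP_ENTITY_ID):
    """Constructed stand-in for the IdP's step-5 output (unsigned, demo only)."""
    issued = now.strftime(TIME_FMT)
    expires = (now + dt.timedelta(minutes=5)).strftime(TIME_FMT)
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{expires}" '
        f'InResponseTo="{in_response_to}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def run_demo(tamper=None, signature_valid=True):
    """Run steps 2, 5 (simulated) and 6 end to end; `tamper` alters the Response."""
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    req_id, _ = build_authn_request(now)
    resp = make_sample_response(**{"in_response_to": req_id, "now": now, **(tamper or {})})
    try:
        return verify_response(resp, signature_valid, now)
    except ValueError as e:
        return "rejected: " + str(e)

if __name__ == "__main__":
    print(run_demo())                                                  # alice
    print(run_demo({"audience": "https://other-sp.example.net/metadata"}))
    print(run_demo({"in_response_to": "_not-ours"}))
```

The `outstanding` map is what turns "the SP verifies the content of the SAML Response" into something concrete: a Response whose `InResponseTo` the SP never issued, or one presented a second time, is rejected before any user attribute is read.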

# Communication between SP and IdP

The SP and the IdP can communicate through three bindings: HTTP Redirect Binding, HTTP POST Binding, and HTTP Artifact Binding. Each binding carries the SAML messages with a different kind of HTTP request, and a login flow may use a different binding for the request stage and the response stage.

# HTTP Redirect Binding

The SP sends the SAML Request to the IdP by redirecting the browser, so the request travels in a GET; the IdP returns the SAML Response to the SP as a POST request through a form that the browser submits immediately on load.

# HTTP POST Binding

The SP sends the SAML Request to the IdP as a POST request through a form that the browser submits immediately on load, and the IdP sends the SAML Response to the SP in the same way.
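As an added example for the two bindings above (not code from the original page), the functions below build and decode the message as the browser carries it: for HTTP Redirect Binding the SAML Request is deflate-compressed, base64-encoded and placed in the query string of the redirect URL; for HTTP POST Binding the message is base64-encoded into a hidden field of a form that submits itself on load. The same POST form shape carries the SAML Response to the SP's ACS, with the field named `SAMLResponse`. The URLs and the sample request are hypothetical, and `browser_submit` only simulates what the browser does with the form.

```python
"""Transport of SAML messages under the HTTP Redirect and HTTP POST bindings.
Hypothetical endpoints; the sample message is a constructed placeholder."""
import base64
import html
import re
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder for the SAML Request built by the SP
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="_example-request-id" Version="2.0"/>')

def redirect_binding_url(sso_url, saml_request, relay_state=None):
    """HTTP Redirect Binding: raw DEFLATE (no zlib header), base64, then URL-encode
    into the query string of the redirect Location. The message ends up in the URL,
    so it is length-limited and visible in proxy and server logs."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(saml_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"

def decode_redirect_binding(url):
    """Receiver side of the Redirect Binding: base64-decode, then inflate."""
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), q.get("RelayState", [None])[0]

def post_binding_form(target_url, saml_message, relay_state=None, field="SAMLRequest"):
    """HTTP POST Binding: base64 only (no deflate) in a hidden field of a form the
    browser submits on load. html.escape keeps the values inside their attributes."""
    fields = [(field, base64.b64encode(saml_message.encode()).decode())]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}"/>'
                     for n, v in fields)
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(target_url, quote=True)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')

def browser_submit(form_html):
    """Simulate the browser's auto-submit: hidden fields become the POST body."""
    pairs = re.findall(r'name="([^"]+)" value="([^"]*)"', form_html)
    return urlencode([(n, html.unescape(v)) for n, v in pairs])

def decode_post_binding(form_body):
    """Receiver side of the POST Binding (SAMLRequest at the IdP, SAMLResponse at the SP's ACS)."""
    q = parse_qs(form_body)
    field = "SAMLResponse" if "SAMLResponse" in q else "SAMLRequest"
    return base64.b64decode(q[field][0]).decode(), q.get("RelayState", [None])[0]

if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.com/sso", SAMPLE_REQUEST, "/home")
    print(url)
    print(decode_redirect_binding(url))
    form = post_binding_form("https://sp.example.com/saml/acs", SAMPLE_REQUEST, "/home",
                             field="SAMLResponse")
    print(decode_post_binding(browser_submit(form)))
```

The difference between the two bindings is only in how the bytes reach the other side: the Redirect Binding compresses so the message fits in a URL, while the POST Binding keeps it out of the URL entirely, which is why the larger, signed SAML Response is normally returned to the ACS by POST.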

# HTTP Artifact Binding

With this binding, the SP and the IdP pass only a short reference (the artifact) to the SAML Request or SAML Response through the browser. After receiving the artifact, the recipient calls the other party's Artifact Resolution Service directly, over a back channel, to fetch the actual message. The SAML Request and SAML Response therefore never pass through the browser and are not exposed on the front end.