
11.1 Brief Overview of Control Flow

The SAML 2.0 specifications mandate a wire protocol, and in order to speak that wire protocol the SP application typically has to follow a certain standard sequence of control flow.


Fig-2: Typical control flow of ZXID SP

First a user ((The user is often referred to as "Principal" in
 more technical jargon. Although the human user and the web browser are
 distinct entities, we do not stress that separation here. Whatever the
 user "does" will, at the protocol level, appear as the web browser sending
 requests.)) tries to access a web site that acts in the SP role. This triggers the following sequence of events:

  1. User is redirected to a URL in a common domain. This is so that we can read the Common Domain Cookie (CDC) that indicates which IdP the user uses. Alternatively, if you started at https://sp1.zxidsp.org:8443/zxid?o=E, the CDC check is bypassed and flow 2b. happens.

  2. After the CDC check, an Authentication Request (AuthnReq) is generated. The IdP may have been chosen automatically using the CDC (2a), or there may have been some user interface interaction (not shown in the diagram) to choose the IdP.

  3. User is redirected to the IdP. The redirection carries as a query string a compressed and encoded form of the SAML 2.0 AuthnReq.

  4. Once the IdP has authenticated the user, or observed that there already is a valid IdP session (perhaps from a cookie), the IdP redirects the user back to the SP.

    The AuthnResponse may be carried in this redirection in a number of alternative ways:

    1. The redirect contains a special token called an artifact. The artifact is only a reference to the AuthnResponse, and the SP needs to fetch the actual AuthnResponse from the IdP using a SOAP call (the 4bis step).

    2. The "redirect" is actually an HTML page with a form and a little JavaScript that causes the form to be automatically posted to the SP. The AuthnResponse is carried as a form field.

  5. After verifying that the AuthnResponse indicated success, the SP establishes a local session for the user (perhaps setting a cookie to indicate this).

    Depending on how the SP-to-web-site integration is done, the user is taken to the web site in one of two ways:

    1. Redirect to the content. This time the session exists, so the flow passes directly from the session check to the web content.

    2. It is also possible to show the content directly without any intervening redirection.
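The following is an added example, not ZXID's own code, that walks the SP side of the flow above in Python: building the AuthnReq (step 2), packing it for the HTTP-Redirect binding as deflate-compressed, base64-encoded query string (step 3), the auto-posting form the IdP returns in the 4.2 case, and the success check the SP must perform on the posted SAMLResponse before it creates a local session (step 5). The entity IDs, URLs and the IdP response are constructed for the example; XML signature verification is assumed to be done by the caller's SAML library and is not shown.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}

# Assumed (constructed) identifiers for this example, not ZXID defaults.
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
ACS_URL = "https://sp.example.org/saml/acs"
IDP_SSO_URL = "https://idp.example.org/saml/sso"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None):
    """Step 2: generate the AuthnRequest. The random ID is stored by the SP so that
    the IdP's response can be tied back to this request (InResponseTo)."""
    request_id = request_id or ("_" + secrets.token_hex(16))
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Step 3: HTTP-Redirect binding = raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on arrival: reverse the redirect-binding packing."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def auto_post_form(acs_url, saml_response_b64):
    """Step 4.2: the 'redirect' is really an HTML page whose form posts itself to the SP."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{acs_url}">'
        f'<input type="hidden" name="SAMLResponse" value="{saml_response_b64}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
    )


def make_constructed_response(request_id, acs_url, status_value):
    """Constructed stand-in for the IdP's POST-binding SAMLResponse (unsigned, for illustration)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_resp1" '
        f'Version="2.0" IssueInstant="2000-01-01T00:00:05Z" InResponseTo="{request_id}" '
        f'Destination="{acs_url}"><saml:Issuer>https://idp.example.org/saml</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{status_value}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2000-01-01T00:00:05Z">'
        '<saml:Issuer>https://idp.example.org/saml</saml:Issuer>'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def check_post_response(saml_response_b64, expected_request_id, expected_acs_url):
    """Step 5: only after the response is bound to our request, addressed to our ACS and
    reports Success may a local session be created. Returns the NameID or None (reject)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return None
    if root.get("InResponseTo") != expected_request_id:  # unsolicited or replayed response
        return None
    if root.get("Destination") != expected_acs_url:  # response meant for a different SP
        return None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return None
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None


if __name__ == "__main__":
    req_id, req_xml = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    url = redirect_binding_url(IDP_SSO_URL, req_xml, relay_state="https://sp.example.org/app")
    assert decode_redirect_binding(url) == req_xml
    posted = make_constructed_response(req_id, ACS_URL, STATUS_SUCCESS)
    print(auto_post_form(ACS_URL, posted)[:60], "...")
    print("session for:", check_post_response(posted, req_id, ACS_URL))
```

The three rejections in check_post_response are the ones an SP must make even when the signature is valid: a response not tied to an outstanding request ID, a response addressed to another ACS, and a non-Success status, which is exactly the "after verifying that the AuthnResponse indicated success" gate in step 5 before any cookie is set.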

