- User attempts to access a resource
- SP asks the user where they are from
- User tells the SP where they are from
- SP looks up the entityID of the IdP (our own software provides the list of organisation names paired with their entityIDs)
- SP software uses entityID to look up the relevant part of the federation metadata that describes that organisation - mainly how and where to send a SAML request to the user's IdP
- SP software redirects user's browser to their IdP with a signed SAML request (HTTP-REDIRECT)
- User arrives at the IdP's login page
- User is challenged for credentials if they have no existing session with the IdP.
- User journey ends here if authentication fails.
- IdP creates a response containing relevant attributes and encodes it
- IdP returns the user's browser to the SP with a signed SAML response (HTTP-POST)
- SP receives the SAML response, decodes it and looks at the attributes
- SP authorises access (or not) based on those attributes
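The SP side of the flow above, as an added stand-alone example (not the software the list describes): organisation name to entityID, entityID to the HTTP-Redirect endpoint in the metadata, a DEFLATE+base64 AuthnRequest in the redirect URL, and an authorisation decision from the attributes in the returned response, which is accepted only if it answers the request we actually sent. The entityIDs, metadata, SP name and the IdP response are constructed for the example, and request/response signing is left out.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed SP entityID
ORGS = {"Example University": "https://idp.example.ac.uk/idp/shibboleth"}  # constructed discovery list
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"><md:EntityDescriptor entityID="{ORGS['Example University']}">
  <md:IDPSSODescriptor><md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/></md:IDPSSODescriptor>
</md:EntityDescriptor></md:EntitiesDescriptor>"""  # constructed federation metadata

def sso_location(org_name):
    """Steps 3-5: organisation name -> entityID -> HTTP-Redirect endpoint taken from the metadata."""
    entity_id = ORGS[org_name]
    for ed in ET.fromstring(METADATA).iterfind("md:EntityDescriptor", namespaces=NS):
        if ed.get("entityID") == entity_id:
            for sso in ed.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", namespaces=NS):
                if sso.get("Binding") == REDIRECT:
                    return sso.get("Location")
    raise LookupError(f"no HTTP-Redirect endpoint in metadata for {entity_id}")

def build_redirect(org_name):
    """Step 6: AuthnRequest, raw-DEFLATEd then base64'd as HTTP-Redirect requires (SigAlg/Signature omitted)."""
    req_id = "_" + uuid.uuid4().hex  # remembered so the response can be tied back to this request
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header/trailer
    deflated = z.compress(xml.encode()) + z.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return req_id, f"{sso_location(org_name)}?{query}"

def constructed_idp_response(in_response_to, affiliations):
    """Steps 10-11 stand-in: an unsigned Response built for the example; a real IdP signs it."""
    values = "".join(f"<saml:AttributeValue>{a}</saml:AttributeValue>" for a in affiliations)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0" InResponseTo="{in_response_to}"><saml:Assertion>'
           f'<saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">{values}'
           f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def authorise(saml_response_b64, expected_request_id):
    """Steps 12-13: decode the POSTed response, check it answers our request, read attributes, decide."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("InResponseTo") != expected_request_id:  # unsolicited or replayed: reject
        return False, {}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", namespaces=NS)]
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", namespaces=NS)}
    return "member" in attrs.get("eduPersonAffiliation", []), attrs
```

The access rule here (eduPersonAffiliation must contain "member") stands in for whatever attribute policy a real SP applies; signature verification of the response would sit before the InResponseTo check.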