  1. User attempts to access a resource
  2. SP asks the user where they are from
  3. User tells the SP where they are from
  4. SP looks up the entityID of the IdP (our own software provides a list of organisation name / entityID pairs)
  5. SP software uses the entityID to look up the relevant part of the federation metadata that describes that organisation: mainly how and where to send a SAML request to the user's IdP
  6. SP software redirects the user's browser to their IdP with a signed SAML request (HTTP-Redirect binding)
  7. User arrives at the IdP's login page
  8. User is challenged for credentials if they have no existing session with the IdP.
    1. User journey ends here if authentication fails.
  9. IdP creates a response containing relevant attributes and encodes it
  10. IdP returns the user's browser to the SP with a signed SAML response (HTTP-POST binding)
  11. SP receives the SAML response, decodes it and looks at the attributes
  12. SP authorises access (or not) based on those attributes
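The SP side of steps 4 to 6 and 11 to 12 above, as an added worked example (not code from the original page or from any SP software). The organisation list, federation metadata fragment, entityIDs and URLs are constructed; the request signature and the response signature check are left out, and the attribute extraction must only be run once that signature has been verified.

```python
import base64, urllib.parse, uuid, zlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed organisation-name -> entityID list (step 4) and federation metadata
# fragment (step 5); real federation metadata is signed and lists every member.
ORGANISATIONS = {"Example University": "https://idp.example.ac.uk/idp/shibboleth"}
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth"><md:IDPSSODescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""

def sso_location(metadata_xml, entity_id):
    """Step 5: the IdP's HTTP-Redirect SingleSignOnService endpoint, taken from metadata."""
    for ed in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
                if sso.get("Binding").endswith(":HTTP-Redirect"):
                    return sso.get("Location")
    raise LookupError("no HTTP-Redirect endpoint in metadata for " + entity_id)

def redirect_url(sso_url, sp_entity_id, acs_url):
    """Step 6: AuthnRequest encoded for HTTP-Redirect: raw DEFLATE, base64, URL-encode.
    The request signature (SigAlg/Signature query parameters) is omitted here."""
    req = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_%s" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z" Destination="%s" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], uuid.uuid4().hex, sso_url, acs_url, sp_entity_id))
    z = zlib.compressobj(9, zlib.DEFLATED, -15)            # -15 = raw DEFLATE, no zlib header
    deflated = z.compress(req.encode()) + z.flush()
    return sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def attributes_from_response(saml_response_b64, expected_issuer):
    """Steps 11-12: decode the HTTP-POST SAMLResponse and read its attributes. Run only
    after the XML signature has been verified (omitted: needs an XML-DSig library)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("Issuer %r is not the IdP the request was sent to" % issuer)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}

def authorise(attrs):
    """Step 12: constructed policy, access for staff and students only."""
    return bool({"staff", "student"} & set(attrs.get("eduPersonAffiliation", [])))
```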