SP-Initiated SSO

Service Provider initiated Single Sign-On using the SAML 2.0 Web Browser SSO Profile (saml-profiles §4.1). The SP detects an unauthenticated user, generates an AuthnRequest, and redirects the user to the IdP for authentication. After successful authentication, the IdP returns a signed SAML Response containing an Assertion with the user's identity. This is the most common SAML SSO flow in enterprise environments.

Try in Looking Glass
XML-BasedSSO

Sequence Diagram

Click any step for details

UserSPIdP1User Accesses SP Resource2SP Creates AuthnRequest3Redirect to IdP4User Authenticates5IdP Creates Response6Response to SP via POST7SP Validates Response8Session Created
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
User Accesses SP Resource
UserService Provider
2
SP Creates AuthnRequest
Service ProviderService Provider
3
Redirect to IdP
Service ProviderIdentity Provider
4
User Authenticates
UserIdentity Provider
5
IdP Creates Response
Identity ProviderIdentity Provider
6
Response to SP via POST
Identity ProviderService Provider
7
SP Validates Response
Service ProviderService Provider
8
Session Created
Service ProviderUser

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Security & privacy

· Dedicated security and privacy considerations.