SSO with SAML 2.0

Use

SAML provides a standard for cross-domain Single Sign-On (SSO). Other methods exist for enabling cross-domain SSO, but they require proprietary solutions to pass authentication information across domains. SAML 2.0 supports identity-provider-initiated SSO as in SAML 1.x. SAML 2.0 also supports service-provider-initiated SSO.

When the identity provider initiates SSO, you must maintain links on the identity provider system to the protected resources on the service providers. When you protect resources with SAML on a service provider, the service provider is configured to request authentication from the identity provider.

Process

SAML provides options to pass SAML messages back and forth between the identity provider and the service provider.

  • Front channel

    SAML messages are passed back and forth over the user agent with HTTP redirect or HTTP POST methods.

  • Back channel

    Only SAML artifacts are exchanged over the user agent by the identity provider and service provider. When a provider receives an artifact, it queries the other provider directly over SOAP.

Back-channel communication provides additional security by ensuring that potential eavesdroppers on the user agent only see the SAML artifacts, never the full messages. However, back-channel communication requires additional round trips to resolve an authentication request. You can protect front-channel communication with encryption and digital signatures. You can mix the communication options.
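The following example, added here and not part of the original documentation, shows what "passing SAML messages over the user agent" looks like concretely for the two front-channel bindings named above: the HTTP-Redirect binding carries the message DEFLATE-compressed and base64-encoded in the query string, the HTTP-POST binding carries it base64-encoded in a form field. It also shows the checks an identity provider should make on a decoded request (root element, version, Destination, Issuer) before acting on it. The entity IDs and URLs are constructed placeholders, and message signing (the SigAlg/Signature parameters of the redirect binding) is omitted.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, idp_sso_url, acs_url):
    """Build a minimal SAML 2.0 AuthnRequest; the URLs are assumed, plain values (no XML escaping)."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )
    return request_id, xml


def encode_redirect_binding(xml_message, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_message.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query_string, max_bytes=64 * 1024):
    """Reverse of the above, as the identity provider does it, with a cap on the inflated size."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    decompressor = zlib.decompressobj(-15)
    xml_message = decompressor.decompress(raw, max_bytes)
    if decompressor.unconsumed_tail:  # input remains: the message would inflate past max_bytes
        raise ValueError("inflated SAMLRequest exceeds size limit")
    return xml_message.decode("utf-8"), params.get("RelayState", [None])[0]


def encode_post_binding(xml_message):
    """HTTP-POST binding: plain base64 in a hidden form field, no compression."""
    return base64.b64encode(xml_message.encode("utf-8")).decode("ascii")


def parse_authn_request(xml_message, expected_destination):
    """Sanity-check a decoded request before the identity provider acts on it."""
    root = ET.fromstring(xml_message)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this endpoint")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("missing Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    rid, xml = build_authn_request(
        "https://sp.example/metadata", "https://idp.example/sso", "https://sp.example/acs"
    )
    query = encode_redirect_binding(xml, relay_state="/report")
    decoded, relay_state = decode_redirect_binding(query)
    print(parse_authn_request(decoded, "https://idp.example/sso"), relay_state)
```

The Destination check matters because the identity provider receives the request from the user agent, not from the service provider: without it, a message built for one endpoint can be replayed against another. The size cap on inflation is there because the provider inflates attacker-controllable input.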

Front-Channel Communication

The following figure illustrates service-provider-initiated SSO with front-channel communication.

Figure 1: Process Flow for Front-Channel SSO with SAML 2.0

  1. A user attempts to access a resource protected by SAML 2.0.

  2. The service provider redirects the user to an identity provider for authentication.

  3. The identity provider queries the user for authentication credentials.

  4. The user or user agent presents the requested credentials.

  5. The identity provider returns the user to the service provider with an authentication response.

  6. The service provider presents the requested resource to the user.

Back-Channel Communication

The following figure illustrates service-provider-initiated SSO with back-channel communication.

Figure 2: Process Flow for Back-Channel SSO with SAML 2.0

  1. A user attempts to access a resource protected by SAML 2.0.

  2. The service provider redirects the user to an identity provider and includes a SAML artifact referring to the authentication request.

  3. The identity provider gets the authentication request from the service provider over a SOAP channel.

  4. The identity provider queries the user for authentication credentials.

  5. The user or user agent presents the requested credentials.

  6. The identity provider returns the user to the service provider with a SAML artifact referring to the authentication response.

  7. The service provider gets the authentication response from the identity provider over a SOAP channel.

  8. The service provider presents the requested resource to the user.
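The two process flows above, modelled end to end as an added example that is not part of the original documentation. The messages are plain dictionaries standing in for the SAML XML, the direct SOAP channel of steps 3 and 7 is a local function call, and XML signature verification is assumed to have already passed before the service provider consumes a response. The entity IDs, the user names and the password check are constructed. What the example adds to the figures is the service-provider side: the checks on Issuer, status, InResponseTo, audience and validity window that turn "returns the user with an authentication response" into something the service provider can safely trust, and the one-time nature of artifacts that makes the back channel resistant to an eavesdropper on the user agent.

```python
import secrets
import time

IDP_ENTITY_ID = "https://idp.example/metadata"  # constructed identifiers, not real endpoints
SP_ENTITY_ID = "https://sp.example/metadata"


class ArtifactStore:
    """Keeps a message server-side and hands out an opaque, single-use reference to it."""

    def __init__(self):
        self._pending = {}

    def issue(self, message):
        artifact = secrets.token_urlsafe(32)  # unguessable: the artifact itself is the only secret
        self._pending[artifact] = message
        return artifact

    def resolve(self, artifact):
        message = self._pending.pop(artifact, None)  # pop: a second resolve of the same artifact fails
        if message is None:
            raise LookupError("unknown or already-resolved artifact")
        return message


class IdentityProvider:
    def __init__(self):
        self.artifacts = ArtifactStore()

    def authenticate(self, user, credentials):
        return credentials == "correct-password"  # stand-in for the real credential check

    def build_response(self, request, subject, lifetime=300):
        now = time.time()
        return {"issuer": IDP_ENTITY_ID, "in_response_to": request["id"], "subject": subject,
                "audience": request["issuer"], "not_before": now,
                "not_on_or_after": now + lifetime, "status": "Success"}


class ServiceProvider:
    def __init__(self):
        self.artifacts = ArtifactStore()
        self._outstanding = {}  # request id -> resource the user originally asked for

    def build_request(self, resource):
        request_id = "_" + secrets.token_hex(16)
        self._outstanding[request_id] = resource
        return {"id": request_id, "issuer": SP_ENTITY_ID}

    def consume_response(self, response):
        """Checks every service provider should make before trusting an authentication response."""
        # Signature verification (XML-DSig on the real message) is assumed to have passed already.
        if response.get("issuer") != IDP_ENTITY_ID:
            raise ValueError("response not from the expected identity provider")
        if response.get("status") != "Success":
            raise ValueError("identity provider reported authentication failure")
        resource = self._outstanding.pop(response.get("in_response_to"), None)
        if resource is None:
            raise ValueError("unsolicited or replayed response: unknown InResponseTo")
        if response.get("audience") != SP_ENTITY_ID:
            raise ValueError("assertion issued for a different audience")
        now = time.time()
        if not response["not_before"] <= now < response["not_on_or_after"]:
            raise ValueError("assertion outside its validity window")
        return {"user": response["subject"], "resource": resource}


def front_channel_sso(sp, idp, user, credentials, resource):
    """Figure 1: the request and the full response both travel through the user agent."""
    request = sp.build_request(resource)                       # steps 1-2
    if not idp.authenticate(user, credentials):                # steps 3-4
        return None, None
    response = idp.build_response(request, user)
    seen_by_user_agent = [request, response]                   # step 5: whole messages via redirect/POST
    return sp.consume_response(response), seen_by_user_agent   # step 6


def back_channel_sso(sp, idp, user, credentials, resource):
    """Figure 2: the user agent carries only artifacts; messages move provider to provider."""
    request_artifact = sp.artifacts.issue(sp.build_request(resource))       # steps 1-2
    request = sp.artifacts.resolve(request_artifact)                        # step 3 (SOAP in practice)
    if not idp.authenticate(user, credentials):                             # steps 4-5
        return None, None
    response_artifact = idp.artifacts.issue(idp.build_response(request, user))  # step 6
    response = idp.artifacts.resolve(response_artifact)                     # step 7 (SOAP in practice)
    seen_by_user_agent = [request_artifact, response_artifact]
    return sp.consume_response(response), seen_by_user_agent                # step 8


if __name__ == "__main__":
    sp, idp = ServiceProvider(), IdentityProvider()
    print(front_channel_sso(sp, idp, "alice", "correct-password", "/report"))
    print(back_channel_sso(sp, idp, "bob", "correct-password", "/report"))
```

Comparing the second element of the two return values shows the difference the section describes: in the front-channel flow the user agent carries the response itself, in the back-channel flow it carries two random strings that are useless once resolved. The InResponseTo check is also what makes the service-provider-initiated flow stronger than a bare identity-provider-initiated one: a response that does not match an outstanding request is rejected.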