File:Authentication Sequence with SAML.png

From MozillaWiki
Original file(2,067 × 933 pixels, file size: 99 KB, MIME type: image/png)

Created via http://sequencediagram.org/, licensed under the terms of the MPLv2 license. Copyright (c) kang@insecure.ws

Source:

title Authentication Sequence with SAML

participant "User's Browser (User-Agent)" as UserAgent
participant "Website (Relying Party/Service Provider)" as RP
participant "SAML Provider (SAML "IdP"/OP)" as OP
participant "LDAP, GitHub, etc. (True IdP)" as IdP

note over UserAgent: User visits https://rp.example.net to perform login
UserAgent->RP: GET https://rp.example.net/
RP->RP: GET https://rp.example.net/login?ReturnTo=https://rp.example.net&IsPassive=false&IdP=urn:op.example.net
RP->OP: Request SAML assertion parameters
OP->RP: XML <parameters>
UserAgent->OP: GET https://op.example.net/samlp/client_identifier
OP->OP: Perform SAML=>OIDC parameter translation internally (This is Mozilla-specific)
OP->IdP: authenticate user (via SAML, OIDC or other means)
IdP->OP: return user attributes
OP->OP: Perform OIDC=>SAML parameter translation internally (This is Mozilla-specific)
OP->UserAgent: 302 Redirect to https://rp.example.net/callback?[...] (redirect_uri/recipient URL)
UserAgent->RP: GET https:\/\/rp.example.net/callback?[...]
note left of RP:POST /callback parameters: SAMLResponse in base64 XML:\n<saml:Issuer>op.example.net</saml:Issuer>\n<SignatureValue>1Fgpt7AaHcME2...</SignatureValue>\n<saml:SubjectConfirmationData NotOnOrAfter="2016..</>\n<saml:Attribute Name=...</>\n[...]
RP->RP: Verify assertion response signature is valid, signed by OP
RP->UserAgent: 302 Redirect https://rp.example.net/
note over UserAgent: User is authenticated to https:\/\/rp.example.net
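The diagram's RP-side step "Verify assertion response signature is valid, signed by OP" is the point where the whole login stands or falls, and the note on the callback shows the fields involved (Issuer, SignatureValue, SubjectConfirmationData NotOnOrAfter, Attributes). A signature check alone is not enough: the RP must also confirm the signed element is the one it reads attributes from, that the assertion is addressed to its own callback and audience, that it answers the request the RP actually issued, and that it has not expired. The following Python is an added example of that RP-side validation; it is not Mozilla's code and not part of the original page. The callback URL, the request ID `_req1`, the attribute name `email`, the sample response and the placeholder signature value are all constructed for the example, and `demo_verify_signature` is a hypothetical stand-in for a real XML-DSig check, not cryptography.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 and XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlValidationError(Exception):
    """Raised when the SAMLResponse must be rejected and no session created."""


def _parse_saml_time(value):
    # SAML timestamps are UTC, e.g. 2016-12-22T00:46:00Z (fractional seconds not handled here).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(saml_response_b64, *, expected_issuer, expected_recipient,
                           expected_audience, expected_in_response_to, verify_signature, now):
    """Validate the base64 SAMLResponse posted to /callback; return the asserted attributes.

    verify_signature(assertion_element, signature_value) is the caller's XML-DSig check
    against the OP's pinned signing certificate (hypothetical callback; use a real
    XML-DSig library for it). The remaining RP-side checks are done here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")

    # Exactly one assertion: an extra unsigned one is the classic signature-wrapping trick.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion, got %d" % len(assertions))
    assertion = assertions[0]

    # The signature must sit inside this assertion and reference this assertion's ID,
    # so the element that was verified is the element the attributes are read from.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise SamlValidationError("assertion unsigned or signature references another element")
    sig_value = (sig.findtext("ds:SignatureValue", namespaces=NS) or "").strip()
    if not verify_signature(assertion, sig_value):
        raise SamlValidationError("assertion signature invalid")

    # Only after the signature check do the signed fields mean anything.
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlValidationError("unexpected Issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise SamlValidationError("missing SubjectConfirmationData")
    if scd.get("Recipient") != expected_recipient:
        raise SamlValidationError("Recipient is not our callback URL")
    if scd.get("InResponseTo") != expected_in_response_to:
        raise SamlValidationError("InResponseTo does not match the request we issued")
    if now >= _parse_saml_time(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
        raise SamlValidationError("assertion expired (NotOnOrAfter)")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS)
    if audience != expected_audience:
        raise SamlValidationError("assertion not intended for this SP (Audience)")

    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


# Constructed sample (not a real OP response); the signature value is a placeholder string.
SAMPLE_SIGNATURE = "1Fgpt7AaHcME2-placeholder"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}"
    ID="_r1" Version="2.0" IssueInstant="2016-12-22T00:46:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-22T00:46:00Z">
    <saml:Issuer>op.example.net</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{expiry}" InResponseTo="_req1"
            Recipient="https://rp.example.net/callback"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://rp.example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>user@example.net</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>{extra}
</samlp:Response>"""


def build_sample_response(expiry="2016-12-22T01:00:00Z", signature=SAMPLE_SIGNATURE,
                          extra_assertion=False):
    # extra_assertion=True appends an unsigned second assertion, as a wrapping attack would.
    extra = ('<saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>evil</saml:Issuer></saml:Assertion>'
             if extra_assertion else "")
    xml = SAMPLE_RESPONSE.format(sig=signature, expiry=expiry, extra=extra, **NS)
    return base64.b64encode(xml.encode()).decode()


def demo_verify_signature(assertion_el, signature_value):
    # Stand-in for XML-DSig verification (assumption): accepts only the sample placeholder.
    return signature_value == SAMPLE_SIGNATURE


def run_demo(**sample_kwargs):
    """Run the validator on the constructed sample; returns the attributes or the rejection reason."""
    now = datetime(2016, 12, 22, 0, 50, tzinfo=timezone.utc)  # fixed clock for the sample
    try:
        return validate_saml_response(
            build_sample_response(**sample_kwargs),
            expected_issuer="op.example.net",
            expected_recipient="https://rp.example.net/callback",
            expected_audience="https://rp.example.net",
            expected_in_response_to="_req1",
            verify_signature=demo_verify_signature,
            now=now)
    except SamlValidationError as exc:
        return "rejected: %s" % exc
```

`run_demo()` returns the attribute map for the good sample; `run_demo(expiry="2016-12-22T00:40:00Z")`, `run_demo(signature="forged")` and `run_demo(extra_assertion=True)` each return the rejection reason instead. The order of checks is deliberate: the signature is verified before any signed field is compared, and the Reference URI check ties the verified element to the one whose attributes are returned. In production, replace `demo_verify_signature` with an xmlsec-based SAML library that canonicalises the assertion and validates against the OP's pinned certificate, and parse untrusted XML with hardened settings (for example defusedxml) rather than bare ElementTree.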

File history

current version: 00:46, 22 December 2016, 2,067 × 933 (99 KB), uploaded by Gdestuynder. Upload comment: the licence notice and diagram source given above.