miniOrange can write a custom connector for any application server of your choice, including JBoss, Tomcat, WebLogic, WebSphere and even Spring.
SP Initiated SSO (Single Sign On) Flow
Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications.
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context.
SAML SSO works by exchanging user identity information between one party (the Service Provider) and another (the Identity Provider).
Steps for SP Initiated SSO Flow:
For example: the user wants to log in to a remote application, such as a support or accounting application.
The user accesses the application using a link on an intranet, a bookmark or a similar entry point, and the application loads.
The application identifies the user's origin (by user IP address) and redirects the user to the identity provider, asking for authentication. This is the authentication request (SSO URL).
The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
The identity provider builds the authentication response in the form of an XML document containing the user's username or email address and posts this information (SAML Assertion/Response) to the service provider.
The service provider, which already knows and trusts the identity provider, retrieves the authentication response (SAML Assertion/Response) and validates the user.
The identity of the user is established and the user is successfully logged in to the application.
IdP Initiated SSO (Single Sign On) Flow
An IdP is a system entity that provides the identity of users; this includes creating and maintaining user accounts. IdPs maintain user information and provide it on demand to service providers to complete the SSO flow. The user logs in to the IdP site and confirms their identity only once. From there, if the user wishes to reach any other site linked with the IdP, they do not need to confirm their identity again.
Steps for IdP Initiated SSO Flow:
This flow is commonly used when IdP users need to access resources hosted by an SP.
A user has logged on to the IdP.
The user clicks a link (IdP initiated URL) or otherwise requests access to a protected SP resource.
Optionally, the IdP retrieves attributes from the user data store.
The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion. The browser automatically posts the HTML form back to the SP.
If the assertion (or Web Token) is valid, the SP establishes a session for the user and redirects the browser to the target resource.
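The two flows above differ mainly in what the SP can check when the Response arrives: in the SP-initiated flow the Response carries an InResponseTo that must match an AuthnRequest the SP actually issued, while in the IdP-initiated flow the Response is unsolicited and the SP has to fall back on assertion-level checks (issuer, audience, validity window and one-time use of the assertion ID). The following is an added example, not miniOrange's code or part of any connector; it models the SP side of both flows with the Python standard library only. The entity IDs and URLs are assumed placeholders, the build_response function is a constructed stand-in for the IdP so the example runs offline, and XML signature verification (XML-DSig) is delegated to an external library such as xmlsec, whose verdict is passed in as signature_ok.

```python
# Added example (not miniOrange's code): SP-side handling of SAML
# SP-initiated and IdP-initiated responses, standard library only.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs and endpoints (placeholders, not real deployments).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between SP and IdP clocks


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(pending, now):
    """SP-initiated flow: the SP issues an AuthnRequest and records its ID
    so the later Response can be matched through InResponseTo."""
    req_id = "_" + secrets.token_hex(16)
    pending[req_id] = now
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
        f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml


def build_response(name_id, now, in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed stand-in for the IdP's Response (unsigned here; a real IdP
    signs it). in_response_to is None in the IdP-initiated flow."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}" '
        f'Destination="{SP_ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def validate_response(xml, pending, seen_assertions, now, signature_ok, allow_unsolicited):
    """SP-side checks once the browser has POSTed the Response to the ACS URL.
    XML-DSig verification is delegated to an XML signature library (e.g. xmlsec);
    its verdict arrives as signature_ok. Returns the NameID or raises ValueError."""
    if not signature_ok:
        raise ValueError("signature invalid")
    root = ET.fromstring(xml)
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("wrong Destination")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("non-success status")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unknown Issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if now < _parse_ts(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this SP")
    irt = root.get("InResponseTo")
    if irt is not None:
        # SP-initiated: must match an outstanding request, consumed exactly once.
        if irt not in pending:
            raise ValueError("InResponseTo does not match a pending request")
        del pending[irt]
    elif not allow_unsolicited:
        raise ValueError("unsolicited Response not accepted")
    # Both flows: an assertion ID is accepted only once (replay protection).
    aid = a.get("ID")
    if aid in seen_assertions:
        raise ValueError("assertion replayed")
    seen_assertions.add(aid)
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
```

Usage: call build_authn_request when redirecting the browser to the IdP, then validate_response with allow_unsolicited=False on the ACS endpoint for the SP-initiated flow; set allow_unsolicited=True only for SPs that deliberately accept IdP-initiated logins, since those responses cannot be tied to a request and rely on the audience, validity window and seen-assertion checks alone.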