1.- A user opens their web-browser and goes to travelocity.com which stores all of their info. travelocity.com doesn't handle authentication itself.
2.- To authenticate the user travelocity.com constructs a SAML Authnrequest, signs it (public certification), optionally encrypts it, and encodes it. After which, it redirects the user's web browser to the Identidy Provider (IdP) in order to authenticate. The IdP receives the request, decodes it, decrypts it if necessary, and verifies the signature (public certification of travelocity.com).
3.-Login Page. With a valid Authnrequest the IdP will present the user with a login form in which they can enter their username and password.
4.- Once the user has logged in, the IdP generates a SAML token that includes identity information about the user (such as their username, email, etc). The Id takes the SAML token and redirects the user back to the Service Provider (travelocity.com).
5.- Access Control Decision: travelocity.com verifies the SAML token, decrypts it if necessary, and extracts out identity information about the user, such as who they are and what their permissions might be. travelocity.com now logs the user into its system, presumably with some kind of cookie and session.
6.-At the end of the process the user can interact with travelocity.com as a logged in user. The user's credentials never passed through travelocity.com, only through the Identity Provider.
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
No comments:
Post a Comment