SSO with POST binding
14.2. SAML web browser SSO with POST binding

With POST binding the SAML assertion issued by the Airlock IAM (IDP) is transmitted through the clients' web browser to the SP. If possible, Artifact Binding should be used for various reasons (see below).

  • 1.
    (Optional; this step can be skipped) The user tries to access the service provided by the SP with his browser. Since the user is not authenticated, he will be redirected to Airlock IAM to obtain the Assertion. This redirect contains an 'Authentication Request' of the SP so that Airlock IAM knows where the user initially intended to go.
  • If this step is performed, the process is called "SP initiated SSO", otherwise (when the user starts on the IDP which 'somehow' has to know where to send the user to) it is called "IDP initiated SSO".

  • 2.
    Airlock IAM authenticates the user and after successful authentication generates a SAML Assertion containing the information that the user was authenticated (note that the SAML Assertion can also contain additional information about the user and the authentication performed).
  • 3.
    Airlock IAM sends the SAML assertion as part of a HTML-Form (including a JavaScript for automatic form submission) to the browser.
  • 4.
    The browser executes the JavaScript and submits the SAML Assertion to the SP. Then the SP validates the SAML Assertion and decides whether it accepts the assertion. If the assertion was accepted by the SP, access to the service provided by the SP is granted.

Note that if Airlock IAM is used behind Airlock Gateway (WAF) the first request (sign-on attempt) typically goes directly to Airlock IAM rather than to the SP since Airlock Gateway (WAF) prevents the user from contacting the SP directly.

  • No direct communication path between Airlock IAM and the SP has to exist.
  • The web browser must support JavaScript.
  • The content of the SAML assertions can be read on the system running the browser (which can be mitigated by optionally encrypting the contents).
  • POST binding might not be possible when using the cookie attribute SameSite=Lax and the SP is situated on another domain.