SAML web browser SSO with POST binding

With POST binding the SAML assertion issued by Airlock IAM (IDP) is transmitted through the client's web browser to the SP. If possible, Artifact Binding should be used instead, for the reasons listed under Drawbacks below.

  1. (Optional; this step can be skipped) The user tries to access the service provided by the SP with his browser. Since the user is not authenticated, he is redirected to Airlock IAM to obtain the assertion. This redirect carries an 'Authentication Request' from the SP, so that Airlock IAM knows where the user initially intended to go.
  2. If this step is performed, the process is called "SP initiated SSO"; otherwise (when the user starts on the IDP, which 'somehow' has to know where to send the user) it is called "IDP initiated SSO".
  3. Airlock IAM authenticates the user and, after successful authentication, generates a SAML assertion stating that the user was authenticated (the SAML assertion can also carry additional information about the user and the authentication performed).
  4. Airlock IAM sends the SAML assertion as part of an HTML form (including JavaScript for automatic form submission) to the browser.
  5. The browser executes the JavaScript and submits the SAML assertion to the SP. The SP then validates the SAML assertion and decides whether to accept it. If the assertion is accepted by the SP, access to the service provided by the SP is granted.

Note that if Airlock IAM is used behind Airlock Gateway (WAF) the first request (sign-on attempt) typically goes directly to Airlock IAM rather than to the SP since Airlock Gateway (WAF) prevents the user from contacting the SP directly.
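As an added example (not Airlock IAM's or any SP's own code) of steps 4 and 5: the IDP places the base64-encoded SAML Response in the hidden SAMLResponse form field, and the SP, after a SAML library has verified the XML signature (not done here), checks Destination, InResponseTo, validity window and Audience before accepting. The Response XML, ACS URL, entity ID and request ID are constructed sample values; a missing request ID models IDP initiated SSO.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample Response; a real one also carries an xmldsig Signature.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/acs" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://iam.example.com</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def saml_time(value):
    """SAML timestamps are UTC xsd:dateTime; this parses the common 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def acs_form_field(xml_text):
    """Step 4: the hidden SAMLResponse field of the IDP's auto-submit form is base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()

def check_response(form_field, acs_url, entity_id, request_id, now):
    """Step 5 checks after signature verification. Returns rejection reasons (empty = accept).
    request_id is None for IDP initiated SSO, where no AuthnRequest is outstanding."""
    root = ET.fromstring(base64.b64decode(form_field))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return problems + ["Response carries no Assertion with Conditions"]
    if now < saml_time(cond.get("NotBefore")):
        problems.append("Assertion not yet valid")
    if now >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("Assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not include this SP")
    return problems
```

In production, parse the untrusted XML with a hardened parser (for example defusedxml) and verify the signature before any of these checks.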

Advantages

  • No direct communication path between Airlock IAM and the SP has to exist.

Drawbacks

  • The web browser must support JavaScript.
  • The content of the SAML assertion can be read on the system running the browser (this can be mitigated by optionally encrypting the assertion).
  • POST binding might not be possible when the cookie attribute SameSite=Lax is used and the SP is situated on another domain.