How SAML Works
SAML SSO works by transferring the user’s identity from one place (the identity provider, i.e. the client’s system) to another (the service provider, i.e. Policy Manager). This is done through an exchange of digitally signed XML documents.
Consider the following scenario: A user is logged into a system that acts as an identity provider. The user wants to log in to a remote application, such as the Policy Manager™ application (the service provider). The following happens:
- The user accesses the remote application (i.e. Policy Manager™) using a link on an intranet, a bookmark, or similar, and the application loads.
- The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider (client), asking for authentication. This is the authentication request <AuthnRequest>.
- The user either has an existing active browser session with the identity provider (client) or establishes one by logging into the identity provider (client).
- The identity provider (client) builds the authentication response (the SAML Response) as an XML document containing the user’s username, email, firstname, lastname, department, userTitle, Site, and Profile; signs it with the private key of its X.509 certificate; and posts this information to the service provider (Policy Manager™).
- The service provider (Policy Manager™), which already knows the identity provider (client) and holds its certificate fingerprint, receives the authentication response and validates its signature using that certificate fingerprint.
- The identity of the user is established and the user is granted access to the application.
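The service-provider side of the last two steps, as an added example that is not Policy Manager™ code: it pins the signing certificate by SHA-256 fingerprint, checks the assertion’s validity window and audience, and extracts the attributes listed above. The entity ID, the certificate bytes and the sample Response are constructed placeholders; the XML-DSig signature check itself is delegated to a library and not reproduced.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = {"username", "email", "firstname", "lastname", "department", "userTitle", "Site", "Profile"}
SP_ENTITY_ID = "https://policymanager.example/saml/sp"  # assumed SP entity ID, not from the article
# Constructed stand-in for the IdP certificate's DER bytes (not a real certificate); the SP
# recorded its SHA-256 fingerprint out-of-band when the IdP was registered.
IDP_CERT_DER = b"constructed-idp-certificate-bytes"
PINNED_FINGERPRINT = hashlib.sha256(IDP_CERT_DER).hexdigest()

def build_response(cert_der=IDP_CERT_DER, audience=SP_ENTITY_ID, not_after="2099-01-01T00:00:00Z"):
    """Constructed <samlp:Response> carrying the attributes the article lists (test input only)."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{n}-value</saml:AttributeValue>'
                    f'</saml:Attribute>' for n in sorted(REQUIRED))
    cert = base64.b64encode(cert_der).decode()
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="{not_after}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now=None):
    """Return the asserted attributes, or raise ValueError if the SP must not trust the response."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # 1. Only the cert inside the assertion's own ds:Signature counts; it must match the pin (constant-time).
    cert_b64 = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    fingerprint = hashlib.sha256(base64.b64decode(cert_b64 or "")).hexdigest()
    if not hmac.compare_digest(fingerprint, PINNED_FINGERPRINT):
        raise ValueError("signing certificate does not match the pinned IdP fingerprint")
    # 2. Verifying ds:SignatureValue over the assertion is delegated to an XML-DSig library (e.g. signxml).
    # 3. Validity window and audience limit replay and relaying of the assertion to another SP.
    cond = assertion.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is not addressed to this service provider")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if REQUIRED.difference(attrs):
        raise ValueError(f"assertion lacks attributes: {sorted(REQUIRED.difference(attrs))}")
    return attrs
```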