IdP-initiated Single Sign-On

In IdP-initiated SSO, the user starts at the IdP site, logs in and clicks a link to the SP site, which initiates SSO.
The following diagram outlines the IdP-initiated SSO flow.


  1. The user browses to the IdP site.

  2. If the user is not already authenticated at the IdP, the user must present their credentials and log in.

  3. The user clicks a link to the SP site.

  4. The IdP sends a SAML response containing a SAML assertion to the SP.

  5. The SP uses the information contained in the SAML assertion, including the user’s name and any associated attributes, and performs an automatic login.

Note that steps 2 and 3 may be in reverse order.