SAML flows

Principals (users) can reach an application through one of the following flows:

Identity provider (IdP) flow: The principal starts at the IdP and launches the application from there, rather than at the service provider (SP) resource. In EAA, this happens from the EAA Login Portal after the user has authenticated. When the user clicks an application icon, EAA sends a SAML assertion (the authentication statement) to the SP's Assertion Consumer Service (ACS), and the user is signed into the service without providing credentials again.

[Figure: EAA SAML IdP-initiated flow]
Service provider (SP) flow: The details of an SP-initiated flow depend on the target application. Generally, the SP flow is:
  1. From a browser, the principal goes directly to the web resource without having authenticated.
  2. The resource (SP) redirects the principal to the IdP to authenticate.
  3. Once authenticated, the principal is redirected back to the web resource with the assertion.
EAA can act as the SP when user identities are managed by a third-party IdP such as Ping. In that case EAA is the protected resource: it sends the authentication request for the principal to the third-party IdP, which authenticates the principal and redirects them back to EAA. EAA can also be the IdP in an SP-initiated flow. For example, when a user browses directly to a SaaS application by its hostname, the application (as SP) generates a SAML Authentication Request and redirects the user with it to the EAA SAML IdP; after the user authenticates, EAA returns the assertion to the application's ACS.
[Figure: EAA SAML IdP (SP-initiated flow)]
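The two flows above as a worked example. This is added illustration code, not EAA's implementation and not part of the original page; the IdP SSO URL, SP entity ID and ACS URL are placeholder values, and XML signature handling (which a real ACS must perform before anything else) is omitted. It builds an SP-initiated AuthnRequest and packs it in the HTTP-Redirect binding, unpacks it on the IdP side, and then applies the SP-side ACS checks that distinguish an SP-initiated Response (carrying `InResponseTo` for a request the SP actually issued) from an IdP-initiated one (no `InResponseTo`, which the SP must explicitly opt in to accept).

```python
"""Added example (not EAA code): SAML message construction and SP-side checks
for the IdP-initiated and SP-initiated flows. Endpoints below are hypothetical."""
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical identifiers for the example; not real EAA or SaaS endpoints.
IDP_SSO_URL = "https://idp.example.com/saml/sso"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"


def build_authn_request(request_id, issue_instant):
    """SP-initiated flow, step 2: the SP builds the AuthnRequest it will redirect to the IdP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(data).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # where the SP sends the user afterwards
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url):
    """IdP side: reverse the binding and return the parsed AuthnRequest element."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15).decode())


def build_response(in_response_to, not_on_or_after, destination=SP_ACS_URL):
    """IdP side: a minimal Response with one assertion, as POSTed to the SP's ACS.
    InResponseTo is present only when answering an AuthnRequest (SP flow); an
    IdP-initiated Response has none. Signing is omitted in this example."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" Destination="{destination}"{irt}>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0">'
        f"<saml:Issuer>{IDP_SSO_URL}</saml:Issuer>"
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion></samlp:Response>"
    )


def check_response(response_xml, outstanding_ids, now, accept_unsolicited=False):
    """SP side (ACS) checks that follow signature verification (not shown):
    Destination is our ACS; InResponseTo matches a request we issued (SP flow) or
    is absent (IdP flow, accepted only if the SP opts in); assertion is unexpired.
    Returns (flow, reason) with flow 'sp', 'idp', or None when rejected."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        return None, "destination mismatch"
    irt = root.get("InResponseTo")
    if irt is None:
        if not accept_unsolicited:
            return None, "unsolicited response rejected"
        flow = "idp"
    elif irt in outstanding_ids:
        outstanding_ids.discard(irt)  # each request ID is answered at most once
        flow = "sp"
    else:
        return None, "unknown InResponseTo"
    cond = root.find("saml:Assertion/saml:Conditions", {"saml": NS_SAML})
    expiry = dt.datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        return None, "assertion expired"
    return flow, "ok"


if __name__ == "__main__":
    # SP-initiated: SP issues a request, IdP decodes it, IdP answers with InResponseTo.
    req_id = "_" + uuid.uuid4().hex
    url = redirect_binding_url(build_authn_request(req_id, "2024-01-01T00:00:00Z"), "/target")
    print("IdP sees request ID:", decode_redirect_binding(url).get("ID"))
    now = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    print(check_response(build_response(req_id, "2024-01-01T00:05:00Z"), {req_id}, now))
    # IdP-initiated: no InResponseTo, so the SP must opt in to accept it.
    print(check_response(build_response(None, "2024-01-01T00:05:00Z"), set(), now))
```

The opt-in flag is the practical difference between the two flows from the SP's point of view: in the SP flow the SP can tie the Response to a request it made, while in the IdP flow (as from the EAA Login Portal) it cannot, so the ACS relies entirely on the IdP signature, the `Destination` check and the assertion validity window.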

Next steps: Add a new identity provider