IdP and SP initiated SAML flows

Identity provider (IdP)-initiated
In an IdP-initiated flow, a user first gets the SAML assertion from the identity provider. Then, the user goes to the service provider (SP) for authentication.

IdP-initiated SAML flow looks like this:

1. A user wants to access an application and goes to their IdP.
2. The user logs into the IdP and chooses the application.
3. The IdP forms a SAML assertion and signs it with the private key of a private/public key pair. (The IdP's public key, usually as a signing certificate, is shared with the SP when SSO trust is set up, so the SP can verify the signature.)
4. Then, the user goes to the application with the SAML assertion.
5. The application validates the SAML assertion, and upon successful validation, the user is provided access to the application.

Service provider (SP)-initiated
In an SP-initiated flow, a user first goes to the service provider and gets redirected to the IdP with a SAML request. Then, the user is sent back to the service provider with a SAML assertion.

SP-initiated SAML flow looks like this:

1. A user tries to access an application.
2. The application creates a SAML authentication request and sends it to the user's IdP. The user is redirected to their IdP.
3. The IdP asks the user to log in, and the user is authenticated.
4. Once the user is authenticated, the IdP sends the SAML assertion to the application's assertion consumer service (ACS) URL.
5. The application validates the SAML assertion, and upon successful validation, the user is given access to the application.
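The following is an added example, not code from the original page, of the validation an SP's assertion consumer service performs in step 5 of both flows, and of the one place where the flows differ at the ACS: an SP-initiated assertion must carry an InResponseTo value matching an AuthnRequest the SP itself issued in step 2, while an IdP-initiated assertion arrives unsolicited and is only accepted if the SP chooses to allow that. The entity IDs, the fixed clock and the sample assertion are constructed; the XML-DSig signature check is assumed to have been done by a SAML library and is represented here by a boolean.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple
import secrets
SP_ENTITY_ID = "https://sp.example.com/metadata"        # assumed SP entity ID
IDP_ENTITY_ID = "https://idp.example.org/metadata"      # assumed IdP entity ID
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
@dataclass
class Assertion:  # fields an ACS extracts from a parsed SAML assertion
    id: str
    issuer: str
    audience: str
    not_before: datetime
    not_on_or_after: datetime
    in_response_to: Optional[str]  # set in the SP-initiated flow, absent when IdP-initiated
    signature_valid: bool          # outcome of XML-DSig verification with the IdP's public key
def sample_assertion(**overrides) -> Assertion:
    """Constructed assertion that passes every check unless a field is overridden."""
    fields = dict(id="_" + secrets.token_hex(8), issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                  not_before=NOW - timedelta(minutes=1), not_on_or_after=NOW + timedelta(minutes=5),
                  in_response_to=None, signature_valid=True)
    fields.update(overrides)
    return Assertion(**fields)
@dataclass
class Acs:  # assertion consumer service: the validation in step 5 of both flows
    allow_idp_initiated: bool = True
    pending_requests: Set[str] = field(default_factory=set)    # AuthnRequest IDs we issued
    seen_assertion_ids: Set[str] = field(default_factory=set)  # replay cache
    def start_sp_initiated(self) -> str:
        """Step 2 of the SP-initiated flow: mint an AuthnRequest ID and remember it."""
        request_id = "_" + secrets.token_hex(16)
        self.pending_requests.add(request_id)
        return request_id
    def validate(self, a: Assertion, now: datetime = NOW) -> Tuple[bool, str]:
        if not a.signature_valid:
            return False, "bad signature"
        if a.issuer != IDP_ENTITY_ID or a.audience != SP_ENTITY_ID:
            return False, "wrong issuer or audience"
        if not (a.not_before <= now < a.not_on_or_after):
            return False, "outside validity window"
        if a.id in self.seen_assertion_ids:
            return False, "replayed assertion"
        if a.in_response_to is None:  # unsolicited: only acceptable in the IdP-initiated flow
            if not self.allow_idp_initiated:
                return False, "unsolicited assertion not allowed"
        elif a.in_response_to not in self.pending_requests:
            return False, "InResponseTo does not match a pending request"
        else:
            self.pending_requests.discard(a.in_response_to)  # request IDs are single use
        self.seen_assertion_ids.add(a.id)
        return True, "ok"
```

Setting allow_idp_initiated to False turns the ACS into an SP that accepts only assertions answering its own requests, which is the stricter of the two configurations.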