Standard SP-initiated SSO process

The following diagram summarizes the SP-initiated SSO process.

Standard SP-initiated SSO process

As shown in the diagram, the SP-initiated process steps are:

1. User, who is currently not logged onto the Infinite BrassRing Platform site, attempts to access a protected Infinite BrassRing Platform resource. If available, then a SSO cookie is submitted along with the request to the Infinite BrassRing Platform login page. SSO cookie is available if, for example, a user has already logged on to the Infinite BrassRing Platform using this browser.

   The SSO cookie submission results in one of three possible scenarios.

   Scenario 1: SSO cookie does not exist. If this is the case, then Step 2 is:

   
   Refer to the Enhanced User Experience SP-Initiated SSO section of this document.

   
   Scenario 2: SSO cookie exists, and indicates that the last browser user was SSO enabled. If this is the case, then Steps 2 through 11 are:

2. Federation server generates a SAML request.

3. Federation server returns HTML form to browser, with the IdP's SAML request for authentication.

4. HTML form is automatically posted to IdP's SSO service.

5. IdP's SSO service:

   • Parses SAML request.

   • Authenticates user, either by requesting valid credentials or by checking for valid user session.

6. IdP federation server generates SAML response containing authenticated user's username. In accordance with SAML 2.0 specification, SAML artifact is digitally signed with customer's public and private certificates.

7. IdP federation server sends HTTP redirect containing the artifact through the browser to Infinite BrassRing Platform federation server.

8. Browser automatically posts HTML form back to Infinite BrassRing Platform as per HTTP redirect information.

9. Infinite BrassRing Platform SSO service verifies SAML response using IdP's public key.

10. If a valid assertion is received, then a session is established on the Infinite BrassRing Platform and the browser is redirected to the target resource.

11. Session is established on Infinite BrassRing Platform and browser is redirected to target resource.

    Scenario 3: SSO cookie indicates that user is not SSO enabled. If this is the case, then Steps 10 and 11 are:

    10. The user is redirected to the Infinite BrassRing Platform login page for authentication.

    
    11. If the user's credentials are valid, then a session is established on the Infinite BrassRing Platform and the browser is redirected to the target resource.

    Once the user has been authenticated, either by the IdP's SSO service or the Infinite BrassRing Platform login page, a cookie is stored in the user's browser. This cookie will be used to identify the user's SSO status the next time the user tries to access a Infinite BrassRing Platform protected resource via the SP-initiated flow.