Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Say you are a globally distributed enterprise with thousands of branches. Each branch has it's own user store and manages it's own users. Also, each branch hosts it's own web applications. An a globally distributed enterprise with so many branches, it is useful to know how to enable single sign-on across branches in a highly scalable manner. For the purposes of describing this scenario, let's consider two domains, i.e., Foo and Bar. The following image depicts the process.

Image RemovedImage Added

  1. The user in Domain Foo tries to access a Web App in the same domain.
  2. The Web App finds out that the user is not authenticated and the user is redirected to the SAML2 IdP in the same domain.
  3. SAML2 IdP finds out that the user does not have an authenticated session and the user is prompted for authentication. Once authenticated, SAML2 IdP redirects the user to the Web App with the SAML2 Response. Additionally, a cookie is written for the user's browser under the Foo SAML2 IdP domain.
    Image RemovedImage Added
  4. Now the user from Domain Foo tries to access a Web App in Domain Bar. When the request to Domain Bar is initiated from Domain Foo, a proxy in Domain Foo adds a special HTTP Header [federated-idp-domain] to indicate which domain generates the request.
  5. The Web App in Domain Bar finds out the user is not authenticated and redirects the user to the SAML2 IdP in it's own domain [Domain Bar].
  6. The SAML2 IdP in Domain Bar figures out that the user does not have an authenticated session and also reads federated-idp-domain HTTP Header and finds out from where the request was initiated and redirects the user to it's own domain - Domain Foo. Here the Domain Bar IdP creates a SAML2 Request and sends that to the SAML2 IdP in Domain Foo.
  7. Domain Foo IdP checks whether the user has an authenticated session. By referring to the cookie, Foo IdP finds out that the user is already authenticated and sends back a SAML2 Response to the SAML2 IdP in Domain Bar.
  8. Bar IdP validates the SAML2 Response and redirects the user back to the Web App in Domain Bar. Now the user can log in to the Web App. Bar IdP also writes a cookie to user's browser under its own domain.
    Image RemovedImage Added
  9. Now the user from Domain Foo tries to access another Web App in Domain Bar. When the request to the Domain Bar initiated from the Domain Foo, a proxy in the Domain Foo adds a special HTTP Header [federated-idp-domain] to indicate from which domain the request is being generated.
  10. The Web App in Domain Bar finds out the user is not authenticated and redirects to the SAML2 IdP in its own domain [Domain Bar].
  11. The SAML2 IdP in Domain Bar figures out that the user has an authenticated session, by checking the cookie which it wrote in step-8. The user is redirected back to the Web App with the SAML2 Response. Now the user can log in to the Web App.

...