What is the process wherein a web app (SP) communicates with an external identity provider (IDP) such as SurePassID SAML IdP for authentication?

What happens when a web app uses an external IDP and a user signs in?

Part 2: SAML2 Authentication Flow (Runtime)
This is what happens when a user tries to log into your web app using the external IdP.
  1. User Tries to Access the Web App (SP):
    • The user visits https://yourapp.com and clicks "Login with SSO."
    • The SP checks: "This user needs to authenticate via the IdP."
  2. SP Creates an Authentication Request:
    • The SP generates a SAML AuthnRequest (an XML message).
    • It includes:
      • The SP’s Entity ID (e.g., https://yourapp.com/saml2).
      • The ACS URL (where the IdP should send the response).
    • The request may be signed with the SP’s private key for security.
  3. SP Sends the Request to the IdP:
    • The user’s browser is redirected to the IdP’s SSO URL (e.g., https://idp.example.com/sso) with the AuthnRequest attached (often as a URL parameter or POST data).
  4. IdP Authenticates the User:
    • The IdP receives the request and checks its validity (e.g., verifies the SP’s signature).
    • If the user isn’t logged in, the IdP shows a login page (username/password, MFA, etc.).
    • The user enters their credentials, and the IdP verifies them.
  5. IdP Creates a SAML Response:
    • Once authenticated, the IdP generates a SAML Assertion (an XML message).
    • It includes:
      • The user’s identity (e.g., email or username).
      • The Audience URL (must match the SP’s Entity ID).
      • A signature (using the IdP’s private key) to prove it’s legit.
    • The assertion is often encrypted with the SP’s public key (taken from the SP’s certificate).
  6. IdP Sends the Response Back to the SP:
    • The user’s browser is redirected to the SP’s ACS URL (e.g., https://yourapp.com/saml2/acs) with the SAML Assertion attached.
  7. SP Processes the Response:
    • The SP receives the assertion and:
      • Verifies the IdP’s signature using the IdP’s public certificate.
      • Decrypts the message (if encrypted) using the SP’s private key.
      • Checks that the Audience URL matches its own Entity ID.
    • If everything checks out, the SP logs the user in and creates a session.
  8. User Access Granted:
    • The user is now logged into the web app and can use it as intended.