...

  1. Client sends user to SSO for authentication.
  2. The user authenticates with the SSO server, usually with a username/password.
  3. The SSO returns an assertion to the Client, proving that the current user has authenticated.
  4. The Client requests an OAuth Token from the Authorization Server, including the SAML Assertion.
  5. The Authorization Server verifies the assertion was signed by a trusted IDP and returns an OAuth Token.
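
The client-side request (step 4) and the Authorization Server's checks on the assertion (step 5), as an added example that is not part of the original page or of WSO2's code. The issuer, endpoint URLs and the unsigned sample assertion are constructed for illustration; the XML-DSig check that proves the assertion came from a trusted IDP is assumed to be supplied by the caller (for example from python-xmlsec) and is not implemented here.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type

def build_token_request(assertion_xml: str, scope: str = "openid") -> dict:
    """Client side (step 4): the assertion travels base64url-encoded, unpadded, in the form body."""
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return {"grant_type": GRANT, "assertion": enc, "scope": scope}

def _ts(value: str) -> dt.datetime:
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(form, trusted_issuers, token_endpoint, now, signature_ok) -> str:
    """Authorization Server side (step 5). Returns the asserted subject or raises ValueError.
    signature_ok(root, issuer) is an assumed caller-supplied XML signature check."""
    if form.get("grant_type") != GRANT:
        raise ValueError("unsupported grant_type")
    raw = form["assertion"]
    root = ET.fromstring(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer")  # reject before doing any signature work
    if not signature_ok(root, issuer):
        raise ValueError("signature not from the trusted IDP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing validity window")
    if now >= _ts(cond.get("NotOnOrAfter")) or (cond.get("NotBefore") and now < _ts(cond.get("NotBefore"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if token_endpoint not in audiences:  # stops an assertion minted for another service being replayed here
        raise ValueError("assertion not intended for this token endpoint")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("missing subject")
    return subject

# Constructed sample assertion (no ds:Signature element; a real one is signed by the IDP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" Version="2.0">
<saml:Issuer>https://idp.example.com</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://as.example.com/oauth2/token</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""
DEMO_NOW = dt.datetime(2024, 1, 1, 0, 1, tzinfo=dt.timezone.utc)  # inside the sample window

if __name__ == "__main__":
    req = build_token_request(SAMPLE)
    print(validate_assertion(req, {"https://idp.example.com"}, "https://as.example.com/oauth2/token", DEMO_NOW, lambda r, i: True))
```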

Example:

Pros & Cons:

  • User only has to authenticate once.
    • However, in the normal scenario, if the Authorization Server uses the same SSO IDP, the user will already have a session when sent to authenticate and will be returned immediately. The end result is that the user is only prompted for their username/password once.
  • The SAML Assertion has to be in a format that both the Client and the Authorization Server can process.
    • In particular, WSO2's Identity Server has configurations for extracting and transforming SAML assertions, but these are not available in the SAML2 Bearer Assertion grant type.

Notes:

Below is the code used on https://www.websequencediagrams.com/ to generate the diagrams above.

...