...
- The Client sends the user to the SSO for authentication.
- The user authenticates with the SSO server, usually with a username/password.
- The SSO returns an assertion to the Client, proving that the current user has authenticated.
- The Client requests an OAuth Token from the Authorization Server, including the SAML Assertion in the request.
- The Authorization Server verifies that the assertion was signed by a trusted IDP and returns an OAuth Token.
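As an added example (not code from this page and not WSO2 Identity Server's own implementation), the following Python sketches the last two steps above from the Authorization Server's side: the Client builds the RFC 7522 token request, and the server decodes the assertion and applies the checks that decide whether an OAuth Token is issued. The token endpoint URL, the trusted IDP entity ID, the sample assertion and the token format are constructed assumptions. XML-DSig verification is delegated to a caller-supplied function; the stand-in used here simply trusts the `Issuer` element so the remaining checks can run offline, whereas a real server must verify the enveloped signature with an XML-Signature library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Assumed deployment values, constructed for this example.
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"
TRUSTED_IDPS = {"https://idp.example.org/saml"}
CLOCK_SKEW = timedelta(seconds=60)

def parse_time(value):  # SAML uses UTC xsd:dateTime values, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(assertion_xml, now, verify_signature, replay_cache):
    """RFC 7522 section 3 checks; returns the subject NameID or raises ValueError.
    verify_signature(root) must return the entity ID whose key verified the
    enveloped XML-DSig signature, or None (use a real XML-Signature library)."""
    root = ET.fromstring(assertion_xml)
    if root.tag != SAML + "Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    # 1. Issuer is a trusted IDP and the signature was made with that IDP's key.
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    if issuer not in TRUSTED_IDPS:
        raise ValueError("untrusted issuer: %r" % issuer)
    if verify_signature(root) != issuer:
        raise ValueError("signature missing, invalid, or not from the issuer")
    # 2. Validity window from <Conditions>, allowing a small clock skew.
    cond = root.find(SAML + "Conditions")
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions or expiry")
    if cond.get("NotBefore") and now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # 3. Audience must name this Authorization Server.
    audiences = [a.text.strip() for a in cond.iter(SAML + "Audience") if a.text]
    if TOKEN_ENDPOINT not in audiences:
        raise ValueError("audience does not include this server: %r" % audiences)
    # 4. Subject with a bearer SubjectConfirmation addressed to this endpoint.
    subject = root.find(SAML + "Subject")
    name_id = subject.findtext(SAML + "NameID") if subject is not None else None
    if not name_id:
        raise ValueError("missing Subject/NameID")
    confirmed = False
    for sc in subject.iter(SAML + "SubjectConfirmation"):
        data = sc.find(SAML + "SubjectConfirmationData")
        if sc.get("Method") != BEARER_METHOD or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") == TOKEN_ENDPOINT and expiry and now - CLOCK_SKEW < parse_time(expiry):
            confirmed = True
    if not confirmed:
        raise ValueError("no valid bearer SubjectConfirmation for this endpoint")
    # 5. One-time use: the same bearer assertion must not obtain a second token.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in replay_cache:
        raise ValueError("assertion ID missing or already used")
    replay_cache.add(assertion_id)
    return name_id.strip()

def handle_token_request(body, now, verify_signature, replay_cache):
    """Token endpoint (Authorization Server step): returns (status, response dict)."""
    form = parse_qs(body)
    if form.get("grant_type") != [SAML2_BEARER]:
        return 400, {"error": "unsupported_grant_type"}
    try:
        raw = form["assertion"][0]  # base64url, padding optional per RFC 7522
        xml_bytes = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        subject = validate_assertion(xml_bytes, now, verify_signature, replay_cache)
    except (KeyError, ValueError, ET.ParseError) as exc:
        return 400, {"error": "invalid_grant", "error_description": str(exc)}
    return 200, {"access_token": "tok-for-" + subject, "token_type": "Bearer"}  # constructed token

def build_request(assertion_xml):  # Client step: form body carrying the assertion
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": SAML2_BEARER, "assertion": enc})

def demo_verifier(root):
    """Stand-in for XML-DSig verification (constructed): trusts the Issuer element
    so the other checks can be exercised offline. Not for production use."""
    return (root.findtext(SAML + "Issuer") or "").strip()

# Constructed sample of the assertion the SSO returned to the Client.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://as.example.com/oauth2/token" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://as.example.com/oauth2/token</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""

if __name__ == "__main__":
    cache, req = set(), build_request(SAMPLE_ASSERTION)
    print(handle_token_request(req, parse_time("2024-05-01T12:01:00Z"), demo_verifier, cache))
    print(handle_token_request(req, parse_time("2024-05-01T12:01:00Z"), demo_verifier, cache))  # replay
    print(handle_token_request(req, parse_time("2024-05-01T12:10:00Z"), demo_verifier, set()))  # expired
```

Two design points are worth noting. The signer returned by the signature check is compared against the `Issuer` element rather than just against the trusted set, so an assertion signed by one trusted IDP cannot claim to come from another. The replay cache must be shared across all token-endpoint instances and expire entries no earlier than the assertion's `NotOnOrAfter`, otherwise a captured assertion can be presented to a second node.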
Example:
Pros & Cons:
- User only has to authenticate once.
- However, in the normal scenario, if the Authorization Server uses the same SSO IDP, the user will already have a session when sent to authenticate and will be returned immediately. The end result is that the user is only prompted for their username/password once.
- The SAML Assertion has to be in a format that both the Client and the Authorization Server can process.
- In particular, WSO2's Identity Server has configurations for extracting and transforming SAML assertions, but these are not available in the SAML2 Bearer Assertion grant type.
Notes:
Below is the code used on https://www.websequencediagrams.com/ to generate the diagrams above.
...