Trying to understand SSO, IDP and SP

jazzIIIlove
Hi;

I am trying to understand SSO concept.

Here in the link, http://lersse-dl.ece.ubc.ca/record/285/files/websso_usability_journal.pdf at page 7, Figure 1a, I see a flow that the client starts the initiation via IDP and it is redirected to IDP and authentication is done.
1) At this point, has the authentication been done?
2) and, why is there another redirection to RP (4)?

My other questions are that in https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile at section Web Browser SSO Profile,
3) I couldn't differentiate the order in sections between SP POST Request; IdP POST Response and SP Redirect Artifact; IdP Redirect Artifact. Can you explain?
4) And comparing to the above question 3, is RP representing SP?
5) And finally, is the SSO authentication ordered always as from Client->IDP->SP? Or can this order be changed?
IT Business Systems Analyst / Software Developer
Top Expert 2015
Commented:
I see a flow that the client starts the initiation via IDP

I don't see that. I would say that the flow starts with the client and the RP (the RP being the site that you want to log in to). This is when you get the picture like in Figure 1b, where you have a number of options to sign in with your Facebook, Twitter, Google, etc, etc account. You click on one of those buttons and then the RP redirects you to the appropriate IdP page

1) At this point, has the authentication been done?

At what point, there are a number of "points" in the flow in that figure. Do you mean "at the point where all flows (1 to 4) have completed"? If so, then yes, at that point you have been authenticated via your FB account (or whatever you chose) and now the website at the RP that you really are wanting to use knows who you are.

2) and, why is there another redirection to RP (4)?

Well, otherwise, you'd still be on the IdP website and you can't do much there. You get redirected back to the RP so that you can do whatever you originally went to RP's site to do.

3) I couldn't differentiate the order in sections between SP POST Request; IdP POST Response and SP Redirect Artifact; IdP Redirect Artifact. Can you explain?

There isn't a lot of difference in the ORDER, the only difference is how the SP and IdP communicate the information that they need to exchange. In the POST example, the data (that SAML XML data) that the SP needs to provide to the IdP can be included in the form which then gets posted to the IdP. And the same for the data that the IdP eventually sends back to the SP.

However, in the case of using "redirects", this data can't be included directly in the redirect because the only place to put it would be in the redirect URL but there are limitations on the size of data to include there, and so instead of including it directly, the SP puts an "artifactId" and then the IdP DIRECTLY communicates with the SP to resolve the actual data associated with the artifactId. And then the same needs to happen to get the data from the IdP back to the SP once the authentication completes.

4) And comparing to the above question 3, is RP representing SP?

Correct, the RP (relying party) relies on the IdP to authenticate a user, but it is also the SP (service provider) that is trying to provide a service to an authenticated user. So, yes they are the same thing, it is the website that you are actually trying to use.

5) And finally, is the SSO authentication ordered always as from Client->IDP->SP? Or can this order be changed?

I wouldn't actually say that it is "Client->IDP->SP" at all. I would say that it is more Client->SP->IDP->SP, i.e. the client asks the SP to do something, the SP determines that only authenticated users can do that something and so if not authenticated, the SP directs the user to the IDP to perform the authentication, and once that's done you are directed back to the SP (now as an authenticated user) to finally do that "something" that you wanted to do in the first place.

So no, I can't see how you can change the order of that. Although, some steps may get skipped at certain stages for various reasons, i.e. once you initially authenticate, you now have a session with the SP and so it would just look like "Client->SP", etc.


I hope that helps you understand the processes better. Let us know if you have further questions.
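The Client->SP->IdP->SP order, the POST binding versus the artifact binding, and the "session already exists, skip the IdP" shortcut described in the answer above can be traced in a small simulation. The following is an added example, not code from the poster or from any SAML library: the SAML XML is stood in for by one-line placeholder strings, the IdP's XML signature by an HMAC over a constructed shared key (`IDP_KEY`), and the browser by direct method calls, so that the hops and the back-channel artifact resolution are visible as a returned trace.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the IdP's signing key (real SAML uses XML signatures).
IDP_KEY = b"constructed-idp-signing-key"


def sign(message: bytes) -> str:
    return hmac.new(IDP_KEY, message, hashlib.sha256).hexdigest()


class IdP:
    """Identity Provider: authenticates `user` and answers the SP's AuthnRequest."""

    def __init__(self, user: str):
        self.user = user
        self.artifacts = {}  # artifact -> (response, signature), for back-channel resolution

    def _response(self, request_id: str) -> bytes:
        return f"<Response InResponseTo='{request_id}' Subject='{self.user}'/>".encode()

    def post(self, request_id: str) -> dict:
        """HTTP-POST binding: the full Response travels in a form body, so size is not an issue."""
        response = self._response(request_id)
        return {"SAMLResponse": base64.b64encode(response).decode(), "Signature": sign(response)}

    def redirect_artifact(self, sp_artifact: str, sp: "SP") -> str:
        """HTTP-Artifact binding: resolve the SP's artifact DIRECTLY with the SP (not via the
        browser), then hand the browser only a short artifact of our own for the redirect URL."""
        request_id = sp.resolve(sp_artifact)
        response = self._response(request_id)
        idp_artifact = secrets.token_urlsafe(16)
        self.artifacts[idp_artifact] = (response, sign(response))
        return idp_artifact

    def resolve(self, artifact: str):
        return self.artifacts.pop(artifact)  # single use: a resolved artifact is gone


class SP:
    """Service Provider / Relying Party: the site the user actually wants to use."""

    def __init__(self, idp: IdP):
        self.idp = idp
        self.sessions = {}   # browser cookie -> authenticated subject
        self.artifacts = {}  # SP artifact -> pending request id
        self.pending = set()  # request ids we issued and have not yet seen answered

    def resolve(self, artifact: str) -> str:
        return self.artifacts.pop(artifact)

    def verify(self, response: bytes, signature: str) -> str:
        """Accept only a correctly signed Response that answers a request we actually issued."""
        if not hmac.compare_digest(sign(response), signature):
            raise ValueError("bad signature")
        text = response.decode()
        request_id = text.split("InResponseTo='")[1].split("'")[0]
        if request_id not in self.pending:
            raise ValueError("unsolicited response")
        self.pending.remove(request_id)
        return text.split("Subject='")[1].split("'")[0]

    def access(self, cookie: str, binding: str):
        """Client asks the SP for something; returns (subject, list of hops taken)."""
        trace = ["Client->SP"]
        if cookie in self.sessions:
            trace.append("SP: existing session, no IdP round trip")
            return self.sessions[cookie], trace
        request_id = "req-" + secrets.token_hex(4)
        self.pending.add(request_id)
        if binding == "post":
            trace.append("SP->IdP: AuthnRequest in POST form")
            form = self.idp.post(request_id)
            trace.append("IdP->SP: Response in POST form")
            subject = self.verify(base64.b64decode(form["SAMLResponse"]), form["Signature"])
        else:
            sp_artifact = secrets.token_urlsafe(16)  # short enough for a redirect URL
            self.artifacts[sp_artifact] = request_id
            trace.append("SP->IdP: redirect carrying only SAMLart")
            idp_artifact = self.idp.redirect_artifact(sp_artifact, self)
            trace.append("IdP->SP: redirect carrying only SAMLart")
            response, signature = self.idp.resolve(idp_artifact)
            trace.append("SP->IdP back-channel: resolve artifact")
            subject = self.verify(response, signature)
        self.sessions[cookie] = subject
        trace.append("SP: session established, serve the original request")
        return subject, trace


if __name__ == "__main__":
    sp = SP(IdP("alice"))
    for binding in ("post", "artifact"):
        print(binding, sp.access(f"cookie-{binding}", binding))
    print("second visit", sp.access("cookie-post", "post"))
```

Both bindings produce the same order of hops; what changes is where the SAML message travels (form body versus back-channel resolution of an artifact). The second `access` with the same cookie shows the skipped steps the answer mentions: once the SP holds a session, the flow collapses to "Client->SP".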
Clean and detailed.
mccarl, IT Business Systems Analyst / Software Developer
Top Expert 2015

Commented:
You're welcome
