Trying to understand SSO, IDP and SP

Hi,

I am trying to understand SSO concept.

Here in the link, http://lersse-dl.ece.ubc.ca/record/285/files/websso_usability_journal.pdf at page 7, Figure 1a, I see a flow where the client starts the initiation via the IDP, is redirected to the IDP, and authentication is done.
1) At this point, has the authentication been done?
2) and, why is there another redirection to RP (4)?

My other questions are that in https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile at section Web Browser SSO Profile,
3) I couldn't differentiate the order in sections between SP POST Request; IdP POST Response and SP Redirect Artifact; IdP Redirect Artifact. Can you explain?
4) And comparing to the above question 3, is RP representing SP?
5) And finally, is the SSO authentication ordered always as from Client->IDP->SP? Or can this order be changed?
jazzIIIlove asked:
mccarl (IT Business Systems Analyst / Software Developer) commented:
> I see a flow that the client starts the initiation via IDP

I don't see that. I would say that the flow starts with the client and the RP (the RP being the site that you want to log in to). This is when you get the picture like in Figure 1b, where you have a number of options to sign in with your Facebook, Twitter, Google, etc. account. You click on one of those buttons and then the RP redirects you to the appropriate IdP page.

> 1) At this point, has the authentication been done?

At what point? There are a number of "points" in the flow in that figure. Do you mean "at the point where all flows (1 to 4) have completed"? If so, then yes, at that point you have been authenticated via your FB account (or whatever you chose) and now the website at the RP that you really are wanting to use knows who you are.

> 2) and, why is there another redirection to RP (4)?

Well, otherwise, you'd still be on the IdP website and you can't do much there. You get redirected back to the RP so that you can do whatever you originally went to RP's site to do.

> 3) I couldn't differentiate the order in sections between SP POST Request; IdP POST Response and SP Redirect Artifact; IdP Redirect Artifact. Can you explain?

There isn't a lot of difference in the ORDER; the only difference is how the SP and IdP communicate the information that they need to exchange. In the POST example, the data (that SAML XML data) that the SP needs to provide to the IdP can be included in the form which then gets posted to the IdP. And the same for the data that the IdP eventually sends back to the SP.

However, in the case of using "redirects", this data can't be included directly in the redirect because the only place to put it would be in the redirect URL, but there are limitations on the size of data to include there, and so instead of including it directly, the SP puts an "artifactId" and then the IdP DIRECTLY communicates with the SP to resolve the actual data associated with the artifactId. And then the same needs to happen to get the data from the IdP back to the SP once the authentication completes.

> 4) And comparing to the above question 3, is RP representing SP?

Correct, the RP (relying party) relies on the IdP to authenticate a user, but it is also the SP (service provider) that is trying to provide a service to an authenticated user. So, yes they are the same thing, it is the website that you are actually trying to use.

> 5) And finally, is the SSO authentication ordered always as from Client->IDP->SP? Or can this order be changed?

I would actually say that it isn't "Client->IDP->SP" at all. I would say that it is more Client->SP->IDP->SP, i.e. the client asks the SP to do something, the SP determines that only authenticated users can do that something and so, if not authenticated, the SP directs the user to the IDP to perform the authentication, and once that's done you are directed back to the SP (now as an authenticated user) to finally do that "something" that you wanted to do in the first place.

So no, I can't see how you can change the order of that. Although, some steps may get skipped at certain stages for various reasons, i.e. once you initially authenticate, you now have a session with the SP and so it would just look like "Client->SP", etc.


I hope that helps you understand the processes better. Let us know if you have further questions.
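Added example, not from the thread or from either poster: a small Python simulation of the SP-initiated Web Browser SSO order described above (Client->SP->IdP->SP) that also shows the two bindings from question 3 side by side. With the HTTP-POST binding the signed response itself rides in the browser's form post back to the SP; with the HTTP-Artifact binding the browser only carries an artifact and the SP resolves it over a direct back channel to the IdP. Everything here is constructed: the entity IDs, the `IdP`/`SP` classes and the `run_flow` helper are hypothetical, and an HMAC over a JSON body stands in for the XML signature on a real SAML response. The SP side shows the checks a relying party has to make before trusting what comes back (signature, issuer, audience, `InResponseTo` against a request it actually issued, validity window), and the second `access` call shows the "Client->SP only" case once a session exists.

```python
"""Constructed simulation of SAML 2.0 Web Browser SSO, SP-initiated.
Not real SAML: HMAC over JSON stands in for the XML-DSig on the response."""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical signing secret; a real IdP signs with a private key and the SP holds its certificate.
IDP_KEY = b"constructed-idp-signing-key"


class IdP:
    def __init__(self, entity_id="https://idp.example/metadata"):  # hypothetical entity ID
        self.entity_id = entity_id
        self.artifacts = {}  # artifact -> signed response, used only by the Artifact binding

    def _sign(self, payload):
        body = json.dumps(payload, sort_keys=True)
        return {"body": body, "sig": hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()}

    def authenticate(self, authn_request, user, binding):
        # Step 3: the user proves identity at the IdP (modelled here as already done).
        response = self._sign({
            "issuer": self.entity_id,
            "in_response_to": authn_request["id"],   # ties the response to the SP's request
            "audience": authn_request["issuer"],     # the SP this assertion is meant for
            "subject": user,
            "not_on_or_after": time.time() + 300,
        })
        if binding == "POST":
            # Step 4 (POST binding): the browser POSTs the whole signed response to the SP's ACS.
            return {"binding": "POST", "SAMLResponse": response}
        # Step 4 (Artifact binding): the browser carries only a short handle.
        artifact = secrets.token_urlsafe(16)
        self.artifacts[artifact] = response
        return {"binding": "Artifact", "SAMLart": artifact}

    def resolve(self, artifact):
        # Back-channel ArtifactResolve: the SP contacts the IdP directly; one-time use.
        return self.artifacts.pop(artifact, None)


class SP:
    def __init__(self, idp, entity_id="https://sp.example/metadata"):  # hypothetical entity ID
        self.idp = idp
        self.entity_id = entity_id
        self.pending = {}   # AuthnRequest id -> issue time, so InResponseTo can be verified
        self.sessions = {}  # browser session id -> authenticated subject

    def access(self, session_id, binding):
        if session_id in self.sessions:
            return {"authenticated": True, "user": self.sessions[session_id]}
        # Steps 1-2: no session, so build an AuthnRequest and redirect the browser to the IdP.
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = time.time()
        return {"redirect_to": self.idp.entity_id, "binding": binding,
                "AuthnRequest": {"id": req_id, "issuer": self.entity_id}}

    def acs(self, delivered, session_id):
        # Steps 4-5: the browser arrives at the Assertion Consumer Service.
        if delivered["binding"] == "Artifact":
            response = self.idp.resolve(delivered["SAMLart"])
            if response is None:
                return {"error": "unknown or reused artifact"}
        else:
            response = delivered["SAMLResponse"]
        expected = hmac.new(IDP_KEY, response["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return {"error": "bad signature"}
        data = json.loads(response["body"])
        if data["issuer"] != self.idp.entity_id:
            return {"error": "unexpected issuer"}
        if data["audience"] != self.entity_id:
            return {"error": "assertion not for this SP"}
        if data["in_response_to"] not in self.pending:
            return {"error": "unsolicited or replayed response"}
        if time.time() >= data["not_on_or_after"]:
            return {"error": "expired"}
        del self.pending[data["in_response_to"]]
        self.sessions[session_id] = data["subject"]
        return {"authenticated": True, "user": data["subject"]}


def run_flow(binding, user="alice"):
    """Drive one login through the given binding and return what each hop produced."""
    idp = IdP()
    sp = SP(idp)
    session = "browser-cookie-1"           # constructed session cookie value
    first = sp.access(session, binding)    # Client->SP: not logged in, get redirected
    delivered = idp.authenticate(first["AuthnRequest"], user, binding)  # SP->IdP, authenticate
    login = sp.acs(delivered, session)     # IdP->SP: SP validates and creates a session
    revisit = sp.access(session, binding)  # Client->SP only: session exists, no redirect
    return {"hops": ["Client->SP", "SP->IdP", "IdP->SP"], "login": login,
            "revisit": revisit, "sp": sp, "idp": idp, "delivered": delivered}


if __name__ == "__main__":
    for b in ("POST", "Artifact"):
        r = run_flow(b)
        print(b, r["hops"], r["login"], r["revisit"])
```

Running it shows both bindings ending in the same place with the same hop order; the only difference is whether the signed data crosses the browser (POST) or is fetched by the SP over the back channel (Artifact). Replaying the delivered POST response or the artifact against a fresh session fails the `InResponseTo` or artifact check, which is why an SP must track the requests it issued rather than accept any well-signed response.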

jazzIIIlove (Author) commented:
Clean and detailed.
mccarl (IT Business Systems Analyst / Software Developer) commented:
You're welcome