SAML flows

Principals (users) reach an application through one of the following two SAML flows:

  • Identity provider (IdP) initiated flow. The principal starts at the IdP and launches the application, the service provider (SP) resource, from there. In Enterprise Application Access (EAA), this happens from the EAA Login Portal after the user has authenticated. When the user clicks an application icon, EAA sends a SAML response carrying an authentication assertion to the SP's Assertion Consumer Service (ACS). The user is signed in to the service without entering credentials again. The diagram below shows the Enterprise Application Access SAML IdP-initiated flow.

EAA SAML IdP initiated flow

  • Service provider (SP) initiated flow. The details depend on the target application, but in general the SP flow is as follows:

  1. From a browser the principal attempts to go directly to the web resource without authenticating.

  2. The principal is redirected to the IdP to authenticate.

  3. Once authenticated the principal is redirected back to the web resource.

Enterprise Application Access can act as the SP when the principal's identity is managed by a third-party IdP such as Ping. In that case Enterprise Application Access is the protected resource: it sends the authentication request for the principal to the third-party IdP, which authenticates the principal and redirects them back to Enterprise Application Access. Enterprise Application Access can also be the IdP in an SP-initiated flow. For example, when a user browses to a SaaS application by the application's hostname, the application (acting as the SP) generates a SAML authentication request and redirects the user to the EAA SAML IdP. The diagram below shows the Enterprise Application Access SAML IdP SP-initiated flow.

EAA SAML IdP SP initiated flow
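The two flows described above, as an added example that is not part of this page or of Enterprise Application Access: a minimal Python SP side that builds the SAML AuthnRequest for the HTTP-Redirect binding (step 2 of the SP flow) and then checks the SAML Response delivered to its ACS (step 3). The same consume_response check also covers the IdP-initiated case, where the Response arrives with no InResponseTo because no AuthnRequest preceded it, so accepting it is a policy decision rather than a correlation check. The entity IDs, endpoints, user name, fixed clock and the unsigned sample Response are constructed placeholders, not EAA values, and XML signature verification is deliberately left out; a real ACS must verify the IdP's signature before trusting any field below.

```python
"""SP-side SAML 2.0 helpers for the two flows above.  Constructed example, not EAA
code: hostnames, entity IDs and the user are placeholders and the Response is unsigned.
XML signature verification is out of scope here and mandatory in a real ACS."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"    # assumed SP entityID
SP_ACS_URL = "https://app.example.com/saml/acs"           # assumed SP ACS endpoint
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"   # assumed IdP entityID
IDP_SSO_URL = "https://idp.example.com/saml/sso"          # assumed IdP SSO endpoint
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id, now=NOW):
    """SP flow, step 2: the SP asks the IdP to authenticate the principal."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(query)}"


def decode_redirect(url):
    """What the IdP does with the redirect: the inverse of redirect_url."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def sample_response(in_response_to=None, now=NOW, audience=SP_ENTITY_ID):
    """Constructed, unsigned Response for alice; in_response_to=None models the IdP-initiated flow."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
        f'Version="2.0" IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{ts(now + timedelta(minutes=5))}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def consume_response(response_xml, outstanding_ids, now=NOW, allow_unsolicited=False):
    """SP flow, step 3 (and the IdP-initiated arrival at the ACS).  Returns (ok, detail):
    the NameID on success, otherwise the check that failed.  Signature check omitted."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not this ACS"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    irt = root.get("InResponseTo")
    if irt is None:  # IdP-initiated: nothing to correlate with, so this is a policy decision
        if not allow_unsolicited:
            return False, "unsolicited Response but IdP-initiated flow is disabled"
    elif irt not in outstanding_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    else:
        outstanding_ids.discard(irt)  # each request ID is consumed exactly once
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None:
        return False, "Assertion has no Conditions"
    parse = lambda attr: datetime.fromisoformat(cond.get(attr).replace("Z", "+00:00"))
    if not (parse("NotBefore") <= now < parse("NotOnOrAfter")):
        return False, "Assertion is outside its validity window"
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        return False, "Audience is not this SP"
    return True, assertions[0].find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    print(redirect_url(build_authn_request("_req1")))             # SP flow, step 2: send the browser here
    print(consume_response(sample_response("_req1"), {"_req1"}))  # SP flow, step 3, at the ACS
```

In the SP-initiated flow the SP keeps the IDs of the AuthnRequests it has issued and consumes each one when the matching Response arrives, which is why the same Response cannot be replayed against the ACS a second time. Passing allow_unsolicited=True is what an SP does when it has been configured to accept the IdP-initiated flow from the EAA Login Portal; with it disabled, a Response that carries no InResponseTo is rejected before its assertion is examined.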