Single Sign-on with SAML 2.0

Introduction

SAML is a popular technology for handling Single Sign-on in an enterprise or academic setting. When a user tries to sign in to the Softadmin® system, their web browser is redirected to a web page at their organization's Identity Provider.

The login flow

The Identity Provider first checks whether the user is already signed in to the Identity Provider, for example because they have already used another of their organization's systems.

If the user is not recognized, they must first authenticate with the Identity Provider, by logging in with a username and password or any other authentication method chosen by the organization.

Once the Identity Provider knows who the user is, it checks whether the user is authorized to use the Softadmin® system.

If the user is both authenticated and authorized, the Identity Provider creates a SAML Assertion describing the user, for example their username, their email address and their surname. The Identity Provider then cryptographically signs this Assertion.

Finally, the Identity Provider causes the user's browser to POST the signed Assertion back to the Softadmin® system, which verifies the signature and then grants the user access.
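The following is an added example, not Softadmin's own code, that walks through the last two steps above: the Identity Provider builds and signs an Assertion for the user, and the Service Provider (the Softadmin side) verifies the signature and then checks the Assertion's validity window, audience and request binding before granting access. Real SAML uses an XML-DSig signature embedded in the Assertion and verified against the IdP's certificate; this example stands in an HMAC over the canonicalised XML (keyed by a shared secret, passed beside the Assertion rather than enveloped in it) so it runs with the Python standard library alone. The entity IDs, the Assertion Consumer Service URL and the key are constructed placeholders, not values from any real deployment.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET
from xml.etree.ElementTree import canonicalize

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC; all datetimes below are naive UTC
# Hypothetical identifiers; real ones come from the SP's and the IdP's metadata.
SP_ENTITY_ID = "https://softadmin.example/saml/metadata"
SP_ACS_URL = "https://softadmin.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/saml"
# Stand-in for XML-DSig: a real IdP signs with its private key and the SP verifies with
# the certificate from IdP metadata; an HMAC shared secret keeps this example stdlib-only.
IDP_KEY = b"constructed-stand-in-signing-key"


def build_assertion(assertion_id, in_response_to, issued_at, username, email, surname,
                    audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """IdP step: describe the authenticated user (constructed, unsigned assertion XML)."""
    not_before, expires = issued_at.strftime(TIME_FMT), (issued_at + lifetime).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>{username}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{SP_ACS_URL}" NotOnOrAfter="{expires}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{expires}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>{surname}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sign_assertion(assertion_xml, key=IDP_KEY):
    """IdP step: sign the canonical (C14N) form, so whitespace-only differences do not
    break verification but any change to the content does."""
    return hmac.new(key, canonicalize(assertion_xml, strip_text=True).encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """The checks the Softadmin side runs on every assertion POSTed to its ACS URL."""
    def __init__(self):
        self.outstanding_requests = set()  # AuthnRequest IDs issued, not yet answered
        self.seen_assertion_ids = set()    # enforces one-time use of each assertion

    def start_login(self, request_id):
        self.outstanding_requests.add(request_id)

    def consume(self, assertion_xml, signature, now):
        """Return the user's attributes, or raise ValueError with the reason for rejection."""
        # 1. Verify the signature before trusting anything inside the document.
        if not hmac.compare_digest(sign_assertion(assertion_xml), signature):
            raise ValueError("signature invalid")
        root = ET.fromstring(assertion_xml)
        # 2. Validity window (short by design: a leaked assertion goes stale quickly).
        cond = root.find("saml:Conditions", NS)
        if not (datetime.strptime(cond.get("NotBefore"), TIME_FMT) <= now
                < datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)):
            raise ValueError("outside validity window")
        # 3. Audience: a valid assertion issued for another SP must not log anyone in here.
        audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise ValueError("audience mismatch")
        # 4. Bearer confirmation: a reply to a request this SP issued, delivered to this SP's ACS.
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != SP_ACS_URL:
            raise ValueError("wrong recipient")
        if scd.get("InResponseTo") not in self.outstanding_requests:
            raise ValueError("unsolicited or already-answered request")
        if root.get("ID") in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.outstanding_requests.discard(scd.get("InResponseTo"))
        self.seen_assertion_ids.add(root.get("ID"))
        attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                 for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
        attrs["username"] = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        return attrs


def run_demo():
    """Constructed scenario: one valid login, then the rejections an SP must produce."""
    now, sp, results = datetime(2024, 5, 1, 12, 0), ServiceProvider(), {}
    sp.start_login("_req1")
    good = build_assertion("_a1", "_req1", now, "alice", "alice@example.org", "Andersson")
    sig = sign_assertion(good)
    for label, xml, s, at in [
        ("accepted", good, sig, now + timedelta(minutes=1)),
        ("replayed", good, sig, now + timedelta(minutes=1)),
        ("tampered", good.replace("alice", "mallory"), sig, now + timedelta(minutes=1)),
        ("expired", good, sig, now + timedelta(minutes=10)),
    ]:
        try:
            results[label] = sp.consume(xml, s, at)
        except ValueError as e:
            results[label] = str(e)
    return results
```

The order of the checks matters: the signature is verified before any element is read, so nothing an attacker could write into an unsigned document influences the later checks, and the request ID and assertion ID are only consumed once every check has passed. `run_demo()` shows the accepted login returning the username, email and surname from the Assertion, while the same Assertion POSTed a second time, a modified copy, and a late delivery are each rejected with a distinct reason.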