Using Single Sign-On with SAML and a Third-Party Identity Provider
The following high-level steps apply when My webMethods Server authenticates users that are not present in any of the available directory services and are registered only with a trusted identity provider (IDP):
For Identity Provider Initiated SSO:
1. A user that is already authenticated with the IDP attempts to access a protected My webMethods Server resource.
2. The IDP redirects the user to My webMethods Server with the authentication response, sending the SAML response token as a POST parameter using the SAML POST binding.
3. My webMethods Server validates the SAML response based on the signature details it contains. The signature on the assertion is verified using the identity provider's public key, taken from the IDP metadata file configured on the server.
4. My webMethods Server processes the SAML response and verifies the user details present in the token before serving the requested content.
For Service Provider Initiated SSO:
1. A user that is registered with the IDP requests access to a protected My webMethods Server resource.
2. My webMethods Server sends a SAML authentication request through the browser to the SSO service of the IDP.
3. If the user is not logged on to the IDP, the IDP asks for credentials (for example, user ID and password) and the user logs on.
4. The SSO service returns an HTML form to the browser that includes the SAML response with the authentication assertion. The browser posts the HTML form back to My webMethods Server, which verifies the user details and serves the content.
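The checks a service provider applies in the last step of either flow (trusted issuer, signing certificate published in the IDP metadata, validity window, audience), shown as an added Python example that is not My webMethods Server code; the entity IDs, host names, certificate value and SAML response are constructed placeholders, and the XML-DSig signature bytes themselves are left to a proper xmlsec library:

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed IdP metadata; the certificate value is a placeholder, not a real key.
IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/saml"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 MIIC-PLACEHOLDER-IDP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
# Constructed SAML response, as the browser POSTs it back to the server (base64 already decoded).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Issuer>https://idp.example.test/saml</saml:Issuer><ds:Signature><ds:KeyInfo>
  <ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER-IDP-CERT</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://mws.example.test/sp</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
def ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_response(response_xml, metadata_xml, sp_entity_id, now):
    """Return the asserted NameID, or raise ValueError. The signature bytes are not verified
    here (that is an XML-DSig library's job); this enforces the policy checks around it."""
    md = ET.fromstring(metadata_xml)
    idp_id = md.get("entityID")
    trusted = {c.text.strip() for kd in md.findall(".//md:KeyDescriptor", NS)  # no "use" = any use
               if kd.get("use", "signing") == "signing" for c in kd.findall(".//ds:X509Certificate", NS)}
    resp = ET.fromstring(response_xml)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report a successful authentication")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != idp_id:
        raise ValueError("no assertion, or the assertion was not issued by the trusted IdP")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
    if cert not in trusted:
        raise ValueError("assertion signing certificate is not in the IdP metadata")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is expired, not yet valid, or has no validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    return assertion.findtext("saml:Subject/saml:NameID", None, NS)
```

Only after all of these checks, and the cryptographic signature verification they surround, pass should the NameID be mapped to a server user and the requested content served.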