Using Single Sign-On with SAML and a Third-Party Identity Provider

The following high-level steps apply when My webMethods Server authenticates users that are not present in any of the available directory services, and are registered only with a trusted identity provider:

For Identity Provider Initiated SSO:

A user that is already authenticated with the IDP attempts to access a protected My webMethods Server resource.

The IDP redirects the user with the authentication response to My webMethods Server and sends a SAML response token as a POST parameter to My webMethods Server using SAML POST binding.

My webMethods Server validates the SAML response based on the signature details in the SAML response. The signature on the assertion is validated using the public key of the identity provider available in the metadata file.

My webMethods Server processes the SAML response and verifies the user details present in the token before serving the requested content.

For more information about configuring IDP initiated SSO, see Configuring Identity Provider Initiated Single Sign-On with a Third-Party Identity Provider.

For Service Provider Initiated SSO:

A user that is registered with the IDP provider requests access to a protected My webMethods Server resource.

My webMethods Server sends a SAML request for authentication through the browser to the SSO service of the IDP.

If the user is not logged on to the IDP, the IDP asks for credentials (for example ID and password) and the user logs on.

The SSO service returns an HTML form to the browser and includes the SAML response with the authentication assertion. The browser posts the HTML form back to My webMethods Server to verify the user details and serve the content.

For more information about configuring SP initiated SSO, see Configuring Service Provider Initiated Single Sign-On with a Third-Party Identity Provider.