alfresco-community-repo/docs/identity-provider/identity/resource/sequence/saml-is-flow.puml

@startuml
Title: Interaction between Identity Service and SAML
participant "SAML IdP" as S
participant "Identity Service" as IS
participant "Browser" as B
participant "Repository" as R
== flow without SAML ==
B->R: HTTP GET /something
activate B
activate R
note right of R
sees no authorization
header
end note
R->B: redirect
deactivate R
B->IS: authenticate
activate IS
B<-IS: login form
note right of B
user enters
userid and
password
end note
B->IS: credentials
IS->IS: check credentials
IS->B: redirect w/token
deactivate IS
B->R: HTTP GET /something (with token)
activate R
note right of R
sees token in
authorization header
end note
R->IS: validate token
activate IS
IS->R: OK
deactivate IS
R->R: extracts userid from token
R->R: checks authorization of\nuser to something
R->B: something
deactivate R
deactivate B
== flow with SAML ==
B->R: HTTP GET /something
activate B
activate R
note right of R
sees no authorization
header
end note
R->B: redirect
deactivate R
B->IS: authenticate
activate IS
IS->S: get assertion
deactivate IS
activate S
S->B: login form
deactivate S
note right of B
user enters
userid and
password
end note
S<-B: credentials
activate S
S->S: check credentials
S->S: generate assertion
S->B: assertion w/redirect
deactivate S
B->IS: get token
activate IS
IS->IS: extract user from assertion
IS->IS: generate token
IS->B: redirect w/token
deactivate IS
B->R: HTTP GET /something (with token)
activate R
note right of R
sees token in
authorization header
end note
R->IS: validate token
activate IS
IS->R: OK
deactivate IS
R->R: extracts userid from token
R->R: checks authorization of\nuser to something
R->B: something
deactivate R
deactivate B
@enduml
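The two flows in the diagram, played out end to end as an added Python example. This is not Alfresco or Keycloak code: each participant is a constructed stand-in, tokens and assertions are HMAC-signed JSON standing in for the JWTs and XML-signed SAML assertions used in production, and the key names, user lists, ACL and redirect location are assumptions made for the example. Beyond what the diagram shows, it makes two checks explicit that a practitioner relies on: the Identity Service verifies the IdP's signature, expiry and audience on the assertion before it extracts the user, and the Repository answers 401 for a token whose signature or expiry fails and 403 when the user is valid but not authorized for `/something`.

```python
# Constructed simulation of saml-is-flow.puml; every class is a stand-in, not Alfresco/Keycloak code.
import base64
import hashlib
import hmac
import json
import time

IS_KEY = b"constructed-identity-service-key"   # assumed key shared by Identity Service and Repository
IDP_KEY = b"constructed-saml-idp-key"          # assumed key shared by SAML IdP and Identity Service
TTL = 300                                      # assumed lifetime (seconds) of tokens and assertions

def _sign(payload, key):
    """HMAC-signed 'body.mac' blob, standing in for a JWT or a signed SAML assertion."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(blob, key):
    """Payload if signature and expiry check out, else None."""
    body, _, mac = blob.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                            # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload.get("exp", 0) > time.time() else None   # None when expired

class SamlIdp:                                 # "SAML IdP": check credentials, generate assertion
    def __init__(self, users):
        self.users = users
    def login(self, userid, password):
        if self.users.get(userid) != password:
            return None                        # login form rejects the user
        return _sign({"subject": userid, "audience": "identity-service",
                      "exp": time.time() + TTL}, IDP_KEY)

class IdentityService:                         # "Identity Service": issue and validate tokens
    def __init__(self, users):
        self.users = users
    def _issue(self, userid):
        return _sign({"sub": userid, "exp": time.time() + TTL}, IS_KEY)
    def login(self, userid, password):         # flow without SAML: "check credentials"
        return None if self.users.get(userid) != password else self._issue(userid)
    def token_from_assertion(self, assertion): # flow with SAML: "extract user from assertion"
        # The check the diagram leaves implicit: verify the IdP's signature, expiry and
        # audience before trusting the subject named in the assertion.
        claims = _verify(assertion, IDP_KEY)
        if claims is None or claims.get("audience") != "identity-service":
            return None
        return self._issue(claims["subject"])
    def validate(self, token):                 # "validate token": claims, or None
        return _verify(token, IS_KEY)

class Repository:                              # "Repository": gate /something behind the token
    def __init__(self, identity_service, acl):
        self.identity_service = identity_service
        self.acl = acl                         # path -> set of userids allowed to read it
    def get(self, path, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):     # "sees no authorization header"
            return {"status": 302, "location": "/identity/authenticate"}
        claims = self.identity_service.validate(auth[len("Bearer "):])
        if claims is None:                     # bad signature or expired token
            return {"status": 401}
        userid = claims["sub"]                 # "extracts userid from token"
        if userid not in self.acl.get(path, set()):   # "checks authorization of user"
            return {"status": 403}
        return {"status": 200, "body": f"{path} for {userid}"}

def browser_flow(repo, identity_service, userid, password, idp=None):
    """Browser's side of either flow: redirect, login, retry with the token.  Without idp the
    Identity Service checks the password; with idp the SAML IdP does and IS swaps assertion for token."""
    if repo.get("/something", {})["status"] != 302:
        raise RuntimeError("expected a redirect to the Identity Service")
    if idp is None:
        token = identity_service.login(userid, password)
    else:
        assertion = idp.login(userid, password)
        token = identity_service.token_from_assertion(assertion) if assertion else None
    if token is None:
        return {"status": 401}                 # credentials rejected, no token issued
    return repo.get("/something", {"Authorization": "Bearer " + token})

def demo():
    """Every path, including the failure modes, as a name -> outcome map."""
    idp = SamlIdp({"alice": "pw-alice"})       # constructed users and ACL
    ids = IdentityService({"bob": "pw-bob", "carol": "pw-carol"})
    repo = Repository(ids, {"/something": {"alice", "bob"}})
    forged = _sign({"subject": "alice", "audience": "identity-service",
                    "exp": time.time() + TTL}, b"attacker-key")
    tampered = ids.login("bob", "pw-bob").partition(".")[0] + "." + "0" * 64
    return {
        "no_header": repo.get("/something", {})["status"],
        "local_ok": browser_flow(repo, ids, "bob", "pw-bob")["status"],
        "local_bad_password": browser_flow(repo, ids, "bob", "wrong")["status"],
        "saml_ok": browser_flow(repo, ids, "alice", "pw-alice", idp=idp)["status"],
        "saml_forged_assertion": ids.token_from_assertion(forged),
        "tampered_token": repo.get("/something", {"Authorization": "Bearer " + tampered})["status"],
        "not_authorized": browser_flow(repo, ids, "carol", "pw-carol")["status"],
    }
```

`demo()` runs each path once: the first request without a header redirects (302), both successful flows end in 200, a wrong password never reaches the Repository, an assertion signed with a key the Identity Service does not hold is refused before any user is extracted, a token with a forged MAC is rejected at "validate token" (401), and a valid token for a user outside the ACL fails at "checks authorization" (403). The symmetric keys are only a convenience for a self-contained script; in production the Identity Service signs tokens with a private key and the Repository validates them with the published public key or by introspection, as the diagram's `R->IS: validate token` step indicates.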