Configuration Guides › Federation Security Services Guide › Authenticate SAML 1.x Users at a Consumer › SAML 1.x Authentication Schemes › SAML 1.x POST Profile Authentication Scheme Overview

SAML 1.x POST Profile Authentication Scheme Overview

The following illustration shows how the SAML 1.x POST profile authentication scheme processes requests.

Note: The SPS federation gateway or the Web Agent Option Pack provide the SAML Credential Collector functionality.

Unless otherwise stated, the following process takes place at the consumer site:

1. A browser posts an HTML form to the SAML credential collector URL. This form contains a SAML response message and the address of the target URL, originally generated at the producer.
2. The SAML credential collector contacts the Policy Server to determine whether the target resource is protected.
3. The Policy Server replies that the SAML POST profile authentication scheme protects the target URL. A signed response from the POSTed form is the expected credential for the login call.
4. The SAML credential collector makes a login call to the Policy Server, passing the digitally signed SAML response as credentials.
5. The SAML POST profile authentication scheme verifies the signature and other fields of the response and the assertion.
6. If the checks succeed and the user is found in the directory, then authentication succeeds. If any of the checks fail, authentication fails.
7. The SAML credential collector creates an SMSESSION cookie, which it puts in the browser, and then redirects the user to the target resource. If the login fails, the credential collector redirects the user to the configured No Access URL.