SAML Flows

When talking about SAML flows, Curity considers the protocol through which ultimately an assertion is transmitted to the SAML Service Provider. The SAML Web Browser SSO profile defines different mechanisms (bindings) to transfer messages between the SAML Identity Provider and the SAML Service Provider. The Curity Identity Server SAML IDP Service supports the following bindings:

Request Bindings:

  • HTTP Redirect Binding: The SAML Service Provider can send a SAML authentication request to the SAML IDP Service using an HTTP redirect.
  • HTTP POST Binding: The SAML Service Provider can send a SAML authentication request to the SAML IDP Service using an HTTP POST.

Response Bindings:

  • HTTP Redirect Binding: The SAML IDP Service can send a SAML response to the SAML Service Provider using an HTTP redirect.
  • HTTP POST Binding: The SAML IDP Service can send a SAML response to the SAML Service Provider using an HTTP POST.

Note that the Web Browser SSO profile also defines the Artifact Binding; this is not supported by the SAML IDP Service in this version of the Curity Identity Server.

As these flows operate completely inside the web browser, there is no client authentication involved, and SAML messages (including the Response message that contains an Assertion) are sent through the browser.

On the profile it is possible to define which request and response bindings are supported. The SAML IDP Service will then only accept requests that use the defined request bindings, and will only send responses using the defined response bindings. Each Service Provider defines the allowed Assertion Consumer Services, which are the endpoints together with a binding that the SAML IDP Service can use to send a response to the Service Provider. The SAML IDP Service will only send responses to these endpoints.