Google documentation has given a detailed overall process involved login to a hosted Google Application through a partner operated SAML_based SSO service. Just writing down main points got from this below.
Before everything has to take place, the Partner must provide Google with the SSO service URL as well as the public key Google should use to verify the SAML responses.
1. The user attempts to reach a hosted Google Application, such as gmail, start pages, or another Google service
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for partners SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This relayState parameter is meant to be opaque identifier that is passed back without any modification or inspection.
3. Google sends a redirect to the users browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partners SSO service.
4. The parter decodes the SAML request and extracts the URL for both the ACL (Assertion Consumer Service) and the users destination (RelayState parameter). The parterre then authenticate the user. Patterns could authenticate users by either asking for a valid login credentials or by checking for valid session cookies.
5. The Partner generates the SAML Response that contains the authenticated user’s user name. In accordance with the SAML 2.0 spec, the response is digitally singed with the partners public and private DSA/RSA keys.
6.The partner encodes the SAML response and RelayState parameter and returned that information to the users browser The Parter provides a mechanism so that the browser can forward that info to the Google’s ACS.
7. Google’s ACS verifies the SAML response using the parters public key. If the response is successfully verified, ACS redirects the user to the destination URL.
8. The user has been redirected to the destination URL and is logged in to the Google Apps.
References:
No comments:
Post a Comment