An SSO system comprises multiple SPs and a single IdP. The role of each SP is to provide SSO access to its resources. For this purpose, each SP shares a part of its functionality with the IdP. The role of the IdP is to organize SSO to the resources of the SPs. It controls all SSO-related data flows between the participants of an SSO system.
To be part of an SSO system, the SPs and the IdP must be able to perform the functions appropriate to their roles. For details on these functions, refer to the Functions of SSO system Participants section.
As previously mentioned, the participants of an SSO system exchange SSO-related data by means of the IdP. This communication can be divided into three separate data flows. The first is related to user authentication, the second to FI management, and the third to single logout. The models describing these data flows are given, respectively, in the sections How SSO Works, FI Management Operations and What Single Logout Is and How It Is Achieved.
To exchange SSO-related data with the IdP, an SP must use specific programming interfaces. For details on which interfaces each SP must provide and consume, refer to the Integrating Into SSO system chapter.