The implementation of the Authentication Request protocol assumes that your web application/service is able to send, receive and process specific SAML messages.
In particular, your web application/service must be able to do the following:
The code that implements this protocol must include a request handler and a SAML engine. The handler processes every request for an SP resource and checks whether a local session is already open for the user. The SAML engine sends SAML messages to the IdP, receives the responses, validates and processes them, and passes the result to the SP logic.
The handler and SAML engine must interact according to the following scheme:
For details on what the SP must do next, refer to the How SSO Works section.
The handler mentioned in the previous paragraph must intercept all requests for SP resources. All SAML messages issued by the SAML engine must be sent to
IDP_API_BASE_URL stands for the base URL of all IdP interfaces. Placing the handler in front of every SP resource may require reconfiguration of the HTTP server that serves your web application/service.
The IDP_API_BASE_URL value is stored in the IdP settings (parameter api_url) kept at the SP side. For details on which IdP settings are stored at the SP side, refer to the IdP Interfaces > Back Channel Interfaces > Configuration of SP in IdP > Registering SP in IdP section of the Specification.
All SAML messages from the IdP (in response to the SP's messages) are sent to the URL defined in the Destination parameter of the request SAML message. The SP endpoint that receives a <Response> must check that the message's Destination attribute matches the URL at which it was actually received (the SAML Specification requires this check) and that its InResponseTo attribute references an <AuthnRequest> the SP itself issued; otherwise a response could be replayed into an unrelated session.
Only two types of SAML messages can be sent to these endpoints: <AuthnRequest> and <Response>. Their structure is regulated by the SAML Specification (sections 3.4.1 Element <AuthnRequest> and 3.3.3 Element <Response>). For details on the message structure, refer to the SAML Messages Structure section.
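The following Python sketch is an added illustration of the handler/SAML-engine split described above and of the two messages exchanged at the endpoints; it is not part of this Specification nor of the auth.php sample. The IdP and SP settings (api_url, entity_id, acs_url), the in-memory session dictionary, the "send_to_idp" action tuple and the constructed IdP <Response> are all assumptions made for the example. It deliberately stops at the checks the text calls for (Destination, InResponseTo, status, NameID); a production SP must additionally verify the IdP's XML signature and use a hardened XML parser.

```python
"""Request handler + SAML engine sketch for the Authentication Request protocol (example only)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# IdP settings stored at the SP side; api_url plays the role of IDP_API_BASE_URL (value assumed).
IDP_SETTINGS = {"api_url": "https://idp.example.test/api"}
# SP settings (assumed). acs_url is the SP endpoint where the IdP delivers <Response>.
SP_SETTINGS = {"entity_id": "https://sp.example.test/metadata",
               "acs_url": "https://sp.example.test/saml/acs"}


class SamlError(Exception):
    """Raised when an inbound <Response> fails validation."""


class SamlEngine:
    """Builds <AuthnRequest> messages and validates <Response> messages from the IdP."""

    def __init__(self, idp_settings, sp_settings):
        self.idp_url = idp_settings["api_url"]
        self.sp = sp_settings
        self.pending = {}  # outstanding request ID -> resource the user originally asked for

    def build_authn_request(self, resource):
        req_id = "_" + secrets.token_hex(16)          # unpredictable ID, later matched by InResponseTo
        self.pending[req_id] = resource
        issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        xml = (
            f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" Destination="{self.idp_url}" '
            f'AssertionConsumerServiceURL="{self.sp["acs_url"]}">'
            f'<saml:Issuer>{self.sp["entity_id"]}</saml:Issuer></samlp:AuthnRequest>'
        )
        return req_id, xml

    def process_response(self, xml, received_at):
        root = ET.fromstring(xml)
        if root.tag != f'{{{NS["samlp"]}}}Response':
            raise SamlError("not a <Response>")
        # Destination must name the endpoint the message actually arrived at.
        if root.get("Destination") != received_at:
            raise SamlError("Destination does not match the receiving endpoint")
        # InResponseTo must reference an <AuthnRequest> this SP issued (consumed once).
        resource = self.pending.pop(root.get("InResponseTo"), None)
        if resource is None:
            raise SamlError("InResponseTo does not match an outstanding <AuthnRequest>")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != STATUS_SUCCESS:
            raise SamlError("IdP reported failure")
        name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise SamlError("no NameID in assertion")
        return {"user": name_id.text, "resource": resource}


class RequestHandler:
    """Sits in front of every SP resource and delegates SAML work to the engine."""

    def __init__(self, engine):
        self.engine = engine

    def handle(self, path, session):
        if "user" in session:                          # local session open: serve directly
            return ("serve", path)
        _, authn_xml = self.engine.build_authn_request(path)
        return ("send_to_idp", self.engine.idp_url, authn_xml)   # transport is out of scope here

    def handle_response(self, xml, session):
        result = self.engine.process_response(xml, SP_SETTINGS["acs_url"])
        session["user"] = result["user"]               # open the local session
        return ("serve", result["resource"])


def make_constructed_idp_response(in_response_to, destination, user, status=STATUS_SUCCESS):
    """Constructed stand-in for the IdP's <Response>; a real one is signed by the IdP."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}" Destination="{destination}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'<saml:Assertion><saml:Subject><saml:NameID>{user}</saml:NameID>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )


def is_rejected(engine, xml, received_at):
    try:
        engine.process_response(xml, received_at)
        return False
    except SamlError:
        return True


def demo():
    """Full round trip: unauthenticated request -> AuthnRequest -> Response -> served resource."""
    engine = SamlEngine(IDP_SETTINGS, SP_SETTINGS)
    handler = RequestHandler(engine)
    session = {}
    first = handler.handle("/reports/q1", session)
    req_id = ET.fromstring(first[2]).get("ID")
    served = handler.handle_response(
        make_constructed_idp_response(req_id, SP_SETTINGS["acs_url"], "alice"), session)
    second = handler.handle("/reports/q2", session)   # session is now open
    return first, served, second


if __name__ == "__main__":
    print(demo())
```

The engine keeps the set of outstanding request IDs so that each <Response> is accepted at most once and only for a request the SP really sent; the Destination comparison uses the URL of the endpoint that received the message, not anything taken from the message itself.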
The source code that illustrates the protocol implementation is in
For details on the correspondence between the scenario steps and auth.php code fragments, refer to the Sample section.