The implementation of the Proxied Authentication Request interface assumes that your web application/service is able to verify local account credentials sent by the IdP over HTTPS.
In particular, your web application/service must be able to do the following:
For instance, the SP stores the IDs and credentials of its accounts in a database. Additionally, the SP has a handler that receives HTTPS requests from the IdP. Credential verification via the interface is then performed according to the following scheme:
Control is then passed back to the SP, which listens on its interfaces for requests from the IdP.
The handler mentioned in the previous paragraph must accept HTTPS POST requests sent to the URL SP_API_BASE_URL/users. This may require reconfiguring the HTTP server that manages your web application/service.
Note: It is recommended to accept only requests that present a valid IdP certificate.
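One way to write the handler described above in PHP, as an added example that is not the product's proxied_auth.php. It assumes Apache mod_ssl performs the client certificate check (SSLVerifyClient with SSLOptions +StdEnvVars); the POST field names `login` and `password`, the JSON reply shape and the `IDP_CERT_CN` value are hypothetical and must be replaced with what your IdP actually sends.

```php
<?php
// Added example, not the product's proxied_auth.php. Assumed (not from the page):
// POST fields "login"/"password", the JSON reply shape, and IDP_CERT_CN.
declare(strict_types=1);
const IDP_CERT_CN = 'idp.example.test'; // placeholder for your IdP certificate's subject CN

// Decides the reply for one request to SP_API_BASE_URL/users.
// $findHash maps an account ID to its stored password hash, or null if unknown.
function handle_proxied_auth(array $server, array $post, callable $findHash): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, ['error' => 'POST required']];
    }
    // Apache mod_ssl sets these (SSLVerifyClient, SSLOptions +StdEnvVars) once it
    // has validated the client certificate chain against the configured CA.
    $verified = ($server['SSL_CLIENT_VERIFY'] ?? 'NONE') === 'SUCCESS';
    $cn = (string)($server['SSL_CLIENT_S_DN_CN'] ?? '');
    if (!$verified || !hash_equals(IDP_CERT_CN, $cn)) {
        return [403, ['error' => 'valid IdP certificate required']];
    }
    $login = $post['login'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($login) || !is_string($password) || $login === '' || $password === '') {
        return [400, ['error' => 'login and password required']];
    }
    // Unknown accounts are checked against a dummy hash so both failure paths
    // cost the same and return the same reply.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $findHash($login);
    $ok = password_verify($password, $hash ?? $dummy) && $hash !== null;
    return $ok ? [200, ['authenticated' => true]] : [401, ['authenticated' => false]];
}

// Constructed sample data standing in for the SP's account database.
$accounts = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$find = fn(string $id): ?string => $accounts[$id] ?? null;

if (PHP_SAPI === 'cli') { // offline demo with constructed request values
    $idp = ['REQUEST_METHOD' => 'POST', 'SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => IDP_CERT_CN];
    $good = ['login' => 'alice', 'password' => 'correct horse'];
    echo handle_proxied_auth($idp, $good, $find)[0], "\n";
    echo handle_proxied_auth($idp, ['password' => 'wrong'] + $good, $find)[0], "\n";
    echo handle_proxied_auth(['SSL_CLIENT_VERIFY' => 'NONE'] + $idp, $good, $find)[0], "\n";
} else {
    [$status, $body] = handle_proxied_auth($_SERVER, $_POST, $find);
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

Run from the command line, the demo prints the status for a valid IdP request, a wrong password, and a request without a verified certificate; served over HTTPS, the same function answers the live request.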
The source code that illustrates the interface implementation is stored in
For the step-by-step commented source code of proxied_auth.php, refer to the Sample section.