Multi-Provider SSO (SAML) IdP authentication flow
- Updated Jan 30, 2025
- Yokohama
- Platform Security
Describes the different entities that can authenticate a user through SAML Multi-SSO.
You can follow the authentication flow to understand when each entity authenticates a user using Multi-SSO.


- Local DB
  - If Multi-SSO is not enabled, authentication is directed to a local DB.
- SAML SSO Cookie IdP
  - If a SAML SSO cookie exists, the IdP specified by this cookie authenticates the user.
- Auto-redirect IdP
  - If the auto-redirect IdP is enabled, this IdP authenticates the user.
- Federated IdP
  - If the user's browser is redirected to the external authorization (login_locate_sso.do) login screen, and the user exists in the user table with the IdP set in the SSO Source field as federation: xxx, then the federated IdP authenticates the user.
- Associated IdP
  - If the user's browser is redirected to the external authorization (login_locate_sso.do) login screen, and the user exists in the user table with the IdP set in the SSO Source field as sso: xxx, then the associated IdP authenticates the user.
- Auto-provisioning IdP
  - If the user's browser is redirected to the external authorization (login_locate_sso.do) login screen, and the user does not exist in the user table, but auto-provisioning is enabled, then the auto-provisioning IdP authenticates the user.
  - Note: If more than one auto-provisioning IdP is enabled, the user can choose which auto-provisioning IdP to use.
- Default IdP
  - If the user's browser is redirected to the external authorization (login_locate_sso.do) login screen, and the user either:
    - Does not exist in the user table, auto-provisioning is not enabled, and there is an active default IdP
    - Exists in the user table, an IdP is not specified on the SSO source user or company record, and there is an active default IdP
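
The flow above written as a decision function and run over a few user records, as an added example that is not ServiceNow code. It assumes the checks are evaluated in the order listed; the `cfg` and `req` objects and their field names are hypothetical, and `ssoSource` stands for the effective SSO Source value from the user or company record.

```javascript
// Added illustration; cfg/req field names are hypothetical, not ServiceNow APIs.
// Assumption: the checks are evaluated in the order the page lists them.
function parseSsoSource(value) {
  // SSO Source values on the page look like "federation: xxx" or "sso: xxx".
  const m = /^\s*(federation|sso)\s*:\s*(\S+)\s*$/.exec(value || "");
  return m ? { kind: m[1], idp: m[2] } : null;
}

function resolveAuthenticator(cfg, req) {
  if (!cfg.multiSsoEnabled) return { entity: "Local DB" };
  if (req.ssoCookieIdp) return { entity: "SAML SSO Cookie IdP", idp: req.ssoCookieIdp };
  if (cfg.autoRedirectIdp) return { entity: "Auto-redirect IdP", idp: cfg.autoRedirectIdp };
  // From here on the browser is at the login_locate_sso.do screen.
  const user = req.user; // null when the user is not in the user table
  if (user) {
    const src = parseSsoSource(user.ssoSource);
    if (src && src.kind === "federation") return { entity: "Federated IdP", idp: src.idp };
    if (src && src.kind === "sso") return { entity: "Associated IdP", idp: src.idp };
  } else if (cfg.autoProvisioningIdps.length > 0) {
    // More than one enabled: the user chooses, so return every candidate.
    return { entity: "Auto-provisioning IdP", choices: cfg.autoProvisioningIdps };
  }
  if (cfg.defaultIdp) return { entity: "Default IdP", idp: cfg.defaultIdp };
  return { entity: "unresolved" }; // the page does not describe this case
}

// Constructed sample configuration and user records.
const sampleCfg = { multiSsoEnabled: true, autoRedirectIdp: null,
  autoProvisioningIdps: ["idp_a", "idp_b"], defaultIdp: "idp_default" };
const sampleUsers = [
  { name: "alice", ssoSource: "federation: idp_fed" },
  { name: "bob", ssoSource: "sso: idp_a" },
  { name: "carol", ssoSource: "" }, // no IdP specified
];

// Group existing users by the entity that would authenticate them.
function auditUsers(cfg, users) {
  const out = {};
  for (const u of users) {
    const r = resolveAuthenticator(cfg, { ssoCookieIdp: null, user: u });
    (out[r.entity] = out[r.entity] || []).push(u.name);
  }
  return out;
}
console.log(auditUsers(sampleCfg, sampleUsers));
```

Grouping users this way shows which accounts carry no SSO Source value and would therefore be handled by the default IdP.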