Describes the different entities that can authenticate a user through the SAML
multi-SSO.
You can follow the authentication flow to understand when an entity authenticates a user using
Multi-SSO.
- Local DB
- If Multi-SSO is not enabled, authentication directs to a local DB.
- SAML SSO Cookie IdP
- If a SAML SSO cookie exists, the IdP which is specified with this cookie authenticates the
user.
- Auto-redirect IdP
- If the auto-redirect IdP is enabled, this IdP authenticates the user.
- Federated IdP
- If the user browser is redirected to the external authorization (login_locate_sso.do) login
screen, and the user exists in the user table with the IdP set in the SSO
Source field as federation: xxx, then the federated IdP authenticates the
user.
- Associated IdP
- If the user browser is redirected to the external authorization (login_locate_sso.do) login
screen, and the user exists in the user table with the IdP set in the SSO
Source field as sso: xxx, then the associated IdP authenticates the user.
- Auto-provisioning IdP
- If the user browser is redirected to the external authorization (login_locate_sso.do) login
screen, and the user does not exist in the user table, but auto-provisioning is enabled, then
the auto-provisioning IdP authenticates the user.
Note: If there is more than one
auto-provisioning IdP enabled, the user can choose the auto-provisioning IdP they can
use.
- Default IdP
- If the user browser is redirected to the external authorization (login_locate_sso.do) login
screen, and the user either:
- Does not exist in the user table, auto-provisioning is not enabled, and there is an active
default IdP
- Exists in the user table, an IdP is not specified on the SSO source user or company
record, and there is an active default IdP
then the default IdP authenticates the user.
