A simple SAML application built with opensaml and pac4j to understand the SAML webflow.
An example SAML authentication webflow:
There are three parties involved in the authentication: the user's browser, the Service Provider (SP), which is saml-example here, and the Identity Provider (IDP). The IDP can be any SAML 2.0 identity provider.
The negotiation looks like this:
First, note that the SP and IDP never directly interact. All the requests go from browser to SP or browser to IDP.
Request 1 is to a secure resource on the SP. The SP doesn't have an authenticated session for the browser, so it returns a special "SAML Login 1" response. This is generated by pac4j and opensaml in saml-example. The response is a form that auto-submits itself (request 2) to the IDP. The form includes a SAMLRequest parameter that encodes the SP's identity.
The IDP determines the user is not yet authenticated, and presents a login form where the user enters their IDP creds (requests 3 and 4).
The response to the successful login is another auto-submitting form, this time with a SAMLResponse parameter. This is auto-submitted to the SP callback URL.
When the form is submitted the SP decodes the SAMLResponse and gets the user credentials and profile. Done!
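The exchange above in miniature, as an added example (Python, not code from saml-example, pac4j or opensaml): the SP builds the SAMLRequest for request 2, a constructed and unsigned stand-in for the IDP's SAMLResponse is produced, and the SP callback decodes it and applies the checks a practitioner would want before trusting the profile (InResponseTo matches a pending request, Destination is our callback, status is Success, the assertion is within its validity window and addressed to this SP). The SP entity ID "saml-example" and callback URL are assumed values; XML signature verification, which opensaml performs in the real application, is not shown.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces plus this SP's identity and callback URL (assumed values for this example).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID, SP_CALLBACK = "saml-example", "https://sp.example.test/callback"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_authn_request(request_id, issue_instant):
    """Request 2: base64 AuthnRequest carried in the SAMLRequest form field; its Issuer names the SP."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant}" AssertionConsumerServiceURL="{SP_CALLBACK}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()

def make_idp_response(in_response_to, not_before, not_on_or_after, name_id):
    """Constructed stand-in for the IDP's SAMLResponse form field (unsigned, for illustration only)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'InResponseTo="{in_response_to}" Destination="{SP_CALLBACK}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>{name_id}@example.test'
           f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check(ok, msg):
    if not ok:
        raise ValueError(msg)

def validate_response(saml_response, pending_ids, now):
    """SP callback: decode the SAMLResponse and accept it only if it answers a request this SP issued, is
    addressed to this SP and lies within its validity window. Signature checking (opensaml's job) is assumed done."""
    root = ET.fromstring(base64.b64decode(saml_response))
    check(root.get("InResponseTo") in pending_ids, "unsolicited or replayed response")
    pending_ids.discard(root.get("InResponseTo"))  # each request ID may be answered only once
    check(root.get("Destination") == SP_CALLBACK, "response not addressed to our callback URL")
    check(root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "IDP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML timestamps are UTC
    check(ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")), "assertion outside validity window")
    check(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
          "assertion issued for a different SP")
    profile = {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        profile[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return profile
```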
See README-keycloak.md for using this example with Keycloak.