Single sign-on workflow

Before an application can start, the SSO delegate process passes through various stages of communication with the identity provider (IdP) to authenticate the user.

Figure: SSO workflow to start the application

The diagram shows the communication flow from the user agent to the IdP via the SSO delegate service to the start of the application. The steps are detailed in the text.
The diagram represents the process of starting an application performing SSO with the GAS. The workflow is illustrated at a high level showing the components involved. The communication paths that are numbered (1 to 7) are explained as follows:
  1. User agent requests the start of an application of the form /ua/r.
  2. The SSO delegate service redirects the user agent to the IdP defined in the configuration file (xcf).
  3. The IdP queries the user agent directly for user login and password.
    Note: Step 3 may not happen if the IdP recognizes an user already registered in a previous SSO login session
  4. If the login is ok, depending on the protocol, the IdP may create SSO tokens in its local database and then redirect the user agent to the SSO delegate service callback URL (previously registered).
  5. On the incoming /callback URL, the delegate service requests the token directly from the IdP and checks its signature validity via the IdP's public key.
  6. If the token is valid, the delegate service sets a temporary cookie for the initial /ua/r application URL and redirects the user agent to that URL.
  7. If the temporary cookie is valid, the ua/r application is started on behalf of the authenticated user.
Note: Once the application has started, it may receive an access token to query some REST services that the authenticated users has access to.