SAML Protocol for the REST API

All clients follow a basic message flow to access the REST API using SAML. Whereas CSM acts as both the service provider and the identity provider in OAuth2 protocol, SAML protocol introduces a third-party identity provider.

For information about supported identity providers and the configuration procedure, see Configure the SAML Identity Provider

When a User navigates to the REST API, CSM redirects the User agent to the single sign-on service at the User's identity provider where the User enters his credentials. The User's identity is authenticated by the identity provider. If the authentication is successful, the identity provider returns a SAML assertion to CSM. The assertion indicates that a trusted identity provider successfully authenticated the User so that CSM can proceed to grant access to the REST API. CSM parses the assertion and returns the assertion data to the User agent. The User agent uses the assertion data to make a request to the token operation, and passes data in the request body as shown:

If the request is successful, CSM returns an access token to the User agent. The access token allows the User agent to access the REST API as long as the token remains valid. The following diagram shows the basic SAML message flow:

                                saml/login.cshtml?finalUri=http://localhost/SamlSampleBrowserApp/default.aspx?testQueryParameter=myValueForMySystem
                            

                                <html><body onload='document.forms[""samlResult""].submit()'><form name='samlResult' action='{finalUri}' method='post'><input type='hidden' name='userId' value='{nameId}'><input type='hidden' name='nameQualifier' value='{nameQualifier}'><input type='hidden' name='ticket' value='{ticket}'><input type='hidden' name='result' value='ok'><input type='hidden' name='statusCode' value='{statusCode}'><input type='hidden' name='statusMessage' value='{statusMessage}'></form></body></html>