SSO message flows

The following diagram shows a simplified message flow for SSO using SAML:

The following sections describe the message flows between API Manager (acting as the SP) and the IdP.

Authentication sequence

When API Manager is configured for SSO, the following events occur during authentication between API Manager and the IdP:

  1. The end user tries to access the API Manager UI using a web browser:
    • For non-SSO login, access the API Manager on the default URL (for example, https://FQDN:8075).
    • For SSO login, access the API Manager on the SSO URL (for example, https://FQDN:8075/api/portal/v1.3/sso/login/).
    Note: The SSO login URL must be used even if the user has already logged in using SSO (for example, if they have already logged in to API Portal or Decision Insight).
  2. API Manager builds a SAML Authentication Request message and sends it to the IdP.
  3. The IdP receives the request and checks if there is an active session for the user.
  4. If no session for this user exists on the IdP, the user is prompted to enter their credentials.
  5. The IdP analyzes the credentials and sends a SAML Response message, asserting that the user is authenticated.
  6. API Manager maps the user's IdP role to an API Manager-specific role. For more information, see Mapping syntax.
  7. The user is presented with the appropriate view of API Manager, depending on their role.
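The checks an SP makes on the SAML Response before it trusts the assertion and maps the IdP role, as an added Python example that is not part of this page or of API Manager's own code. The SP URLs, the `role` attribute name and the role mapping are assumptions, and the sample response is constructed and unsigned; signature verification against the IdP certificate is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP settings: the API Manager SSO login URL that receives the
# response, the SP entity ID, and an assumed IdP-role -> API Manager-role map.
SP_ACS_URL = "https://apimanager.example.com:8075/api/portal/v1.3/sso/login/"
SP_ENTITY_ID = "https://apimanager.example.com:8075/api/portal"
ROLE_MAP = {"apim-admin": "admin", "apim-operator": "operator", "apim-user": "user"}
# Constructed, unsigned sample of the SAML Response the IdP returns to the SP.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" InResponseTo="_req42" Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="role">
      <saml:AttributeValue>apim-operator</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_response(xml_text, expected_request_id, now=None):
    """Checks the SP makes before trusting the assertion; returns (subject, role).
    Assumes the XML signature was already verified against the IdP certificate."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our SSO login URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we issued")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")
    subject = assertion.find("saml:Subject/saml:NameID", NS).text
    idp_role = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS).text
    if idp_role not in ROLE_MAP:
        raise ValueError(f"no API Manager role mapped for IdP role {idp_role!r}")
    return subject, ROLE_MAP[idp_role]
```

Each rejected case (wrong destination, unexpected request ID, expired assertion, wrong audience, unmapped role) is an event worth logging on the SP side, since it indicates either a misconfiguration or a response that was not produced for this login.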

Logout sequence

The logout sequence is as follows when logout is initiated by API Manager:

  1. The end user tries to log out of API Manager by clicking the Logout button in the UI.
  2. API Manager recognizes that the user has an active session, so it generates a SAML Logout Request message and sends it to the IdP.
  3. The IdP removes the user session and returns a SAML Logout Response to the browser.
  4. The browser posts the HTML form containing the SAML Logout Response to the API Manager single logout service URI.
  5. API Manager removes the user session and redirects to the logout redirect URI.
