PlantUML

```plantuml
@startuml
hide footbox
autonumber
participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui #chartreuse
participant "Knox\nTS/SSO" as sso #chartreuse
participant "SAML\nIdP" as idp
activate cli
cli -> ui: /view.GET()
note right: User/browser makes request to UI without valid token
activate ui
cli <-- ui: redirect302(SSO:/login)
note right: AuthFilter in UI detects no/invalid token, redirects to Knox
deactivate ui
cli -> sso: /login.GET()
note right: Browser follows redirect
activate sso
cli <-- sso: redirect302(IdP:/login)
note right: Knox forwards request to SAML IdP including origin URLs
deactivate sso
cli -> idp: /login.GET()
note right: Browser follows redirect
activate idp
cli <-- idp: ok200(form)
note right: SAML IdP presents login form to user
deactivate idp
cli -> idp: /login.POST(username,password)
note right: User provides credentials to IdP via login form
activate idp
cli <-- idp: redirect302(SSO:/login,saml-bearer-token,origin-url)
note right: IdP redirects back to Knox with SAML Bearer token in headers
deactivate idp
cli -> sso: /login.GET(saml-bearer-token,origin-url)
note right: Knox converts SAML Bearer Token to a normalized JWT Bearer Token
activate sso
cli <-- sso: redirect302(origin-url):jwt-bearer-token-cookie
note right: Knox redirects client back to origin-url with JWT Bearer token in cookie
deactivate sso
cli -> ui: /view.GET(jwt-bearer-token-cookie)
note right: ClientBrowser follows redirect to origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter
activate ui
cli <-- ui: ok200(response)
note right: Response returned to client.
deactivate ui
deactivate cli
@enduml
```
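The AuthFilter's side of the flow (messages 1-2 and 11-12), as an added example that is not part of the original page and not Knox's own code. Assumptions: the cookie name `hadoop-jwt`, the `originalUrl` query parameter, the example hosts, and an HS256 shared secret standing in for whatever signature scheme the deployment uses.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote

# Assumptions (not from the page): cookie name, SSO login URL and secret are
# placeholders; HS256 stands in for the deployment's real signature scheme.
COOKIE = "hadoop-jwt"
SSO_LOGIN = "https://knox.example.com/gateway/knoxsso/api/v1/websso"
SECRET = b"constructed-demo-secret"

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint(claims, alg="HS256", key=SECRET):
    """Constructed test helper playing Knox's role in message 10."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def validate(token, now=None):
    """Return the claims if the token is acceptable, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin alg; rejects "none"
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(b64d(body))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
            return None  # missing or expired "exp" is treated as invalid
        return claims
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token: fail closed

def auth_filter(url, cookies, now=None):
    """Messages 1-2 and 11-12: serve on a valid token, else redirect to SSO."""
    claims = validate(cookies.get(COOKIE, ""), now)
    if claims is None:
        # Origin URL is fully percent-encoded so it survives as one parameter.
        return 302, f"{SSO_LOGIN}?originalUrl={quote(url, safe='')}"
    return 200, claims.get("sub")
```

The filter fails closed: a missing cookie, a bad signature, an unexpected `alg`, or an expired token all produce the same redirect to the SSO login.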
...