PlantUML
border1
titleWeb UI SSO Flow (SAML)
hide footbox
autonumber

participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui #chartreuse
participant "Knox\nTS/SSO" as sso #chartreuse
participant "SAML\nIdP" as idp
 
activate cli
cli -> ui: /view.GET()
  note right: User/browser makes request to UI without valid token
  activate ui
  cli <--> ui: redirect302(SSO:/login,ui-origin-url)/view.GET()
  activate ui
  note right: AuthFilter in UI detectes no/invalid token redirects to KnoxTS/SSO preserving ui-origin-url
  deactivate ui
cli <->- ssoui: redirect302(SSO:/login.GET(,ui-origin-url)
  deactivate ui

note right: Browser follows redirect. Knox find no/invalid token,\nredirects to IdP preserving ui-origin-url and ts-origin-url 
cli -> sso: /login.GET()
  activate sso
  cli <-- ui: redirect302(IdP:/login,ui-origin-url,ts-origin-url)
  note right: Knox forwards request to SAML IdP preserving origin URLs
  deactivate sso
cli -> idp: /login.GET()
  note right: "Browser follows redirect
  activate idp
  "
cli <--> idp: ok200/login.GET(form)
  activate idp
  note right: "SAML IdP presents login form to user"
  deactivate idp
cli <->- idp: /login.POST(username,passwordok200(form)
  deactivate idp

note right: User provides credentials to IdP via login form
  activate idp
  cli <--> idp: redirect302(SSO:/login,saml-bearer-token,ts-origin-url).POST(username,password)
  activate idp
  note right: IdP redirects back to Knox with SAML Bearer token in headers
  deactivate idp
cli <--> ssoidp: redirect302(SSO:/login.GET(,saml-bearer-token,uits-origin-url)
  deactivate idp

note right: Knox converts SAML Bearer Token to a normalized JWT Bearer Token
  activate sso
  cli <--> sso: redirect302(/login.GET(saml-bearer-token,ui-origin-url):jwt-bearer-token-cookie
  activate sso
  note right: Knox redirects client back to ui-origin-url with JWT Bearer token in cookie
  deactivate sso
cli <->- uisso: /view.GET(redirect302(ui-origin-url):jwt-bearer-token-cookie)
  deactivate sso

note right: Browser follows redirect to ui-origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter
  activate ui
  cli <-> ui: ok200(response)/view.GET(jwt-bearer-token-cookie)
  activate ui
  note right: Response returned to client.
  cli <- ui: ok200(response)
  deactivate ui

deactivate cli
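Review bot: The redirect chain carries `ui-origin-url` and `ts-origin-url` through every hop (the `redirect302(...)` messages at the UI, Knox and IdP steps) and the final Knox step sends the browser back to `ui-origin-url`, yet no step or note shows where that return URL is checked, so the diagram reads as an unvalidated redirect target. If Knox does validate it, make that visible with a note on the Knox redirect step, e.g. `note right: Knox validates ui-origin-url against the configured allow-list before redirecting`, and likewise name the attributes expected on `jwt-bearer-token-cookie` in the note that introduces it, since the diagram currently documents only that the token travels in a cookie. The compare rendering interleaves old and new text on several lines (`ssoui`, `ssoidp`, `uisso`, `passwordok200`), so I could not tell which wording is current; the note with the unmatched quote around `Browser follows redirect` looks like the same artefact rather than a real syntax change.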
 

 

 

PlantUML
border1
' Simplified SAML SSO sequence for a Web UI fronted by Knox.
' Actors: the browser (cli), the Web UI (ui), Knox acting as the
' token-translation / SSO service (sso), and the SAML identity provider (idp).
' NOTE(review): "titleWeb" and "border1" read like a space lost in the page
' rendering ("title Web UI ...", "border 1") - confirm against the macro source.
titleWeb UI SSO Flow (SAML)
hide footbox
autonumber

participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui
participant "Knox\nTS/SSO" as sso
participant "SAML\nIdP" as idp
 
activate cli
' Step 1: unauthenticated page request; the UI answers with a redirect to the IdP login.
cli -> ui: page.GET()
  activate ui
  cli <-- ui: redirect(IDP.login)
  deactivate ui
' Steps 2-3: the IdP serves its login form.
cli -> idp: login.GET()
  activate idp
  cli <-- idp: form
  deactivate idp
' Steps 4-5: credentials are posted to the IdP, which redirects to the Knox
' translate endpoint carrying saml-bearer-token.
cli -> idp: form.POST(username,password)
  activate idp
  cli <-- idp: redirect(SSO.translate):saml-bearer-token
  deactivate idp
' Steps 6-7: Knox exchanges the SAML token for jwt-bearer-token-cookie and
' redirects the browser back to the Web UI page.
' NOTE(review): the diagram does not show where the redirect targets
' (IDP.login, SSO.translate, WebUI.page) are validated - confirm in the
' implementation rather than inferring it from this picture.
cli -> sso: translate.GET(saml-bearer-token)
  activate sso
  cli <-- sso: redirect(WebUI.page):jwt-bearer-token-cookie
  deactivate sso
' Steps 8-9: the browser repeats the page request, now presenting the JWT cookie,
' and receives the response.
cli -> ui: page.GET(jwt-bearer-token-cookie)
  activate ui
  cli <- ui: response
  deactivate ui
deactivate cli

...