PlantUML (detailed flow, with notes)

```plantuml
hide footbox
autonumber
participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui #chartreuse
participant "Knox\nTS/SSO" as sso #chartreuse
participant "SAML\nIdP" as idp
activate cli
cli -> ui: /view.GET()
note right: User/browser makes request to UI without valid token
activate ui
cli <-- ui: redirect302(SSO:/login,ui-origin-url)
note right: AuthFilter in UI detects no/invalid token, redirects to KnoxTS/SSO preserving ui-origin-url
deactivate ui
cli -> sso: /login.GET()
note right: Browser follows redirect. Knox finds no/invalid token,\nredirects to IdP preserving ui-origin-url and ts-origin-url
activate sso
' the original had "cli <-- ui" here; the note and the deactivate show the reply comes from Knox SSO
cli <-- sso: redirect302(IdP:/login,ui-origin-url,ts-origin-url)
note right: Knox forwards request to SAML IdP preserving origin URLs
deactivate sso
cli -> idp: /login.GET()
note right: Browser follows redirect
activate idp
cli <-- idp: ok200(form)
note right: SAML IdP presents login form to user
deactivate idp
cli -> idp: /login.POST(username,password)
note right: User provides credentials to IdP via login form
activate idp
cli <-- idp: redirect302(SSO:/login,saml-bearer-token,ts-origin-url)
note right: IdP redirects back to Knox with SAML Bearer token in headers
deactivate idp
cli -> sso: /login.GET(saml-bearer-token,ui-origin-url)
note right: Knox converts SAML Bearer Token to a normalized JWT Bearer Token
activate sso
cli <-- sso: redirect302(ui-origin-url):jwt-bearer-token-cookie
note right: Knox redirects client back to ui-origin-url with JWT Bearer token in cookie
deactivate sso
cli -> ui: /view.GET(jwt-bearer-token-cookie)
note right: Browser follows redirect to ui-origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter
activate ui
cli <- ui: ok200(response)
note right: Response returned to client.
deactivate ui
deactivate cli
```
PlantUML (condensed flow)

```plantuml
hide footbox
autonumber
participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui
participant "Knox\nTS/SSO" as sso
participant "SAML\nIdP" as idp
activate cli
cli -> ui: page.GET()
activate ui
cli <-- ui: redirect(IDP.login)
deactivate ui
cli -> idp: login.GET()
activate idp
cli <-- idp: form
deactivate idp
cli -> idp: form.POST(username,password)
activate idp
cli <-- idp: redirect(SSO.translate):saml-bearer-token
deactivate idp
cli -> sso: translate.GET(saml-bearer-token)
activate sso
cli <-- sso: redirect(WebUI.page):jwt-bearer-token-cookie
deactivate sso
cli -> ui: page.GET(jwt-bearer-token-cookie)
activate ui
cli <- ui: response
deactivate ui
deactivate cli
```
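The redirect chain in both diagrams, as an added Python model that is not Knox's own code: the WebUI AuthFilter, the SSO step that mints the JWT cookie after the SAML login, and the origin-URL allowlist that keeps the SSO from becoming an open redirector. The HS256 cookie, the `originalUrl` query parameter and the host names are constructed assumptions; the IdP form exchange is not modelled.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-key"           # stand-in for the SSO signing key (assumption)
ALLOWED_ORIGIN_HOSTS = {"nn.example.org"}  # hosts the SSO may redirect back to (assumption)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(subject: str, ttl: int = 300) -> str:
    """SSO side: mint the normalized JWT once the SAML bearer token was accepted."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": subject, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt(token: str):
    """AuthFilter side: constant-time signature check, then expiry. Returns subject or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError):
        return None

def auth_filter(cookies: dict, request_url: str):
    """WebUI AuthFilter: no/invalid cookie -> 302 to SSO preserving ui-origin-url."""
    subject = validate_jwt(cookies.get("jwt-bearer-token", ""))
    if subject:
        return 200, subject
    return 302, "https://sso.example.org/login?" + urlencode({"originalUrl": request_url})

def sso_login(saml_subject: str, ui_origin_url: str):
    """Knox SSO after the IdP redirect: refuse unknown origins, else set cookie and bounce back."""
    if urlparse(ui_origin_url).hostname not in ALLOWED_ORIGIN_HOSTS:
        return 400, None
    return 302, {"location": ui_origin_url, "set_cookie": issue_jwt(saml_subject)}

def run_flow(ui_origin_url: str = "https://nn.example.org/view"):
    """Walk the diagram: UI 302 -> SSO recovers origin -> SSO issues cookie -> UI accepts it."""
    status1, sso_url = auth_filter({}, ui_origin_url)              # no cookie yet
    origin = parse_qs(urlparse(sso_url).query)["originalUrl"][0]   # SSO recovers ui-origin-url
    status2, resp = sso_login("alice", origin)                     # IdP login assumed done
    status3, subject = auth_filter({"jwt-bearer-token": resp["set_cookie"]}, origin)
    return status1, status2, status3, subject
```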
...