Versions Compared

Old Version 41

changes.mady.by.user Kevin Minder

Saved on

compared with

New Version 42

changes.mady.by.user Kevin Minder

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
PlantUML
border1
titleWeb UI SSO Flow (SAML)
hide footbox
autonumber
 
participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui #lime
participant "Knox\nTS/SSO" as sso #lime
participant "SAML IdP\n(eg Shibboleth)" as idp
 
activate cli
cli -> ui: /view.GET()
note right: User/browser makes request to UI without valid token\nAuthFilter in UI detectes no/invalid token redirects to KnoxTS/SSO preserving ui-origin-url
  activate ui
  cli <-- ui: redirect302(SSO:/login,ui-origin-url)
  'note right: AuthFilter in UI detectes no/invalid token redirects to KnoxTS/SSO preserving ui-origin-url
  deactivate ui
cli -> sso: /login.GET(ui-origin-uil)
  note right: Browser follows redirect\nKnoxTS/SSO finds no/invalid token,\nredirects to SAML IdP preserving knox-origin-url with encoded ui-origin-uri
  activate sso
  cli <-- sso: redirect302(IdP:/login,knox-origin-url)
  'note right: KnoxTS/SSO finds no/invalid token,\nredirects to SAML IdP preserving knox-origin-url with encoded ui-origin-uri
  deactivate sso
cli -> idp: /login.GET(knox-origin-url)
  note right: Browser follows redirect\nSAML IdP presents login form to user
  activate idp
  cli <-- idp: ok200(form)
  'note right: SAML IdP presents login form to user
  deactivate idp
cli -> idp: /login.POST(username,password)
note right: User provides credentials to IdP via login form.\nSAML IdP validates credentials.\nIdP redirects back to knox-origin-url with SAML Bearer token in headers
  activate idp
  cli <-- idp: redirect302(knox-origin-url,saml-bearer-token)
  'note right: IdP redirects back to knox-origin-url with SAML Bearer token in headers
  deactivate idp
cli -> sso: /login.GET(saml-bearer-token)
  note right: Knox converts SAML Bearer Token to a normalized JWT Bearer Token\nand extracts ui-origin-url from knox-origin-url\nKnox redirects client back to ui-origin-url with JWT Bearer token in cookie
  activate sso
  cli <-- sso: redirect302(ui-origin-url,jwt-bearer-token-cookie)
  'note right: Knox redirects client back to ui-origin-url with JWT Bearer token in cookie
  deactivate sso
cli -> ui: /view.GET(jwt-bearer-token-cookie)
note right: Browser follows redirect to ui-origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter in UI\nRequest processes and response returned to client.
  activate ui
  cli <- ui: ok200(response)
  'note right: Request processes and response returned to client.
  deactivate ui
deactivate cli
 

...