```plantuml
@startuml
autonumber
hide footbox
participant "Browser" as cli
participant "WebUI\n(eg NN UI)" as ui #lime
participant "Knox\nTS/SSO" as sso #lime
participant "SAML IdP\n(eg Shibboleth)" as idp

activate cli
cli -> ui: GET(ui-origin-url)
note right: User/browser makes request to UI without a valid token
activate ui
cli <-- ui: redirect302(knox-sso, ui-origin-url)
note right: AuthFilter in UI detects no/invalid token and redirects to\nKnoxSSO, preserving ui-origin-url
deactivate ui

cli -> sso: GET(knox-sso + ui-origin-url)
note right: Browser follows redirect
activate sso
cli <-- sso: redirect302(idp-login-ui)
note right: KnoxSSO finds no/invalid token and redirects to the SAML IdP,\nremembering ui-origin-url in its original-url cookie
deactivate sso

cli -> idp: GET(idp-login-ui)
note right: Browser follows redirect
activate idp
cli <-- idp: ok200(idp-login-ui)
note right: SAML IdP presents login form to user
deactivate idp

cli -> idp: POST(idp-login-ui, credentials)
note right: User provides credentials to IdP via login form.\nSAML IdP validates credentials.
activate idp
cli <-- idp: redirect(knox-sso, saml-assertion)
note right: IdP redirects back to KnoxSSO with the SAML assertion\ncarried in a form POST
deactivate idp

cli -> sso: POST(knox-sso, saml-assertion)
note right: KnoxSSO converts the SAML assertion to a normalized JWT (the KnoxSSO cookie)\nand extracts ui-origin-url from the original-url cookie
activate sso
cli <-- sso: redirect302(ui-origin-url, knox-token-cookie)
note right: KnoxSSO redirects client back to ui-origin-url with the JWT in the KnoxSSO cookie
deactivate sso

cli -> ui: GET(ui-origin-url, knox-token-cookie)
note right: Browser follows redirect to ui-origin-url with the JWT in the cookie.\nJWT validated by AuthFilter in UI
activate ui
cli <-- ui: ok200(response)
note right: Request processed and response returned to client.
deactivate ui
deactivate cli
@enduml
```
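The exchange in the diagram, as an added Python model written for this page; it is not Knox code and the URLs, the HMAC signing key, the `original-url` cookie name and the redirect allow-list regex are assumptions (Knox's own allow-list is the `knoxsso.redirect.whitelist.regex` service parameter; `hadoop-jwt` is the KnoxSSO default cookie name). The IdP's signed SAML XML assertion is replaced by a constructed dict, so assertion signature validation, which the real IdP integration performs, is not modelled. What the model does show is the two checks that make the round trip safe: the `originalUrl` parameter is only honoured if it matches the allow-list, otherwise KnoxSSO would be an open redirector, and the UI's AuthFilter accepts the cookie only with a valid signature and an unexpired `exp`.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example; not Knox configuration.
KNOX_SSO = "https://knox.example.com/gateway/knoxsso/api/v1/websso"
IDP_LOGIN = "https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
IDP_ISSUER = "https://idp.example.com"
SIGNING_KEY = b"assumed-knoxsso-hmac-key"
COOKIE = "hadoop-jwt"                  # KnoxSSO default cookie name
ORIGINAL_URL_COOKIE = "original-url"   # assumed name for the remembered ui-origin-url
# Allow-list for originalUrl; without it the parameter is an open redirect.
REDIRECT_ALLOWLIST = re.compile(r"^https://[a-z0-9.-]+\.example\.com(/.*)?$")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject: str, now: int, ttl: int = 3600) -> str:
    """Issue a compact HS256 JWT (hand-rolled so the example needs no libraries)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int):
    """Return the subject if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def ui_request(url: str, cookies: dict, now: int):
    """Steps 1-2 and 11-12: the UI's AuthFilter. 302 to KnoxSSO without a valid token."""
    subject = verify_jwt(cookies.get(COOKIE, ""), now)
    if subject is None:
        return "302", KNOX_SSO + "?" + urlencode({"originalUrl": url}), None
    return "200", None, subject


def knoxsso_get(url: str, cookies: dict):
    """Steps 3-4: no token at KnoxSSO; remember originalUrl, bounce the browser to the IdP."""
    original = parse_qs(urlparse(url).query).get("originalUrl", [""])[0]
    if not REDIRECT_ALLOWLIST.match(original):
        return "400", None, {}          # refuse to become an open redirector
    return "302", IDP_LOGIN, {ORIGINAL_URL_COOKIE: original}


def idp_login(credentials: dict, users: dict):
    """Steps 7-8: the IdP validates the form POST and answers with an assertion.
    A constructed dict stands in for the signed SAML XML a real IdP form-posts to KnoxSSO."""
    if users.get(credentials.get("username")) != credentials.get("password"):
        return "401", None
    return "302", {"Issuer": IDP_ISSUER, "NameID": credentials["username"]}


def knoxsso_post(assertion: dict, cookies: dict, now: int):
    """Steps 9-10: turn the assertion into the KnoxSSO JWT cookie and return to the UI."""
    original = cookies.get(ORIGINAL_URL_COOKIE, "")
    if assertion.get("Issuer") != IDP_ISSUER or not REDIRECT_ALLOWLIST.match(original):
        return "400", None, {}
    return "302", original, {COOKIE: mint_jwt(assertion["NameID"], now)}


def run_flow(ui_url: str, credentials: dict, users: dict, now: int = 1_700_000_000):
    """Drive a cookie-less browser through the whole diagram.
    Returns (final HTTP status, authenticated subject or None)."""
    jar: dict = {}
    status, location, _ = ui_request(ui_url, jar, now)               # 1-2
    if status != "302":
        return status, None
    status, location, set_cookies = knoxsso_get(location, jar)       # 3-4
    if status != "302":
        return status, None
    jar.update(set_cookies)
    status, assertion = idp_login(credentials, users)                # 5-8
    if status != "302":
        return status, None
    status, location, set_cookies = knoxsso_post(assertion, jar, now)  # 9-10
    if status != "302":
        return status, None
    jar.update(set_cookies)
    status, _, subject = ui_request(location, jar, now)              # 11-12
    return status, subject


if __name__ == "__main__":
    users = {"guest": "guest-password"}   # constructed IdP user store
    print(run_flow("https://nn.example.com/view", {"username": "guest", "password": "guest-password"}, users))
    print(run_flow("https://attacker.org/view", {"username": "guest", "password": "guest-password"}, users))
```

`run_flow` returns `("200", "guest")` for the happy path and `("400", None)` when the UI origin is outside the allow-list; a wrong password stops at the IdP with `("401", None)`. Note that the browser is the only party that carries state between the hops, exactly as in the diagram: the UI never talks to KnoxSSO or the IdP directly, so everything it later trusts has to be verifiable from the cookie alone.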
Knox Picketlink Federation Provider
...