PlantUML

@startuml
title Web UI SSO Flow (SAML)
autonumber
hide footbox
participant "Browser" as B
participant "WebUI\n(eg NN UI)" as A
participant "Knox\nTS/SSO" as G
participant "SAML IdP\n(eg Shibboleth)" as E

B -> A: GET(ui-origin-url)
note right: User/browser makes request to UI without valid token
activate A
A --> B: redirect(knox-sso+ui-origin-url)
note right: AuthFilter in UI detects no/invalid token, redirects to KnoxSSO preserving ui-origin-url
deactivate A
B -> G: GET(knox-sso+ui-origin-url)
note right: Browser follows redirect
activate G
G --> B: redirect(idp-login-ui)
note right: KnoxSSO finds no/invalid token,\nredirects to SAML IdP preserving knox-origin-url with encoded ui-origin-uri
deactivate G
B -> E: POST(idp-login-ui)
note right: Browser follows redirect
activate E
E --> B: ok(idp-login-ui)
note right: SAML IdP presents login form to user
deactivate E
B -> E: POST(idp-login-ui,credentials)
note right: User provides credentials to IdP via login form.\nSAML IdP validates credentials.
activate E
E --> B: redirect(sso,saml-assertion)
note right: IdP redirects back to knox-origin-url with SAML assertion\nin form POST
deactivate E
B -> G: POST(knox-sso,saml-assertion)
note right: KnoxSSO converts SAML assertion to a KnoxSSO cookie\nand extracts ui-origin-url from original-origin-url cookie
activate G
G --> B: redirect(ui-origin-url,knox-token-cookie)
note right: KnoxSSO redirects client back to ui-origin-url with KnoxSSO cookie
deactivate G
B -> A: GET(ui-origin-url,knox-token-cookie)
note right: Browser follows redirect to ui-origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter in UI
activate A
A --> B: ok(ui-cookie)
note right: Request processes and response returned to client.
deactivate A
@enduml
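The redirect chain in the diagram, as an added Python example that is not Knox's own code: the UI's AuthFilter (hypothetical name) checks the Knox cookie and redirects to KnoxSSO with the original URL, KnoxSSO turns the IdP-validated subject into a signed cookie and sends the browser back, and the UI admits the second request. It assumes Knox's default cookie and parameter names (hadoop-jwt, originalUrl), a hand-built HS256 token with a constructed secret in place of Knox's RSA-signed JWT, and a constructed allow-list for the return host; the IdP exchange itself is collapsed into the saml_subject argument.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, parse_qs, urlparse

KNOX_SSO = "https://knox.example/gateway/knoxsso/api/v1/websso"  # constructed
KNOX_SECRET = b"constructed-test-secret"  # constructed; Knox signs with an RSA key
ALLOWED_HOSTS = {"nn.example"}            # constructed: hosts KnoxSSO may return to

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(subject: str, ttl: int = 300) -> str:
    """KnoxSSO step 6: convert the validated SAML subject into a signed cookie value."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": subject, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(KNOX_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str):
    """AuthFilter step 8: constant-time signature check plus expiry; subject or None."""
    try:
        head, body, sig = token.split(".")
        expect = hmac.new(KNOX_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expect), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

def ui_auth_filter(url: str, cookies: dict) -> tuple:
    """WebUI: 200 when the hadoop-jwt cookie verifies, else 302 to KnoxSSO (steps 1-2, 8-9)."""
    sub = verify_jwt(cookies.get("hadoop-jwt", ""))
    if sub:
        return 200, f"ok for {sub}"
    return 302, f"{KNOX_SSO}?{urlencode({'originalUrl': url})}"

def knox_sso_callback(sso_url: str, saml_subject: str) -> tuple:
    """KnoxSSO step 7: after the IdP form POST, set the cookie and redirect to originalUrl.
    The return host is checked against an allow-list before redirecting."""
    orig = parse_qs(urlparse(sso_url).query)["originalUrl"][0]
    if urlparse(orig).hostname not in ALLOWED_HOSTS:
        raise ValueError("originalUrl host is not allowed")
    return orig, {"hadoop-jwt": mint_jwt(saml_subject)}

def run_flow(ui_url: str, saml_subject: str = "alice") -> tuple:
    """Drive the whole diagram once and return the UI's final response."""
    status, location = ui_auth_filter(ui_url, {})            # no cookie yet -> 302
    assert status == 302
    orig, cookies = knox_sso_callback(location, saml_subject)  # IdP login done -> cookie
    return ui_auth_filter(orig, cookies)                     # retry with cookie -> 200
```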
 

Knox Picketlink Federation Provider

...