Naga nagarajureddepalli44
A lot of things can differ based on different parameters:
- Architectural Model (WA-WAOP or CA AG).
- IdP Initiated OR SP Initiated (with SAML REQUEST w / wo RelayState).
- HTTP POST or HTTP Artifact Binding.
- Signing / Verification.
- Encryption / Decryption (with levels).
Thus, if you have a specific configuration / flow in mind, it would be better to speak about that.
However, the best way to learn is to be proactive and do some self-investigation, and thereafter ask pointed / specific questions. Here is what I'd do:
- Configure a simple working SAML flow.
- Use a tool like Fiddler to see what redirects and cookies are getting generated.
- Enable tracing on WAOP (FWSTrace.log) and Policy Server (smtracedefault.log; make sure FED TXN is enabled in tracing). Map the browser transactions to FWSTrace.log and smtracedefault.log.
- Configure additional tweaks / configurations on top of the basic / simple working SAML flow. Repeat the above two steps.
For your ease, in general words, here are the most common generic things that occur en route:
- Once a SAML RESPONSE is received at the SP end, it will be BASE64 encoded. The first thing would be to BASE64 decode the SAML RESPONSE to expose the XML document.
- Once the XML document is retrieved, typically we would check if the IdP ID matches a configuration on the SP end. We need to know against which partnership this SAML RESPONSE should be mapped.
- Once the validity of the IdP ID is ascertained, the most common generic thing that happens is decryption of the Assertion.
- Once the Assertion is decrypted, the most common generic thing is Signature Validation.
- Once all of the above 3 are successfully completed, the disambiguation process kicks in. In most cases it reads the username from NameID and searches for that value in the User Directory.
- If the user is found then disambiguation succeeds. But hold on, we also check if the Assertion is within the Validity Duration and, in many cases, if it is within the OneTime clause. If all of these PASS, then Authentication Success is fired.
- SMSession is generated (WAOP code sets the SMSESSION cookie in this case).
- Thereafter the request is redirected to the TARGET URL / APP defined within the partnership.
As I mentioned, this is very high level; based on your configurations, many things will get added to this.
What cookies are created:
- SMSESSION for sure on successful Authentication.
- Depending on your flow / configurations, other cookies like
Regards
Hubert
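The SP-side processing order described in the post (BASE64 decode, map the Issuer to a partnership, disambiguate the NameID against the user directory, check the Validity Duration, enforce the OneTime clause), as an added illustration that is not Hubert's code and not SiteMinder / WAOP code. The partnership table, user directory, clock skew and sample response are all constructed for the example; decryption and signature validation are assumed to have already been performed on the assertion and are not shown.

```python
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PARTNERSHIPS = {"https://idp.example.com/saml":  # hypothetical SP partnership table
                {"skew": timedelta(seconds=30), "one_time": True}}
USER_DIRECTORY = {"jdoe": "uid=jdoe,ou=people,dc=example,dc=com"}  # hypothetical
SEEN_ASSERTION_IDS = set()  # replay cache backing the OneTime check

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(b64_response, now):
    """Return (ok, reason, user_dn); assumes decryption and signature checks already passed."""
    root = ET.fromstring(base64.b64decode(b64_response))   # step 1: BASE64 decode
    issuer = root.findtext("saml:Issuer", namespaces=NS)    # step 2: map IdP ID to partnership
    partner = PARTNERSHIPS.get(issuer)
    if partner is None:
        return False, "issuer does not match any partnership", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "assertion missing or its issuer differs from the response", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    user_dn = USER_DIRECTORY.get(name_id or "")             # disambiguation via NameID
    if user_dn is None:
        return False, "disambiguation failed: NameID not found in directory", None
    skew, cond = partner["skew"], assertion.find("saml:Conditions", NS)
    if (cond is None or now + skew < _ts(cond.get("NotBefore"))
            or now - skew >= _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity duration", None
    if partner["one_time"]:                                 # OneTime clause
        if assertion.get("ID") in SEEN_ASSERTION_IDS:
            return False, "assertion already consumed (OneTime check)", None
        SEEN_ASSERTION_IDS.add(assertion.get("ID"))
    return True, "authentication success", user_dn

# Constructed sample response (unsigned and unencrypted, for illustration only).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer><saml:Assertion ID="_a1" Version="2.0">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer><saml:Subject><saml:NameID>jdoe</saml:NameID>
 </saml:Subject><saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
 </saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()
SAMPLE_NOW = _ts("2024-05-01T12:01:00Z")

if __name__ == "__main__":
    print(validate_response(SAMPLE_B64, SAMPLE_NOW))
```

Submitting the same assertion a second time is rejected by the replay cache, which is the behaviour the OneTime clause in the post refers to.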