SyferLock 2018 Documentation: GridGuard™ SAML Integration

Service Provider vs Identity Provider initiated Authentication

GridGuard supports both Service Provider (SP) initiated authentication and Identity Provider (IdP) initiated authentication.

Which mechanism to use for a given integration is dictated by what the SP supports. Some service providers support only one of the two; in that case the SP's capabilities make the choice for you. If the SP supports both, SP initiated authentication is usually preferred. It is better for usability, because the user starts at the application they actually want to reach, and it is the stronger option for the SP, because the SP can tie the response it receives back to a request it issued (through the InResponseTo attribute) instead of having to accept an unsolicited assertion.

As far as GridGuard is concerned, the configuration is the same whether authentication is SP or IdP initiated. The only difference is the initial URL the user accesses: the SP's login page in the SP initiated case, the GridGuard login page in the IdP initiated case.

How SP Initiated Authentication Works

The numbered steps in the sequence diagram shown above are explained below:

  1. The user accesses the SP login page.
  2. The SP redirects the user to the GridGuard login page with a SAML Authentication Request (AuthnRequest).
  3. The user accesses the GridGuard login page.
  4. GridGuard authenticates the user based on a combination of user name, user registry, password, GridPIN, and GridCode, as applicable.
  5. Once authentication completes, the result is returned to the user in the identity assertion response, and the user is redirected to the Assertion Consumer Service (ACS) URL.
  6. The user accesses the ACS URL with the identity assertion (successful or failed authentication).
  7. If the user was successfully authenticated, the SP grants access; otherwise access is denied.
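Steps 1 and 2 are where the SP initiated flow differs from the IdP initiated one: the SP mints an AuthnRequest, remembers its ID, and sends the browser to the IdP with that request encoded in the URL. The following is an added example written for this page, not SyferLock's or GridGuard's code. It builds the AuthnRequest, applies the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and decodes such a URL again the way the IdP (or an engineer debugging a captured redirect) would. The entity IDs, the ACS URL and the GridGuard SSO endpoint URL are assumed placeholders.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed deployment values; none of them come from the SyferLock page.
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://gridguard.example.com/saml/sso"  # assumed GridGuard SSO endpoint


def new_request_id():
    # SAML IDs must be XML NCNames, which cannot start with a digit; the leading
    # underscore keeps a random hex string valid. The SP stores this ID so it can
    # later bind the IdP's response (InResponseTo) to a request it really issued.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """The AuthnRequest of step 2, asking the IdP to post the response back to our ACS."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    The result is the initial URL the browser is sent to in the SP initiated flow."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    )
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """Reverse the binding, as the IdP does on arrival. Returns (ID, Destination, ACS URL)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    req = ET.fromstring(xml)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return req.get("ID"), req.get("Destination"), req.get("AssertionConsumerServiceURL")


def start_sp_initiated_login(relay_state="/app/home"):
    """Steps 1 to 2: mint a request, remember its ID, return (ID, redirect URL)."""
    rid = new_request_id()
    url = redirect_binding_url(build_authn_request(rid, "2024-06-01T12:00:00Z"), relay_state)
    return rid, url
```

The request ID returned by start_sp_initiated_login is what the SP must keep (bound to the browser session) until the ACS sees the matching response. Deployments that require signed requests additionally append SigAlg and Signature query parameters computed over the encoded query string; that signing step is not shown here.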

How IdP initiated Authentication Works

The numbered steps in the sequence diagram shown above are explained below:

  1. The user accesses the IdP (GridGuard) login page directly; no AuthnRequest is involved.
  2. GridGuard authenticates the user based on a combination of user name, user registry, password, GridPIN, and GridCode, as applicable.
  3. Once authentication completes, the result is returned to the user in the identity assertion response, and the user is redirected to the Assertion Consumer Service (ACS) URL.
  4. The user accesses the ACS URL with the identity assertion (successful or failed authentication).
  5. If the user was successfully authenticated, the SP grants access; otherwise access is denied.
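The last two steps of both flows are handled by the same ACS endpoint; the only thing the SP can use to tell the flows apart is whether the response carries an InResponseTo that matches a request it issued. The following is an added example written for this page, not SyferLock's or GridGuard's code, showing the ACS checks a practitioner would want for either flow: status, Destination, InResponseTo binding and one-time use, Issuer, validity window, audience, and SubjectConfirmationData. It runs on constructed sample responses (not captured GridGuard traffic); the entity IDs and ACS URL are assumed placeholders. XML signature verification is a stated precondition rather than part of the code, since the standard library has no XML-DSig support.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed deployment values; none of them come from the SyferLock page.
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://gridguard.example.com/idp"
ALLOW_IDP_INITIATED = True  # False: the ACS rejects every unsolicited response


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(response_xml, outstanding_ids, now):
    """ACS logic for the final steps of either flow. Returns (flow, NameID) on success,
    raises ValueError otherwise. PRECONDITION: the XML signature over the
    Response/Assertion has already been verified against the IdP's signing certificate
    with an XML-DSig library; without that step every check below can be forged."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != ACS_URL:
        raise ValueError("not a Response addressed to our ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported authentication failure")
    # The only point at which the SP can tell the two flows apart.
    irt = root.get("InResponseTo")
    if irt is None:
        if not ALLOW_IDP_INITIATED:
            raise ValueError("unsolicited (IdP-initiated) response rejected by policy")
        flow = "idp-initiated"
    elif irt not in outstanding_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    else:
        flow = "sp-initiated"
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was not issued for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or now >= _ts(scd.get("NotOnOrAfter")) or scd.get("InResponseTo") != irt):
        raise ValueError("SubjectConfirmationData does not match this ACS/request")
    if flow == "sp-initiated":
        del outstanding_ids[irt]  # one-time use, so the same response cannot be replayed
    return flow, a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(in_response_to=None, success=True):
    """Constructed test data shaped like a SAML 2.0 Response; not captured from GridGuard."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    code = SUCCESS if success else "urn:oasis:names:tc:SAML:2.0:status:Responder"
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="2024-06-01T12:00:00Z" Destination="{ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{code}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>jdoe</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-06-01T12:05:00Z"{irt}/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        '<saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def run_flows():
    """Exercise both flows plus a replay and a failed login; returns the ACS decisions."""
    now = datetime(2024, 6, 1, 12, 1, tzinfo=timezone.utc)
    rid = "_sp-request-1"  # the ID the SP put in its AuthnRequest and remembered
    ids = {rid: now}       # the SP's store of outstanding request IDs
    out = {"sp_initiated": validate_response(sample_response(rid), ids, now),
           "idp_initiated": validate_response(sample_response(), {}, now)}
    for label, xml in (("replay", sample_response(rid)),
                       ("failed_auth", sample_response(rid, success=False))):
        try:
            validate_response(xml, ids, now)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out
```

Both successful cases yield the same NameID; the difference is only in which branch of the InResponseTo check was taken, and an SP that wants the stronger guarantee simply sets ALLOW_IDP_INITIATED to False. The replay case shows why the SP consumes the request ID on first use: the identical response presented a second time is refused.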