IAM Request Flow

The sequence below shows a federated login (SAML / OIDC).
```mermaid
sequenceDiagram
    autonumber
    actor User
    participant Browser as Browser / Client
    participant IdP as Identity Provider
    participant SP as Service Provider
    User->>Browser: Visit SP application URL
    Browser->>SP: GET protected resource, no session
    SP-->>Browser: 302 redirect to IdP plus auth request
    Browser->>IdP: Forward authentication request
    IdP->>User: Prompt for credentials plus MFA
    User-->>IdP: Password and MFA factor
    IdP-->>Browser: Signed identity token, redirect to SP
    Browser->>SP: Present identity token
    Note over SP: Verify signature, expiry, audience, then extract claims
    SP-->>Browser: Return the protected resource
    Note over IdP,SP: IdP authenticates. SP authorizes.
```
The token is the only thing the SP trusts about who the user is. Its signature proves the IdP issued it, its expiry limits the replay window, and its audience proves it was minted for this SP and not stolen from another. The IdP performs authentication (proving who you are); the SP performs authorization (deciding what you may do).
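The SP-side check in step 9 of the diagram, as an added example rather than code from the original page. It models the identity token as a compact JWT-style string signed with a shared HMAC key (a constructed stand-in for the IdP's real signing key), with the issuer, audience and key values assumed for the demo; signature is verified before any claim is read, and a `check` helper returns either the claims or the reason the token was rejected.

```python
import base64, hashlib, hmac, json, time

# Hypothetical SP-side settings, constructed for this example.
SP_AUDIENCE = "https://sp.example.com"
IDP_ISSUER = "https://idp.example.com"
SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Constructed stand-in for the IdP: issues header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now=None, key: bytes = SHARED_KEY) -> dict:
    """SP side: signature first, then expiry and audience, then the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm the SP expects; never let the token pick it.
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")  # nothing in the payload is trusted
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims.get("exp", 0):  # bounds the replay window
        raise ValueError("token expired")
    aud = claims.get("aud")
    if aud != SP_AUDIENCE and not (isinstance(aud, list) and SP_AUDIENCE in aud):
        raise ValueError("token not minted for this SP")
    return claims

def check(token: str, now=None):
    """Return the verified claims, or the rejection reason as a string."""
    try:
        return verify_token(token, now)
    except ValueError as e:
        return str(e)
```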