Web Single Sign-On
Sabre provides a web-based Single Sign-On mechanism between SR360/Sabre Red Web and 3rd party Service Providers.
SSO authentication flow
There are two types of SSO authentication flow:
- Service Provider initiated
- Identity Provider initiated
Sabre SSO supports the authentication flow initiated by the Identity Provider (which in this case is Sabre).
High-level flow overview
The high-level SSO authentication flow looks like this:
1. The browser initiates the flow by opening the URL that was created as a result of SSO configuration.
2. The Identity Provider authenticates the user. This step is performed only when necessary.
3. The Identity Provider returns a self-submitting form containing a SAML assertion.
4. In the browser, the form is submitted and the assertion is posted to the Service Provider URL specified during SSO configuration.
5. The Service Provider validates the SAML assertion and, if validation succeeds, creates a security context.
6. The client has access to protected resources.
Information about available ways to validate SAML assertions can be found here.
See the com.sabre.redapp.example3.web.sso sample for implementation.
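The Service Provider's validation step in this Identity Provider initiated flow can be sketched as follows; this is an added example, not Sabre's sample code, and it covers only the checks that follow XML signature verification, which is assumed to have been done first with a vetted SAML library. The function names, URLs, entity IDs and the sample response are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
seen_ids = set()  # replay cache; a real SP needs a shared store with expiry


def check_unsolicited_response(b64, issuer, audience, acs_url, now,
                               skew=timedelta(minutes=2)):
    """Checks to run AFTER the XML signature has been verified with a vetted
    SAML library (not shown). Returns the NameID or raises ValueError."""
    root = ET.fromstring(base64.b64decode(b64))  # use a hardened parser in production
    if root.get("InResponseTo"):  # IdP-initiated: the SP never sent a request
        raise ValueError("InResponseTo set on an unsolicited response")
    a = root.find("a:Assertion", NS)
    if a is None or a.findtext("a:Issuer", "", NS).strip() != issuer:
        raise ValueError("missing assertion or unexpected issuer")
    conf = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        raise ValueError("assertion was not addressed to this SP URL")
    # A missing NotOnOrAfter makes fromisoformat raise ValueError as well.
    expiry = datetime.fromisoformat(conf.get("NotOnOrAfter", "").replace("Z", "+00:00"))
    if now - skew >= expiry:
        raise ValueError("assertion expired")
    allowed = [e.text.strip() for e in a.iterfind(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS) if e.text]
    if audience not in allowed:
        raise ValueError("assertion issued for a different audience")
    aid = a.get("ID")
    if not aid or aid in seen_ids:  # one-time use: no request ID to bind to
        raise ValueError("assertion ID missing or already used")
    seen_ids.add(aid)
    return a.findtext("a:Subject/a:NameID", "", NS).strip()


def sample_response(aid, not_on_or_after, audience="https://sp.example/metadata"):
    """Constructed, unsigned test response; all values are made up."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" ID="_r1">
 <a:Assertion ID="{aid}"><a:Issuer>https://idp.example</a:Issuer>
  <a:Subject><a:NameID>agent42</a:NameID><a:SubjectConfirmation>
   <a:SubjectConfirmationData Recipient="https://sp.example/acs"
     NotOnOrAfter="{not_on_or_after}"/></a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

Only when every check passes should the Service Provider create the security context for the returned NameID.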