Supported SAML authentication scenarios

SDL Tridion Sites supports multiple IdP-initiated scenarios, and a single SP-initiated scenario.

IdP-initiated scenario

In this scenario, the SDL Tridion Sites user must already be logged in to the identity provider before authentication starts. The IdP is an independent, separate resource that knows the user's credentials and can authenticate the user and provide information about them. Typically, the IdP shows the user a list of the applications available to them (called, for example, the application gallery or the user vault), and SDL Tridion Sites is one of the applications in that list. Another possibility, depending on your specific IdP, is that the user opens the application directly from a URL without having to explicitly select it. By selecting SDL Tridion Sites, the user gains access to the application.

This scenario supports the use of multiple IdPs.

SP-initiated scenario

In this scenario, the service provider (in the case of SDL Tridion Sites, part of the Web application running in IIS) redirects users who try to access SDL Tridion Sites to the IdP so that they can log in. The user is then redirected back to SDL Tridion Sites, which picks up the user's claims and authorizes the user.

This scenario supports the use of only one IdP, because the service provider can redirect to only one IdP. If multiple IdPs are configured, SDL Tridion Sites uses the first one it encounters in the configuration.