SAML Authentication Flow
- Last Updated: June 19, 2025
When using other Edge Security Pack (ESP) authentication protocols on the LoadMaster, end users are presented with the standard Progress Kemp login form. With SAML, the LoadMaster does not display this form, because Progress Kemp does not provide one; instead, the LoadMaster redirects the client to the login form hosted at the IdP.
The LoadMaster implementation relies on the HTTP Redirect protocol binding for redirections to a claims provider, also known as an IdP. It also depends on the HTTP POST binding: where applicable, the LoadMaster expects IdP responses to arrive as HTTP POST messages.
A SAML SSO domain is fundamentally different from the other types of SSO domain configurable on the LoadMaster because the LoadMaster does not interact directly with the authentication server (AD FS in this scenario). Instead, the LoadMaster redirects the client to interact directly with AD FS, where the client enters the credentials required for authentication.
The URL provided in the client's original request is preserved and takes precedence over the destination URL in the SAML response. For example, if a user logs in to a URL such as https://sharepoint.kemptest.com/personal/admin, they are directed to https://sharepoint.kemptest.com/personal/admin and not https://sharepoint.kemptest.com.
Here is a description of the flow:
- The client attempts to connect to the Virtual Service on the LoadMaster.
- The LoadMaster identifies that there is no cookie for the session. As this is a SAML-based domain, the authentication request is built.
- The client is informed to redirect to the IdP.
- The client sees the login form from the IdP federation server and enters their credentials. This interaction is between the client and the IdP. The credentials are passed between the client and the Federation Server.
- The IdP parses the SAML request and authenticates the user.
- The IdP generates the SAML response.
- The IdP returns the encoded SAML response to the browser in the URL.
- A POST request, including the SAML response, is passed back to the Service Provider (the LoadMaster).
- The LoadMaster validates the contents of the SAML response and grants/denies access. Back-end KCD processing is performed at this point, if KCD is in use.
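The two bindings described above and the "original URL wins" rule, shown from the Service Provider's side as an added example (this is not LoadMaster code; the IdP endpoint, hostnames, request ID and timestamp are constructed, and the RelayState host check is an extra safeguard not described on this page):

```python
# Added example, not LoadMaster code. Shows the SP steps of the flow above:
# an AuthnRequest sent with the HTTP-Redirect binding, the originally requested
# URL carried in RelayState, and that URL taking precedence over the SAML
# response's destination once the POSTed response has been validated.
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"   # constructed IdP endpoint

def build_authn_request(request_id, sp_acs_url, issuer):
    """Minimal SAML 2.0 AuthnRequest the SP builds when no session cookie exists."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2025-06-19T00:00:00Z" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{sp_acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )

def build_redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query params."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode()
    query = urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return IDP_SSO_URL + "?" + query

def decode_redirect_request(url):
    """IdP side: recover the AuthnRequest XML and RelayState from the redirect URL."""
    params = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode(), params["RelayState"][0]

def pick_landing_url(relay_state, response_destination, sp_host):
    """After a valid POSTed response, the originally requested URL takes precedence.
    Added check (not from the page): only honour a RelayState that points back at
    this SP, so a tampered RelayState cannot be turned into an open redirect."""
    if relay_state and urlparse(relay_state).netloc == sp_host:
        return relay_state
    return response_destination
```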
Logging out results in another series of events:
- The user signs out.
- The client gets logged out of the LoadMaster and redirected to the IdP again to allow the user to log back in, if necessary.
- A logout response is passed from the IdP to the client.
- A logout response is passed from the client to the LoadMaster.