The SSO flow
A Single-Sign-On-enabled Planon Cloud environment consists of four components: the end user, the Planon Cloud environment, the Identity Broker solution and the customer Identity Provider (IdP).
The following image describes the connection between these components in Planon Cloud:
[Figure: Schematic overview of how a user's identity in the Cloud is established]
The numbers in the diagram correspond with the steps below.
In this process, the end user is represented by the browser.
Only a few of these actions result in something that an actual end user sees. These steps are marked with an * and followed by a short explanation of what the end user experiences.
1. The end user requests a resource from the Planon Cloud. The service provider performs a security check on behalf of the target resource. (If a valid security context already exists at the Identity Broker (service provider), steps 2–9 are skipped.)*
End user experience: enter the Planon URL in the browser or click on a link that points to the Planon Cloud.
2. Planon Cloud Environment responds with a redirect to the Identity Broker solution.
3. The end user requests login at the Identity Broker solution*.
End user experience: If manual login is enabled (the default for all non-production environments), the user can log in with the initial Planon supervisor account (credentials can be obtained via the Environment management gadget), or the user can click the link to be redirected to the IdP (step 4). If the SAML Identity Provider is the default login method, the user is automatically redirected to the IdP (step 4).
4. The Identity Broker responds with a redirect to the Identity Provider.
5. The end user requests login from the Identity Provider*.
End user experience: User views the login page or is automatically logged in to the Identity Provider, depending on the configuration at the customer.
6. After a successful login at the Identity Provider, the end user is redirected to the Identity Broker.
7. The end user visits the Identity Broker with a SAML post.
8. The Identity Broker responds with a redirect to the Planon Cloud.
9. The end user posts the configured attribute to the Planon Cloud.
10. The Planon Cloud checks with the Identity Broker solution whether the user session is valid.
11. The Identity Broker solution confirms the session if it is valid.
12. Only after the session has been confirmed as valid can the user access the requested resource*.
End user experience: The user sees the requested resource at Planon Cloud. If the user name is unknown in the Planon Cloud Environment, an access failed message will be displayed.
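Steps 7–12 as a constructed simulation (added example, not Planon code): the Identity Broker, the Planon Cloud environment and the list of known user names are in-memory stand-ins, and the only attribute modelled is the user name. It shows the check that matters for defenders: the Cloud does not act on the posted attribute by itself but first confirms the session at the Identity Broker (steps 10–11), and an unknown user name ends in the access failed outcome (step 12).

```python
import secrets


class IdentityBroker:
    """Stand-in for the Identity Broker solution (constructed, not Planon's)."""

    def __init__(self):
        self._sessions = {}  # session id -> attributes received from the IdP

    def accept_saml_post(self, idp_attributes):
        # Step 7: the SAML post is accepted and a broker session is created.
        # Step 8: the browser is redirected to the Planon Cloud with it.
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = dict(idp_attributes)
        return session_id

    def is_session_valid(self, session_id):
        # Steps 10-11: confirmation requested by the Cloud, answered by the broker.
        return session_id in self._sessions


class PlanonCloud:
    """Stand-in for the Planon Cloud environment (constructed)."""

    def __init__(self, broker, known_users):
        self._broker = broker
        self._known_users = set(known_users)

    def handle_attribute_post(self, session_id, posted_attributes):
        # Step 9: the browser posts the configured attribute (here: "username").
        # Step 10: the session is checked at the broker before anything is trusted.
        if not self._broker.is_session_valid(session_id):
            return ("redirect_to_broker", None)  # no valid session: back to step 2
        user = posted_attributes.get("username")
        # Step 12: a user name unknown in this environment gives "access failed".
        if user not in self._known_users:
            return ("access_failed", None)
        return ("resource", user)


def demo():
    # Constructed sample run: one known user, one unknown user, one forged session id.
    broker = IdentityBroker()
    cloud = PlanonCloud(broker, known_users=["alice"])
    good = cloud.handle_attribute_post(broker.accept_saml_post({"username": "alice"}),
                                       {"username": "alice"})
    unknown = cloud.handle_attribute_post(broker.accept_saml_post({"username": "mallory"}),
                                          {"username": "mallory"})
    forged = cloud.handle_attribute_post("not-a-broker-session", {"username": "alice"})
    return good, unknown, forged
```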