Flow Diagrams

Note that it is strongly advisable to ensure that the base url "/", "/status" and "/metadata" endpoints are not publicly exposed. It is also important that your network settings allow connection to the https://api.mpin.io/.well-known/openid-configuration endpoint, as this is where the program attempts to get the platform configuration. It also needs outgoing access to https://api.mpin.io/authorize, https://api.mpin.io/oidc/certs and https://api.mpin.io/oidc/token.

When the IdP server is running, a RESTful HTTP JSON API server listens at the following endpoints:

/ GET returns a list of available endpoints as JSON
/status GET does a health check and returns the server status as JSON
/metadata GET Serves the SSO IDP SAML metadata. Can be used to download the metadata file for upload to SPs
/sso GET, POST SAML endpoint used by SPs to initiate the authentication flow
/auth/oidc/miracl GET Processes the callback from the OIDC provide (the endpoint is dynamic, see here)
/login/:id GET IdP-initiated login for a particular SP (identified by :id. For example /login/aws or login/dropbox)
/login/:id/*relaystate GET IdP-initiated login for a particular SP + RelayState
/logout GET Terminate the user’s SSO session
/services GET Serves the list of Service Providers the current user is authorized to access.

# Flow Diagrams

The following diagrams graphically illustrate the communication between:

  1. The MIRACL Trust SSO IdP server

  2. The Service Provider(s)

  3. The MIRACL Trust SSO authentication platform