...
The following describes the login flow when a user signs in to their Chemwatch account via SSO:
...
1. The service provider (Chemwatch) redirects the authentication request to the Identity Provider (Federation Service). The federation server receives no information from Chemwatch; this is only a redirect.
2. The user authenticates with the Identity Provider (IDP) using their login and password. This happens entirely outside the Chemwatch system.
3. The IDP redirects the call back to Chemwatch with a message containing the user name, an assertion of the user's login, and a security token to be used for future calls to the IDP. Chemwatch knows SSO users only by their login names; the IDP never sends back any additional information.
4. Chemwatch authenticates the user only if the IDP validated them successfully. Chemwatch can be configured to enable self-registration and assign a default role to self-registered users, which removes the need to import users before SSO is enabled on an account; registration then happens automatically on a new user's first login.
5. The token stays valid for a specific time, as configured in the IDP.
6. Once the token is invalidated, the user must authenticate with the IDP again.
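The service-provider side of the flow above, as an added illustration that is not Chemwatch code: an HMAC-signed assertion (a constructed stand-in for the IdP's signed response) is checked for authenticity and validity window, the user is looked up by login name only, and an unknown login is either rejected or self-registered with the default role depending on the account setting. The key, field names and roles are assumptions.

```python
import hmac, hashlib, json
from dataclasses import dataclass, field

# Constructed stand-in for the IdP's signing key. A real IdP signs with its private
# key and the service provider verifies against the IdP's published certificate.
IDP_KEY = b"constructed-idp-signing-secret"

def sign_assertion(claims: dict, key: bytes = IDP_KEY) -> dict:
    """Simulate the IdP: sign {login, issued_at, expires_at} with HMAC-SHA256."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

@dataclass
class ServiceProvider:
    users: dict = field(default_factory=dict)   # login name -> role (imported users)
    self_registration: bool = False             # account setting from the text
    default_role: str = "reader"                # assumed role name for self-registered users

    def validate_assertion(self, msg: dict, now: int, key: bytes = IDP_KEY):
        """Return the asserted login name, or None if the assertion is not trustworthy."""
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return None  # not issued by the trusted IdP (or tampered in transit)
        claims = json.loads(msg["body"])
        if not (claims["issued_at"] <= now < claims["expires_at"]):
            return None  # token outside its validity window: re-authenticate with the IdP
        return claims["login"]

    def login(self, msg: dict, now: int):
        """Return (login, role) on success, None when Chemwatch must refuse the login."""
        login = self.validate_assertion(msg, now)
        if login is None:
            return None
        if login not in self.users:
            if not self.self_registration:
                return None  # unknown login and no self-registration: user must be imported first
            self.users[login] = self.default_role  # automatic registration on first login
        return login, self.users[login]
```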
...