Avi Load Balancer supports SAML 2.0 authentication for clients. It serves as a Service Provider (SP) to protect your load-balanced, back-end HTTP/HTTPS applications.

Avi Load Balancer supports SP-initiated SSO with third-party identity providers (IdP). As a service provider, the Avi Load Balancer virtual service is responsible for ensuring secure access to the back-end applications load-balanced by Avi Load Balancer.

As illustrated, the workflow for SAML client authentication is as follows:

  1. The user attempts to access a protected resource on Avi Load Balancer that requires authentication.

  2. The Avi Load Balancer virtual service, acting as a service provider, sends a SAML authentication request before allowing the user to access the back-end applications.

  3. The request is redirected to the IdP's SSO Service.

  4. The IdP's SSO service handles the authentication process: it verifies the credentials presented by the user, generates a SAML response describing the user and the authentication event, and returns it to the user's browser in an XHTML form.

  5. The browser posts the SAML response, which carries the assertion, to the Assertion Consumer Service (ACS) on Avi Load Balancer.

  6. Avi Load Balancer validates the response received from the IdP and issues a session cookie to the user.

  7. The user then sends the request for the target resource with the same cookie.

  8. Avi Load Balancer validates the cookie and allows access to the user.
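The validation in steps 5 and 6 is where a service provider must be strict. As an added illustration (not Avi Load Balancer's code; the ACS URL, SP entity ID and the sample response are constructed), the following Python checks a posted SAML response for what an SP has to enforce once the XML signature has been verified: a success status, exactly one assertion, the validity window, the audience, the recipient, and a matching, not yet consumed AuthnRequest ID so that a captured response cannot be replayed.

```python
# Added example, not Avi Load Balancer code: the SP-side checks on a posted
# <samlp:Response> that still apply after the XML signature has been verified
# (signature verification itself is left to an XML-DSig library such as signxml).
import datetime as dt
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS, SP_ID = "https://app.example.test/saml/acs", "https://app.example.test"  # constructed SP values
# Constructed sample response answering AuthnRequest _req1 (Signature elements omitted).
SAMPLE = b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://app.example.test/saml/acs">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1" Version="2.0"><a:Issuer>https://idp.example.test</a:Issuer><a:Subject><a:NameID>alice</a:NameID>
  <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><a:SubjectConfirmationData
   Recipient="https://app.example.test/saml/acs" InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </a:SubjectConfirmation></a:Subject><a:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <a:AudienceRestriction><a:Audience>https://app.example.test</a:Audience></a:AudienceRestriction>
  </a:Conditions></a:Assertion></p:Response>"""

def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_response(xml_bytes, pending_ids, now, acs=ACS, sp_id=SP_ID):
    """Return the list of failed checks (empty means acceptable); the matched
    AuthnRequest ID is removed from pending_ids so the response cannot be replayed."""
    root, errs = ET.fromstring(xml_bytes), []
    code = root.find("p:Status/p:StatusCode", NS)
    if root.tag != "{%s}Response" % NS["p"] or code is None or code.get("Value") != SUCCESS:
        return ["not a successful samlp:Response"]
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:         # reject zero or several assertions outright
        return errs + ["expected exactly one assertion, got %d" % len(assertions)]
    cond = assertions[0].find("a:Conditions", NS)
    scd = assertions[0].find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return errs + ["assertion lacks Conditions or SubjectConfirmationData"]
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        errs.append("assertion not yet valid")
    if any(e.get("NotOnOrAfter") and now >= _ts(e.get("NotOnOrAfter")) for e in (cond, scd)):
        errs.append("assertion or subject confirmation expired")
    if sp_id not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        errs.append("audience does not include this SP")
    if scd.get("Recipient") != acs:
        errs.append("Recipient is not our ACS URL")
    if scd.get("InResponseTo") in pending_ids:
        pending_ids.discard(scd.get("InResponseTo"))   # consume the request ID
    else:
        errs.append("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    return errs
```

An empty list means the SP may issue its session cookie (step 6); any entry is a reason to reject the login and log it.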