Login Workflow

This is a simplified description of how the IdP account and the CDO user record work together to log a user in to CDO:

Procedure

Step 1

The user requests access to CDO by logging in to a SAML 2.0-compliant identity provider (IdP) such as Cisco Security Cloud Sign On (https://sign-on.security.cisco.com) for authentication.

Step 2

The IdP authenticates the user, issues a SAML assertion stating that the user is authentic, and its portal displays the applications the user can access, such as tiles representing https://defenseorchestrator.com, https://defenseorchestrator.eu, or https://www.apj.cdo.cisco.com/.

Step 3

CDO validates the SAML assertion, extracts the username, and attempts to find a user record among its tenants that corresponds to that username.

  • If the user has a user record on a single tenant on CDO, CDO grants the user access to the tenant and the user's role determines the actions they can take.

  • If the user has a user record on more than one tenant, CDO presents the authenticated user with a list of tenants they can choose from. The user picks a tenant and is granted access to it. The user's role on that specific tenant determines the actions they can take.

  • If CDO does not have a mapping for the authenticated user to a user record on a tenant, CDO displays a landing page giving users the opportunity to learn more about CDO or request a free trial.

Creating a user record in CDO does not create an account in the IdP and creating an account in the IdP does not create a user record in CDO.

Similarly, deleting an account on the IdP does not delete the user record from CDO; however, without the IdP account, there is no way to authenticate the user to CDO. Deleting the CDO user record does not delete the IdP account; however, without the CDO user record, an authenticated user has no way to access a CDO tenant. Because the two are independent, fully offboarding a user means removing both the IdP account and the CDO user record.
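The following Python program is an added illustration of the Step 3 tenant-resolution logic and of the IdP-account / CDO-user-record independence described above. It is example code written for this page, not Cisco's implementation. It assumes that the SAML assertion's signature, issuer, audience, and validity window have already been checked by a SAML library before the code runs, that the username CDO matches on is the assertion's NameID, and that matching is exact and case-sensitive; the tenant names, usernames, role names, and the assertion fragment are all constructed sample input.

```python
"""Added example: CDO-style tenant resolution after SAML authentication.

Illustrative code for this page, not Cisco's implementation. Assumes the
assertion was already validated (signature, issuer, audience, time window)
by a SAML library; only NameID extraction and tenant lookup are shown.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: tenant name -> {username: role}.
# Role names are placeholders, not CDO's actual role list.
TENANT_USERS: Dict[str, Dict[str, str]] = {
    "acme-tenant": {"alice@example.com": "Admin", "bob@example.com": "Read Only"},
    "globex-tenant": {"alice@example.com": "Read Only"},
}

# Constructed assertion fragment, assumed already validated (no Signature shown).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sign-on.security.cisco.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


class Outcome(Enum):
    GRANTED = "granted"              # exactly one tenant: log straight in
    CHOOSE_TENANT = "choose_tenant"  # several tenants: show the chooser
    NO_TENANT = "landing_page"       # no user record anywhere: landing page


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    tenants: Tuple[str, ...]   # tenants the user holds a record on
    role: Optional[str]        # role on the granted tenant, if any


def extract_username(assertion_xml: str) -> str:
    """Pull the NameID from an assertion whose signature was already verified.

    Never call this on an unverified assertion: until the signature check
    has passed, the NameID is attacker-controlled input.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return name_id.text.strip()  # exact, case-sensitive match assumed below


def resolve_access(username: str, tenant_users: Dict[str, Dict[str, str]]) -> Decision:
    """Step 3: map the authenticated username to zero, one or many tenants."""
    matches = {t: users[username] for t, users in tenant_users.items() if username in users}
    if not matches:
        return Decision(Outcome.NO_TENANT, (), None)
    if len(matches) == 1:
        (tenant, role), = matches.items()
        return Decision(Outcome.GRANTED, (tenant,), role)
    return Decision(Outcome.CHOOSE_TENANT, tuple(sorted(matches)), None)


def select_tenant(username: str, tenant_users: Dict[str, Dict[str, str]], chosen: str) -> Decision:
    """Second half of the multi-tenant case: the user picks a tenant.

    The pick arrives from the browser, so membership is re-checked against
    the server-side records instead of trusting the submitted tenant name.
    """
    role = tenant_users.get(chosen, {}).get(username)
    if role is None:
        raise PermissionError(f"{username} has no user record on {chosen}")
    return Decision(Outcome.GRANTED, (chosen,), role)


def login(assertion_xml: str, tenant_users: Dict[str, Dict[str, str]],
          chosen_tenant: Optional[str] = None) -> Decision:
    """Steps 2-3 for an already-validated assertion, with optional tenant pick."""
    username = extract_username(assertion_xml)
    decision = resolve_access(username, tenant_users)
    if decision.outcome is Outcome.CHOOSE_TENANT and chosen_tenant is not None:
        decision = select_tenant(username, tenant_users, chosen_tenant)
    return decision


if __name__ == "__main__":
    print(login(SAMPLE_ASSERTION, TENANT_USERS))
    print(login(SAMPLE_ASSERTION, TENANT_USERS, chosen_tenant="globex-tenant"))
    # Deleting the CDO user record leaves the IdP account (and its assertion)
    # intact, but the authenticated user now lands on the no-tenant page.
    without_alice = {t: {u: r for u, r in users.items() if u != "alice@example.com"}
                     for t, users in TENANT_USERS.items()}
    print(login(SAMPLE_ASSERTION, without_alice))
```

The `select_tenant` re-check is the part worth copying: the tenant the user "picks" is client-supplied, so the server must confirm the user actually holds a record on that tenant before granting access. The `without_alice` case at the bottom shows the independence described above: the IdP still issues a valid assertion for the user, but with no CDO user record the result is the landing page, not a tenant.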