- the user goes to a RAP client application and clicks on the login button;
- the client application sends a POST request to RAP, specifying the callback URL;
- the user selects the authentication method he or she prefers or joins identities;
- the user inserts the credentials or uses a certificate;
- login data (SAML response, X.509 parsed data or OAuth2 access token) returns to RAP;
- RAP checks whether the user information is already stored in the database; if not, the user is registered and a new user ID is assigned to him or her;
- a temporary token associated with the user ID is stored in the database;
- RAP redirects to the callback URL adding the token as a query parameter;
- the client application receives the token and uses it to retrieve user information from the RAP web service;
- the token is deleted; unused tokens are deleted after a few minutes in any case.
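
The temporary-token steps above (store, redeem once, expire), as an added sketch that is not RAP's own code. The table name, function names, the 300-second lifetime and the choice to store only a SHA-256 hash of the token are assumptions of this example; an in-memory SQLite database stands in for the RAP database.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 300  # assumed value; the page only says "a few minutes"

def open_store():
    """In-memory stand-in for the RAP database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_token (token_hash TEXT PRIMARY KEY, "
               "user_id TEXT NOT NULL, expires_at REAL NOT NULL)")
    return db

def _digest(token):
    # Only a hash is stored, so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, now=None):
    """Create the temporary token that is appended to the callback URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    with db:
        db.execute("INSERT INTO login_token VALUES (?, ?, ?)",
                   (_digest(token), user_id, now + TOKEN_TTL_SECONDS))
    return token

def redeem_token(db, token, now=None):
    """Return the user ID on first use only; the row is deleted either way."""
    now = time.time() if now is None else now
    h = _digest(token)
    row = db.execute("SELECT user_id, expires_at FROM login_token "
                     "WHERE token_hash = ?", (h,)).fetchone()
    with db:
        # The DELETE row count decides the winner if the token is presented twice.
        deleted = db.execute("DELETE FROM login_token WHERE token_hash = ?",
                             (h,)).rowcount
    if row is None or deleted != 1:
        return None
    user_id, expires_at = row
    return user_id if now < expires_at else None

def purge_expired(db, now=None):
    """Periodic cleanup of tokens that were never redeemed; returns the count."""
    now = time.time() if now is None else now
    with db:
        return db.execute("DELETE FROM login_token WHERE expires_at <= ?",
                          (now,)).rowcount
```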