Create sequence diagrams with simple online tool is a free webapp for making sequence diagrams. You simply edit the text on the left and the diagram is updated in real time. You can download your sequence diagrams as images or distribute with a link.

Title: Auth Proposal Note App, LoginApp: If the app cannot find credentials the following flow is triggered group: Login within secured in-app browser App -> Apigee: /authorize Note:Request includes: - redirect_uri: custom URI to redirect control to mobile app after authorization is granted - state: will be returned in redirect_uri - client_id: Oauth2 Application client_id provided by Apigee Apigee -> Apigee: Client Validation Note: replaces the client_id with client_code (internal partner identifier) Apigee -> SAML-SP: proxy forward SAML-SP -> SAML-SP: Resolve Idp Note: Create session and store the sate, client_id and redirect_uri group: _**SAML 2.0 Flow**_ SAML-SP -> App: XHTML form with Auth Request (SAML flow between SAML-SP and SAML-Idp) App -> SAML-Idp: HTTPS Post/redirect SAML-Idp -> SAML-Idp: validate Auth Request SAML-Idp <<-->> App: user logs in (if necessary) SAML-Idp -> SAML-Idp: SAML token generated SAML-Idp -> App: XHTML form with Auth Response App -> SAML-SP: HTTPS Post SAML-SP -> SAML-SP: validate, persist Auth Response end SAML-SP -> SAML-SP: Genreate auth-code Note: Generates a short lived token. link's it with account provided by SAML auth. This token or auth-code valid only for 60sec SAML-SP -> App: Redirect to Apigee with short lived token App -> App: capture and close Note All: Capures the short lived token and close the secured in-app browser. end group: Get tokens Note: App receives token and uses to get a longer validity access_token/refresh_token pair App -> Apigee: POST /token Note: grant_type=authorization_code is used in request. Apigee -> SAML-SP: POST /code/validate SAML-SP -> SAML-SP: Validate & provide basic account info to presist in token Note: LoginApp expires the shortlived token at this point. SAML-SP -> Apigee: account info Apigee -> Apigee: create access and refresh_token Apigee -> App: tokens in response end group: Refresh tokens Note: This is an optional flow when an API responds with 401. App -> Apigee: POST /token Note: grant_type=refresh_token and client_id are passed in the request Apigee -> Apigee: Validate refresh_token. Apigee -> Apigee: create new access/refresh token pair Note: the account info is copied from the old token (works BAU in apigee). Apigee -> App: tokens in response end order: App, Apigee, SAML-SP, SAML-Idp, Var Idp