...
The SAML flow is shown in the diagram below.
...
The user, via the UserAgent (e.g. a browser), tries to access the SP.
The SP checks the user's current authentication session and:
If the user still has a valid session, the SP grants the user access to the service.
If the user does not have a valid session, the SP generates an AuthNRequest and redirects the user to the IDP’s SingleSignOnService URL.
The IDP checks the AuthNRequest and, if it is valid, asks the UserAgent to provide authentication details.
The UserAgent provides the authentication details to the IDP.
The IDP checks the user credentials and, if they are valid, generates a SAMLResponse containing a SAML Assertion about the user attributes.
The IDP sends the SAMLResponse (through the UserAgent) to the AssertionConsumerService URL of the SP.
The SP validates the SAMLResponse and its assertions and, if they are valid, grants the user access to the service.
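The final validation step, as an added Python example that is not code from the original page: it applies the binding checks SAML 2.0 expects of an SP to a received SAMLResponse (InResponseTo, Destination, status, audience, validity window). The names `check_response`, `sample_response`, `ACS_URL` and `SP_ENTITY_ID`, and the sample response itself, are constructed for illustration; XML signature verification against the IDP certificate is assumed to have happened already and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP values (assumptions, not from the original page).
ACS_URL = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/metadata"
# Constructed, unsigned SAMLResponse used as sample input.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 InResponseTo="{req}" Destination="{dest}">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
 </samlp:Status><saml:Assertion ID="_a1" Version="2.0">
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
 <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

def sample_response(req, dest=ACS_URL, aud=SP_ENTITY_ID):
    """Base64 form in which the UserAgent POSTs the SAMLResponse to the SP."""
    return base64.b64encode(SAMPLE.format(req=req, dest=dest, aud=aud).encode())

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(b64_response, expected_request_id, now):
    """Return the failed checks (empty list = accept). Assumes the XML signature
    was already verified against the IDP certificate; that step is not shown."""
    root = ET.fromstring(base64.b64decode(b64_response))
    errors = []
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match the AuthNRequest we sent")
    if root.get("Destination") != ACS_URL:
        errors.append("Destination is not our AssertionConsumerService URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("IDP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    cond = assertions[0].find("saml:Conditions", NS) if len(assertions) == 1 else None
    if cond is None:
        return errors + ["expected exactly one Assertion with Conditions"]
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        errors.append("Assertion audience is a different SP")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and noa and _ts(nb) <= now < _ts(noa)):
        errors.append("Assertion is outside its validity window")
    return errors
```

The SP has to remember the ID of each AuthNRequest it issued so it can pass it as `expected_request_id`. Because the response arrives through the UserAgent, parse it with a hardened XML parser in production.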
...