Hiya,
Yes, you complete a login after the user has logged in at the SAML provider. That's implied, but maybe we should make it a bit clearer.
From https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login
This API allows you to complete a SAML v2 login after the user has authenticated with a SAML v2 identity provider. If you are using the FusionAuth login UI with the SAML v2 button you will not utilize this API directly.
The idea is:
1. You call start SAML login (the FusionAuth API)
2. You direct the user to the IDP
3. You get the SAML response
4. You pass the SAML response to the complete API call (again, FusionAuth API)

Why not just integrate SAML directly into your application? It's an instance of the identity broker pattern, and having FusionAuth in the middle can allow for a standard interface across SAML and other remote IdP providers.
How you handle steps 2 and 3 is not documented for two reasons.
1. It might vary widely, depending on the SAML IdP and your configuration.
2. It is expected that as someone who is using the start/complete API and not the FusionAuth hosted login pages, you are familiar enough with SAML to take care of them.

Hope this helps!
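A sketch of steps 3 and 4 from the list above, added here as an example and not taken from the post or from FusionAuth's own code: it reads the `SAMLResponse` field from the IdP's HTTP-POST form, checks that the response answers the request ID this session used at the start call, and only then builds the body for the complete call. The function names are hypothetical, the body fields (`applicationId`, `identityProviderId`, `data.samlResponse`) are assumed from the API page linked above and should be checked there, and the sample message is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

RESPONSE_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

def extract_saml_response(form_body: str) -> str:
    """Step 3: take the base64 SAMLResponse field from the IdP's HTTP-POST form."""
    values = parse_qs(form_body).get("SAMLResponse", [])
    if len(values) != 1:
        raise ValueError("expected exactly one SAMLResponse field")
    return values[0]

def in_response_to(saml_response_b64: str):
    """Return the InResponseTo attribute of the decoded <samlp:Response>."""
    text = base64.b64decode(saml_response_b64, validate=True).decode("utf-8")
    # A SAML message never needs a DTD; refuse one before handing it to the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD content is not allowed in a SAML message")
    root = ET.fromstring(text)
    if root.tag != RESPONSE_TAG:
        raise ValueError("not a SAML v2 Response")
    return root.get("InResponseTo")

def build_complete_body(form_body, expected_request_id, application_id, idp_id):
    """Step 4: body for the complete call, built only if the response
    answers the request ID stored for this session at the start call."""
    saml_response = extract_saml_response(form_body)
    if in_response_to(saml_response) != expected_request_id:
        raise ValueError("InResponseTo does not match the pending request")
    return {
        "applicationId": application_id,          # field names assumed, see lead-in
        "identityProviderId": idp_id,
        "data": {"samlResponse": saml_response},  # passed through still base64-encoded
    }

# Constructed sample: the form a browser would POST back from the IdP.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp-1" Version="2.0" InResponseTo="_req-123"/>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
SAMPLE_FORM = urlencode({"SAMLResponse": SAMPLE_B64, "RelayState": "abc"})

if __name__ == "__main__":
    print(build_complete_body(SAMPLE_FORM, "_req-123", "app-id-placeholder", "idp-id-placeholder"))
```

This is an early correlation check on the message as received; it does not validate the signature or the assertion contents.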