Which statement correctly describes the flow of SAML-based single sign-on?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

Explanation:
SAML-based single sign-on revolves around the identity provider issuing a security assertion to the service provider after the user has been authenticated. Once the IdP verifies the user, it creates a SAML assertion that proves the user's identity (and can carry attributes), signs it, and sends it to the service provider. The service provider validates that assertion and, if valid, establishes a session for the user so access is granted. This flow is captured by the description of returning a security assertion from the identity provider to the service provider to grant access. Cookie-based SP sessions can occur afterward, but they describe how the SP maintains access, not the core SSO mechanism. Storing passwords in plaintext on the service provider and using SAML to request a password from the user are not part of how SAML SSO works; passwords aren’t shared with the SP, and SAML doesn’t request a password from the user after the initial authentication.
