By default accessing a Flow requires authentication. Any authentication is expected to be handled by a trusted SAML IDP. Once authenticated, authorisation is based on the incoming SAML assertion.
In order for authentication to work, a SAML SP authenticator needs to be configured. Also, SAML SP need to share first part of URI in with Forms module.
Forms module has "http_context" configured to "/forms". The SAML must have it's "http_context" set to "/forms/xxx" ("/forms/auth" is a good pattern).
Typically the properties regarding authentication in Forms module will look something like this:
On the SAML SP side configuration will look like this:
Once the user is authenticated data from incoming assertion vill be transfered to the session.
NameID vill be the users login identifier. Other attributes will be put in the session where multivalued attributes is merged into a comma separated list.
Once authenticated all users by default can access a Flow. Restricting is based on roles attribute in the incoming assertion. By using the "requires_role" configuration parameter on the Flow restriction control is performed comparing the incoming "roles" in the assertion and data in "requires_role" for the Flow.
One value of "role" must match "requires_role" in order for user getting access.