The site doesn't send anything at all to the identity provider. Your browser sends an authentication requests to the identity provider and relay it the site it wants to log into.
The site then checks the request is really signed by the identity provider and lets the user in.
The identity provider knows two things:
- You asked to log in somewhere
- At least one person logged to site X because site X asked for its public key
The site then checks the request is really signed by the identity provider and lets the user in.
The identity provider knows two things:
- You asked to log in somewhere - At least one person logged to site X because site X asked for its public key