The SSO service can serve as the IdP in an SSO transaction. The service can respond to attribute queries from an SP. The SP evaluates the additional attributes before granting access to the resource.
The attribute query feature works in two modes:
Metadata lists all attributes for which a query response can be generated. Responding to specific attribute queries avoids sending infrequently used attributes.
The SSO service accepts queries for attributes not listed in the metadata. The service checks the user directories first and then checks the session store for attributes. The session store contains dynamic attributes from the advanced authentication methods. The session store also contains dynamic proxied attributes from external IdPs.
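The two modes can be sketched as follows. This is an added example, not CA's code: it assumes the queries are SAML 2.0 AttributeQuery messages (the page does not name the protocol) whose signature and issuer have already been verified, and it applies the directory-then-session-store order to both modes. The names `parse_query`, `resolve` and `metadata_only` and the sample data are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample query from an SP (not captured traffic).
SAMPLE_QUERY = (
    '<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0" '
    'IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
    '<saml:Attribute Name="mail"/><saml:Attribute Name="authnLevel"/>'
    '<saml:Attribute Name="costCenter"/>'
    '</samlp:AttributeQuery>')

def parse_query(xml_text):
    """Return (subject, requested attribute names) from an AttributeQuery."""
    # Refuse DTDs so entity declarations in the message are never processed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AttributeQuery" % NS["samlp"]:
        raise ValueError("not an AttributeQuery")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("query has no subject")
    names = [a.get("Name") for a in root.findall("saml:Attribute", NS)]
    return subject, names

def resolve(subject, names, metadata_attrs, directory, session_store,
            metadata_only):
    """Return (released, refused) for one query.

    metadata_only=True  -> answer only attributes listed in the metadata.
    metadata_only=False -> also accept attributes not listed there.
    """
    released, refused = {}, []
    for name in names:
        if metadata_only and name not in metadata_attrs:
            refused.append(name)
            continue
        # User directories first, then the session store (dynamic attributes).
        value = directory.get(subject, {}).get(name)
        if value is None:
            value = session_store.get(subject, {}).get(name)
        if value is None:
            refused.append(name)
        else:
            released[name] = value
    return released, refused
```

Recording the `refused` list alongside the released attributes gives an audit trail of which SP asked for attributes outside the metadata.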
Copyright © 2014 CA.
All rights reserved.