
Federation Manager Windows Agent Use Case

A delegated authentication use case shows how the Federation Manager Windows Agent works. In this use case, Wilson Brothers department store wants to grant single sign-on access to employees of its supplier, Acme Sporting Goods, so that they can receive special discounts. Wilson Brothers and Acme Sporting Goods have an established federated partnership. Employees of Acme Sporting Goods log in at work with their Windows domain user name and password. When an employee then visits the Wilson Brothers Web site, the employee is authenticated through one of the Integrated Windows Authentication (IWA) protocols (Kerberos or NTLM) and is not prompted for credentials again: the browser presents the existing Windows logon context, so the employee never sees a login page at either site.

The following illustration shows the role of the Federation Manager Windows Agent in a federated partnership:

Illustration: AWA Use Case (the Federation Manager Windows Agent in a federated partnership)

The following process references the annotations in the preceding diagram:

  1. The user logs in to the web access management (WAM) system at Acme Sporting Goods with domain credentials. This logon establishes the Windows security context that the Agent validates later in the flow.
  2. The user opens a browser and navigates to the URL for Wilson Brothers department store, the relying party.

    Note: The browser cannot be on the same system where Federation Manager and the Federation Manager Windows Agent are installed.

  3. The relying party sends an authentication request to Federation Manager at the asserting party (Acme Sporting Goods). Federation Manager determines that delegated authentication is configured for this partnership.
  4. Federation Manager sends a request to the Agent to validate the security context for this user.
  5. The Agent extracts the validated information.
  6. The Agent sets the user information into an open format cookie.
  7. The Agent sends the cookie to Federation Manager.
  8. Federation Manager extracts the user information and sends a SAML assertion to the relying party.

The user is granted single sign-on access to the Wilson Brothers site. Note that the relying party never sees the user's Windows credentials: it trusts the SAML assertion, and Federation Manager builds that assertion from the user information the Agent validated and handed over in the cookie. The Agent-to-Federation Manager handoff is therefore part of the trust chain and must be protected as carefully as the assertion itself.
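To make steps 3 through 8 concrete, here is an added model of the handoff in Python. It is illustrative code written for this page, not code from CA's Federation Manager or the Windows Agent: the real open format cookie's layout and protection are product details that are not reproduced here, so the model stands in an HMAC over a base64-encoded JSON body with a short lifetime. The shared key, the security-context record the Agent receives, the cookie and assertion lifetimes, the issuer and relying-party URLs, and all function names are assumptions, and the SAML assertion is an unsigned skeleton.

```python
"""Model of the delegated-authentication handoff (added illustration, not CA code)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumption: a secret provisioned out of band and shared by the Agent and
# Federation Manager. The product's real cookie protection is not modelled.
SHARED_KEY = b"assumed-agent-to-fm-secret"
COOKIE_TTL = 60            # seconds the handoff cookie is accepted (assumption)
ASSERTION_LIFETIME = 300   # seconds the assertion stays valid (assumption)


def agent_validate_context(ctx: dict) -> dict:
    """Steps 4-5: stand-in for the Agent validating the Windows security context.

    `ctx` is a constructed record of what the IWA handshake established; the
    real Agent obtains this from Windows, not from a dict."""
    if not ctx.get("authenticated") or ctx.get("package") not in ("Kerberos", "NTLM"):
        raise PermissionError("no validated IWA security context")
    return {"domain": ctx["domain"], "user": ctx["user"], "method": ctx["package"]}


def agent_make_cookie(user_info: dict, issued_at: int, key: bytes = SHARED_KEY) -> str:
    """Steps 6-7: serialise the validated user information and MAC it."""
    payload = dict(user_info, iat=issued_at)
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def fm_verify_cookie(cookie: str, now: int, key: bytes = SHARED_KEY, ttl: int = COOKIE_TTL) -> dict:
    """Step 8, first half: Federation Manager extracts the user information
    only if the MAC matches and the cookie is still fresh."""
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        raise ValueError("malformed cookie")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("cookie MAC mismatch")          # tampered or wrong key
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now - payload["iat"] > ttl:
        raise ValueError("cookie expired")               # replayed too late
    return {k: v for k, v in payload.items() if k != "iat"}


def _iso(ts: int) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def fm_build_assertion(user_info: dict, issuer: str, audience: str, now: int) -> str:
    """Step 8, second half: a minimal SAML 2.0 assertion for the relying party.
    Signing is omitted here; a real deployment signs the assertion."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", ID="_" + uuid.uuid4().hex,
                   Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    name_id.text = f"{user_info['domain']}\\{user_info['user']}"
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions", NotBefore=_iso(now),
                         NotOnOrAfter=_iso(now + ASSERTION_LIFETIME))
    restriction = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML_NS}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AuthnStatement", AuthnInstant=_iso(now))
    authn_ctx = ET.SubElement(stmt, f"{{{SAML_NS}}}AuthnContext")
    ET.SubElement(authn_ctx, f"{{{SAML_NS}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
        if user_info.get("method") == "Kerberos"
        else "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")
    return ET.tostring(a, encoding="unicode")


def delegated_sso(security_context: dict, issuer: str, relying_party: str, now: int) -> str:
    """Steps 3-8 end to end: the Agent validates and hands off, Federation
    Manager verifies the handoff and issues the assertion."""
    user_info = agent_validate_context(security_context)
    cookie = agent_make_cookie(user_info, issued_at=now)
    verified = fm_verify_cookie(cookie, now=now)
    return fm_build_assertion(verified, issuer, relying_party, now)


if __name__ == "__main__":
    # Constructed security context for an Acme employee logged on via Kerberos.
    ctx = {"authenticated": True, "package": "Kerberos", "domain": "ACME", "user": "jdoe"}
    print(delegated_sso(ctx, "https://idp.acme.example/fm",
                        "https://www.wilsonbros.example/sp", int(time.time())))
```

The two checks in `fm_verify_cookie` are the point of the model: a cookie whose body has been altered, or one presented after its lifetime, is refused before any user information is extracted, so the assertion in step 8 is only ever built from data the Agent actually validated.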