Remote Provisioning

Remote provisioning employs a third-party provisioning application to create a new user account and then pass the necessary information back to Federation Manager. Federation Manager uses the data to create a user credential.

The following figure shows how a remote provisioning setup can be configured.

Figure: provisioning a user account at the relying party

The high-level provisioning process is as follows:

  1. Federation Manager at the relying party receives a request for a resource along with an assertion; however, the user cannot be found in the user directory.
  2. With provisioning enabled, Federation Manager processes an active response containing assertion data and generates a cookie (legacy or open format) with the assertion data. Additionally, a cookie that keeps state is generated to indicate a provisioning request is in place.
  3. Federation Manager redirects the browser with cookies or headers to a provisioning application.
  4. The provisioning application typically prompts the user to log in. After logging in, the application reads the Federation Manager cookie or the headers and uses the assertion data and the login credentials to establish a user account.
  5. The user is sent back to Federation Manager, which examines the state cookie to verify that the user has been provisioned. A credential is created and passed to the authentication scheme.
  6. Federation Manager attempts user disambiguation a second time. Assuming provisioning is successful, the user is authenticated and cookies or headers are sent to the target application.

    The data delivery method to the target application is defined by the redirect mode you select for the target application.

  7. The user is redirected to the target resource.
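The following model walks the seven steps above as one round trip through the relying party. It is an added illustration, not Federation Manager code: the cookie layout, the HMAC signing, the in-memory user directory, the `STATE_KEY`, and the three provisioning applications (`honest_`, `silent_` and `forged_provisioning_app`) are all hypothetical stand-ins. What it shows is the part a reviewer should check in a real deployment: the state cookie that records "provisioning is in progress" must be integrity-protected, bound to the one assertion it was issued for, and time-limited, and the relying party must run disambiguation a second time against its own directory (step 6) rather than take the provisioning application's word that an account now exists.

```python
"""Model of the remote-provisioning round trip (added example, not CA code)."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical relying-party secret; a real deployment would use a managed key.
STATE_KEY = b"constructed-demo-key-not-for-production"


def _sign(body: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(STATE_KEY, body, hashlib.sha256).digest()).decode()


def make_state_cookie(assertion: dict, ttl: int = 300, now: Optional[float] = None) -> str:
    """Step 2: record that provisioning is in progress for exactly this assertion."""
    now = time.time() if now is None else now
    body = json.dumps({"assertion_id": assertion["id"], "nameid": assertion["nameid"],
                       "target": assertion["target"], "exp": int(now) + ttl},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_state_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 5: accept the state only if the MAC verifies and it has not expired."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    state = json.loads(body)
    return None if state["exp"] < now else state


def disambiguate(directory: Dict[str, dict], assertion: dict) -> Optional[dict]:
    """Look the asserted NameID up in the relying party's user directory."""
    return directory.get(assertion["nameid"])


def rp_handle_request(directory, assertion, provisioning_app, now=None) -> dict:
    """Steps 1-7 as seen by the relying party."""
    user = disambiguate(directory, assertion)                       # step 1
    if user is not None:
        return {"outcome": "authenticated", "user": user, "redirect": assertion["target"]}
    state_cookie = make_state_cookie(assertion, now=now)            # step 2
    # Steps 3-4: the browser carries the cookies to the provisioning application,
    # which logs the user in locally, creates the account, and sends the browser
    # back; whatever cookie the browser presents on return is what we get to see.
    returned_cookie = provisioning_app(directory, assertion, state_cookie)
    state = verify_state_cookie(returned_cookie, now=now)           # step 5
    if state is None or state["assertion_id"] != assertion["id"]:
        return {"outcome": "rejected", "reason": "bad or stale provisioning state"}
    user = disambiguate(directory, assertion)                       # step 6
    if user is None:
        return {"outcome": "rejected", "reason": "provisioning did not create the user"}
    return {"outcome": "authenticated", "user": user, "redirect": state["target"]}  # step 7


def honest_provisioning_app(directory, assertion, state_cookie):
    """Hypothetical app: local login succeeded, account created from the assertion data."""
    directory[assertion["nameid"]] = {"email": assertion["attrs"]["email"], "local_login": "alice"}
    return state_cookie


def silent_provisioning_app(directory, assertion, state_cookie):
    """Sends the user back without creating anything; step 6 must catch this."""
    return state_cookie


def forged_provisioning_app(directory, assertion, state_cookie):
    """Rewrites the state body to another assertion id but keeps the old MAC; step 5 must catch this."""
    b64, sig = state_cookie.split(".", 1)
    body = json.loads(base64.urlsafe_b64decode(b64))
    body["assertion_id"] = "forged"
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode() + "." + sig


# Constructed sample assertion data, as the RP would have extracted it from the response.
SAMPLE_ASSERTION = {"id": "_a1", "nameid": "alice@idp.example", "target": "/payroll",
                    "attrs": {"email": "alice@example.com"}}

if __name__ == "__main__":
    for app in (honest_provisioning_app, silent_provisioning_app, forged_provisioning_app):
        print(app.__name__, rp_handle_request({}, SAMPLE_ASSERTION, app))
```

The target resource is carried inside the signed state rather than taken from a request parameter on return, so the final redirect (step 7) cannot be steered to a different URL than the one the original request asked for.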


Copyright © 2010 CA. All rights reserved.