Programmerless federation is an HTTP-based approach that lets applications securely authenticate users, disambiguate user identities, and inspect and modify SAML assertions. Its advantage is that applications can accomplish these tasks without having to use a language-specific SDK or other bindings.
Programmerless federation relies on HTTP/HTTPS requests and responses. These requests and responses are accessible through URLs and HTML-based protocols using web services that are an implementation of Representational State Transfer (REST) system architecture.
Any application that can issue HTTP requests, read HTTP responses, and parse XML can take advantage of the Federation Manager programmerless functionality.
An essential part of programmerless federation is its ability to secure the exchange of data. To secure data, Federation Manager uses an open format cookie: a well-defined cookie format that supports strong encryption algorithms. The encrypted cookie protects the response to a request between Federation Manager and local or remote applications. Those applications can be written in any programming language that supports the same encryption and decryption algorithms that the open format cookie uses, such as Perl or Ruby.
Federation Manager SDKs also support the open format cookie, allowing a mix of applications.
The following Federation Manager features implement the programmerless federation model:
Delegated authentication lets Federation Manager use a third-party web access management (WAM) system to perform the authentication of any user who requests a protected federated resource. The third-party WAM performs the authentication and then sends the federated user identity to Federation Manager.
Communication for delegated authentication is handled by HTTP/HTTPS requests and responses.
Provisioning is the process of creating client accounts with the necessary account rights and access privileges for accessing data and applications. Federation Manager provisioning can establish a new account for a user, or populate an existing user account with information sent in a SAML assertion.
Remote provisioning is one of the Federation Manager provisioning methods. Remote provisioning uses an independent provisioning application to establish a user record. To pass assertion data, Federation Manager creates an encrypted cookie containing the data. This cookie is sent to the remote provisioning application, which is responsible for creating the user account.
Communication for provisioning is handled by HTTP/HTTPS requests and responses.
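The cookie exchange described above, as an added example that is not part of the original documentation and not CA's code: a Ruby sketch of both sides of the remote provisioning hand-off, where Federation Manager seals assertion attributes into an encrypted and authenticated cookie and the remote provisioning application verifies the cookie before creating an account. The cookie layout, the attribute names, the `exp` field and the placeholder shared key are all assumptions made for illustration; they are not the real open format cookie.

```ruby
require 'openssl'

# Constructed, hypothetical cookie layout for illustration only; it is NOT Federation
# Manager's real open format cookie. cookie = base64( iv(12) || tag(16) || ciphertext ),
# ciphertext = AES-256-GCM over "name=value" lines, one attribute per line.
PURPOSE    = 'fm-remote-provisioning-v1'          # bound as GCM associated data
COOKIE_TTL = 300                                   # seconds an assertion cookie stays valid
# Placeholder shared secret; in practice both sides hold the same 32-byte key out of band.
KEY = OpenSSL::Digest::SHA256.digest('placeholder-shared-secret')

# Federation Manager side: wrap assertion attributes in an encrypted, authenticated cookie.
def seal_cookie(key, attrs, now = Time.now.to_i)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                            # fresh 12-byte nonce per cookie
  cipher.auth_data = PURPOSE
  lines = attrs.merge('exp' => (now + COOKIE_TTL).to_s).map { |k, v| "#{k}=#{v}" }
  ct = cipher.update(lines.join("\n")) + cipher.final
  [iv + cipher.auth_tag + ct].pack('m0')           # strict base64, no line breaks
end

# Remote application side: decrypt, verify the GCM tag and the expiry, then parse attributes.
# Returns nil for anything that is not a fresh, untampered cookie sealed under this key.
def open_cookie(key, cookie, now = Time.now.to_i)
  raw = cookie.unpack1('m0')                       # strict decode; raises on bad base64
  return nil if raw.bytesize <= 28                 # must hold iv, tag and some ciphertext
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = PURPOSE
  payload = cipher.update(raw[28..]) + cipher.final   # raises CipherError if the tag fails
  attrs = payload.split("\n").to_h { |line| line.split('=', 2) }  # '=' allowed in values
  return nil if attrs['exp'].nil? || attrs['exp'].to_i < now
  attrs
rescue OpenSSL::Cipher::CipherError, ArgumentError # bad tag, wrong key, bad base64, bad lines
  nil
end

# The provisioning step proper: create a record only when the required attributes are present.
def provision_from_cookie(key, cookie, now = Time.now.to_i)
  attrs = open_cookie(key, cookie, now)
  return nil unless attrs && attrs['uid'] && attrs['email']
  { login: attrs['uid'], mail: attrs['email'] }   # stand-in for the account store write
end
```

The point of the authenticated mode is that a cookie altered in transit, sealed under a different key, or replayed after its `exp` time is rejected before any account is created.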
Copyright © 2010 CA. All rights reserved.