Configuration GuidesFederation Security Services GuideConfigure SOA Security Manager as a SAML 2.0 Service ProviderSAML 2.0 Authentication Scheme Overview › SAML Authentication Request Process

Previous Topic: SAML 2.0 Authentication Scheme Overview

Next Topic: Configuration Tasks for SAML 2.0 Authentication
SAML Authentication Request Process

The following illustration shows how the SAML 2.0 authentication scheme processes requests.

SAML 2.0 Authentication Request Process Flow

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the SiteMinder Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

The functional flow for authentication is as follows:

  1. A user makes a request for a Service Provider resource. This request goes to the AuthnRequest service at the Service Provider. The request is then redirected to the Identity Provider to obtain a SAML assertion.
  2. The Identity Provider returns a response to the Service Provider.

    For HTTP-POST binding, the response contains the assertion. For the HTTP-Artifact binding, the response contains a SAML artifact.

  3. The Assertion Consumer Service at the Service Provider receives the response message and determines whether the POST or Artifact binding is being used.

    If the artifact binding is used, the Assertion Consumer Service sends the artifact to the Identity Provider to obtain a response that contains the assertion. The Assertion Consumer Service sends the response with the assertion as credentials to the Policy Server.

  4. The Policy Server invokes the SAML 2.0 authentication scheme by passing the response message with the user credentials to the scheme to be authenticated.
  5. The user disambiguation process begins.
  6. After the disambiguation phase is complete, the SAML 2.0 authentication scheme validates the credentials in the assertion. The scheme also validates the assertion for time validity, and, if applicable, verifies that a trusted Identity Provider signed the assertion.

    Note: For the POST binding, a signature is required. If a signature is not present, authentication fails. For the Artifact binding, a signed assertion is optional because the assertion is obtained over a secure channel between the Service Provider and Identity Provider.

    If single logout is enabled, the SLO servlet redirects the user to a No Access URL.

More Information:

Configure User Disambiguation for User Look Ups