Solution 1 Using SAML 2.0 Artifact Authentication

In this example, smcompany.com is acting as the Identity Provider. When an employee of smcompany.com accesses an employee portal at www.smcompany.com, the sequence of events is as follows:

  1. The Web Agent provides the initial authentication. Because the flow starts when the user clicks a link at the Identity Provider, rather than with a request from the Service Provider, the resulting response is referred to as an unsolicited response at the Identity Provider.
  2. When the employee clicks a link at www.smcompany.com to view the health benefits at ahealthco.com, the link makes a request to the Single Sign-on Service at www.smcompany.com.
  3. The single sign-on service calls the assertion generator, which creates a SAML assertion, inserts the assertion into the SiteMinder session server, and returns a SAML artifact.
  4. The Web Agent redirects the user to ahealthco.com with the SAML artifact, in accordance with the SAML browser artifact protocol.

Ahealthco.com is acting as the Service Provider. One of the components of the Service Provider is the Assertion Consumer Service. The Assertion Consumer Service handles the redirect request containing the SAML artifact.

The sequence of events is as follows:

  1. The Assertion Consumer Service calls the SAML 2.0 authentication scheme with HTTP-artifact binding to obtain the location of the artifact resolution service at smcompany.com.
  2. The Assertion Consumer Service calls the artifact resolution service at www.smcompany.com.
  3. The artifact resolution service at www.smcompany.com retrieves the assertion from the SiteMinder session server at smcompany.com and returns it to the Assertion Consumer Service at ahealthco.com.
  4. The Assertion Consumer Service then passes the assertion to the SAML 2.0 authentication scheme for validation and session creation and proceeds to issue a SiteMinder session cookie to the browser of the user.
  5. The user is allowed access to resources at ahealthco.com based on policies defined at the Policy Server at ahealthco.com and enforced by the Web Agent at ahealthco.com.

In this example, the administrator at smcompany.com uses the Policy Server User Interface to configure a Service Provider object for ahealthco.com. The Service Provider is configured with an attribute that is a unique ID for the user. This action causes the assertion generator to include that attribute as part of the user profile in a SAML assertion created for ahealthco.com.

The administrator at ahealthco.com uses the FSS Administrative UI to configure a SAML 2.0 authentication scheme that uses the artifact binding for smcompany.com. The authentication scheme specifies the location of the artifact resolution service at smcompany.com, how to extract the unique user ID from the SAML assertion, and how to search the user directory at ahealthco.com for the user record that matches the value extracted from the assertion.
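The artifact exchange between the two sites and the unique-ID lookup configured above, as an added example written for this page (it is not SiteMinder code). The entity IDs, the "uid" attribute name and the user directory are constructed assumptions; the artifact layout follows the SAML 2.0 type 0x0004 format, and the resolution service hands out each assertion only once so a replayed artifact fails.

```python
import base64, hashlib, secrets, time

IDP_ENTITY_ID = "https://www.smcompany.com/idp"   # assumed Identity Provider issuer
SP_ENTITY_ID = "https://www.ahealthco.com/sp"     # assumed Service Provider audience
USER_DIRECTORY = {"emp-1001": {"name": "Alice"}}  # constructed ahealthco.com user records


class IdentityProvider:
    """Single Sign-on Service and Artifact Resolution Service at smcompany.com."""

    def __init__(self):
        self.session_store = {}  # artifact -> assertion (stands in for the session server)
        self.source_id = hashlib.sha1(IDP_ENTITY_ID.encode()).digest()

    def single_sign_on(self, unique_user_id):
        # Assertion generator: include the unique ID attribute the SP is configured to use
        assertion = {"issuer": IDP_ENTITY_ID, "audience": SP_ENTITY_ID,
                     "not_on_or_after": time.time() + 300,
                     "attributes": {"uid": unique_user_id}}
        # SAML 2.0 artifact: TypeCode 0x0004 | EndpointIndex | SourceID (20 B) | MessageHandle (20 B)
        handle = secrets.token_bytes(20)
        artifact = base64.b64encode(b"\x00\x04\x00\x00" + self.source_id + handle).decode()
        self.session_store[artifact] = assertion
        return artifact  # only this opaque handle travels through the browser redirect

    def artifact_resolution_service(self, artifact):
        # Back-channel lookup; pop so a second resolution of the same artifact returns nothing
        return self.session_store.pop(artifact, None)


class ServiceProvider:
    """Assertion Consumer Service plus the SAML 2.0 artifact authentication scheme at ahealthco.com."""

    def __init__(self, idp):
        self.idp = idp  # the scheme knows the location of this IdP's resolution service
        self.expected_source_id = hashlib.sha1(IDP_ENTITY_ID.encode()).digest()

    def assertion_consumer_service(self, artifact):
        raw = base64.b64decode(artifact)
        # Reject artifacts that are malformed or that name an IdP this scheme is not configured for
        if len(raw) != 44 or raw[:2] != b"\x00\x04" or raw[4:24] != self.expected_source_id:
            return None
        assertion = self.idp.artifact_resolution_service(artifact)
        if assertion is None or assertion["issuer"] != IDP_ENTITY_ID:
            return None
        if assertion["audience"] != SP_ENTITY_ID or time.time() >= assertion["not_on_or_after"]:
            return None
        # Extract the unique ID and search the local user directory for the matching record
        uid = assertion["attributes"].get("uid")
        user = USER_DIRECTORY.get(uid)
        return None if user is None else {"session_for": uid, "user": user}
```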