
SAML 2.0 Affiliations

A SAML 2.0 affiliation consists of Service Providers and Identity Providers that have a shared Name ID namespace. Identity Providers also share the user disambiguation properties across the affiliation.

A SAML 2.0 affiliation can have multiple Service Providers and Identity Providers. However, a Service Provider or Identity Provider can belong to no more than one SAML 2.0 affiliation.

Example:

By sharing security assertions, a principal can log in at one site (the site acting as the Identity Provider), and then access resources at another site (the Service Provider) without explicitly supplying credentials at the second site:

  1. The user is a home buyer who authenticates at a realtor's web site.

    Any authentication scheme can be used to authenticate the user.

  2. While viewing real estate listings, the user notices a link to a bank with an attractive mortgage rate.
  3. The user clicks the link.
  4. At the realtor's site, an entity acting as the Identity Provider packages the user's information in a SAML assertion, then transports the assertion to the bank's site using the SAML 2.0 POST binding.
  5. At the bank's site, an entity acting as the Service Provider uses the SAML 2.0 Authentication scheme associated with the Identity Provider to validate the user for the resources on the bank's site.

    This validation occurs transparently to the user.

  6. If the user is successfully validated, the user is allowed on the bank's site to view the rate information.
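The shared Name ID namespace and the one-affiliation rule described above, together with the bank-side check in step 5, as an added Python example (not CA's or SiteMinder's code): it assumes standard SAML 2.0 metadata (AffiliationDescriptor / AffiliateMember) and the NameID SPNameQualifier attribute, and every entity ID in it is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed metadata (placeholder entity IDs): one affiliation, owned by the
# realtor's Identity Provider, whose members are the bank and one more Service Provider.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://affiliation.example/realty">
    <md:AffiliationDescriptor affiliationOwnerID="https://idp.realtor.example">
      <md:AffiliateMember>https://sp.bank.example</md:AffiliateMember>
      <md:AffiliateMember>https://sp.insurer.example</md:AffiliateMember>
    </md:AffiliationDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed NameID as it would arrive inside the assertion POSTed to the bank:
# NameQualifier is the issuing IdP, SPNameQualifier is the affiliation, not the bank.
NAMEID = (f'<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          f'Format="{PERSISTENT}" NameQualifier="https://idp.realtor.example" '
          'SPNameQualifier="https://affiliation.example/realty">b7a2e1f0-opaque</saml:NameID>')


def load_affiliations(xml_text):
    """Map each member entityID to its affiliation ID (the entityID of the enclosing
    EntityDescriptor); an entity listed in two affiliations is rejected."""
    members = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        aff = ed.find("md:AffiliationDescriptor", NS)
        if aff is None:
            continue
        for m in aff.findall("md:AffiliateMember", NS):
            eid = m.text.strip()
            if eid in members:
                raise ValueError(f"{eid} is a member of more than one affiliation")
            members[eid] = ed.get("entityID")
    return members


def nameid_key(nameid_xml, receiving_sp, members):
    """Key under which receiving_sp records this principal: an affiliation-qualified
    NameID is keyed by the affiliation, so every member SP sees the same identifier
    (the shared Name ID namespace); a NameID qualified by another affiliation is refused."""
    nid = ET.fromstring(nameid_xml)
    if nid.get("Format") != PERSISTENT:
        return None
    spq = nid.get("SPNameQualifier", receiving_sp)   # absent means: scoped to this SP
    if spq != receiving_sp and members.get(receiving_sp) != spq:
        return None
    return (spq, nid.get("NameQualifier"), nid.text.strip())
```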


Copyright © 2010 CA. All rights reserved. Email CA about this topic