
Flow Diagram for SSO Using SAML 1.x Artifact Authentication

The illustration that follows shows the detailed flow between a user's browser and the Federation Security Service components deployed at the producer and consumer sites. This set-up enables single sign-on between the sites. The SAML artifact profile is the authentication method, and the flow diagram assumes successful authentication and authorization at both the producer and consumer sites.

Note: This flow applies to examples that do not use the SAML Affiliate Agent.

The process flow diagram for SAML 1.x Artifact Authentication follows.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the SiteMinder Federation Web Services application functions. In the flow diagram, the Web Agent block would be the embedded Web Agent in the SPS federation gateway. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

The sequence of actions is as follows:

  1. The user makes an initial request to a protected page at the producer site.
  2. The Web Agent at the producer site responds with a 401 challenge to the user.
  3. The user submits credentials, such as user name and password, to the Web Agent.
  4. The Web Agent issues a SiteMinder SMSESSION cookie to the user's browser for the producer site domain.
  5. The user clicks a link to visit the consumer site. This link is referred to as the intersite transfer URL because it results in transferring the user to another site. The intersite transfer URL makes a request to the Web Agent at the producer site first. This URL contains the location of the SAML credential collector and the target URL to access at the consumer site.
  6. The Web Agent at the producer site handles the intersite transfer URL request by calling the assertion generator.
  7. The assertion generator generates a SAML assertion, places it in the SiteMinder session server and returns the SAML artifact for the assertion.
  8. The Web Agent responds with a 302 redirect to the SAML credential collector at the consumer with the SAML artifact and the target URL as query parameters.
  9. The user's browser makes a request to the SAML credential collector at the consumer site. This is known as the assertion consumer URL.
  10. The SAML credential collector handles the assertion consumer URL request by making an isProtected call to the SAML artifact authentication scheme.
  11. The SAML artifact authentication scheme returns the producer configuration information.
  12. The SAML credential collector uses the producer configuration information to make a SAML request to the assertion retrieval service at the producer. In this step, the SAML credential collector is acting as an HTTP client.
  13. The assertion retrieval service at the producer retrieves the SAML assertion from the session server and responds with a SAML response that contains the SAML assertion.
  14. The SAML credential collector makes a login call to the SAML artifact authentication scheme, passing the SAML assertion as credentials.
  15. The SAML artifact authentication scheme validates the SAML assertion. It looks up the user record for the user based on the user mapping information configured for the SAML authentication scheme, and returns a success reply. If the SAML assertion is not valid or a user record cannot be located, a failure is returned.
  16. If a success reply is returned, the SAML credential collector issues a SiteMinder SMSESSION cookie to the user's browser for the consumer site domain. It also issues a 302 redirect to the target URL. If a failure is returned from the SAML artifact authentication scheme, the SAML credential collector issues a 302 redirect to a no access URL.
  17. The user's browser makes a request to the target URL, which is protected by the Web Agent at the consumer.
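The following Python model walks through steps 6 to 16 above with both sites in one process. It is an added example written for this page, not CA SiteMinder code: the producer's assertion generator, session server and assertion retrieval service, and the consumer's SAML credential collector and artifact authentication scheme, are small classes whose method names and the host names, URLs, shared HMAC key (standing in for the XML signature) and user mapping are all constructed assumptions. What it shows that the list alone does not is why the artifact profile is safe to send through the browser: the artifact is only an unguessable handle (SAML 1.x type 1, a 2-byte type code, a 20-byte SourceID and a 20-byte handle), the assertion itself travels only over the back channel in step 12 to 13, the session server hands it out once, and the scheme rejects a bad signature, wrong issuer or recipient, an expired validity window or an unmapped user with a redirect to the no access URL.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values for the two sites; hosts, key and URLs are assumptions for this example.
PRODUCER_ISSUER = "https://producer.example.com"
CONSUMER_HOST = "consumer.example.com"
ASSERTION_CONSUMER_URL = f"https://{CONSUMER_HOST}/affwebservices/public/samlcc"
NO_ACCESS_URL = f"https://{CONSUMER_HOST}/noaccess.html"
SIGNING_KEY = b"constructed-demo-key"   # stands in for the producer's XML-signature key pair
ASSERTION_LIFETIME = 60                 # seconds the assertion stays valid


def make_artifact(source_id: bytes, handle: bytes) -> str:
    """SAML 1.x type-1 artifact: TypeCode 0x0001 + 20-byte SourceID + 20-byte AssertionHandle."""
    return base64.b64encode(b"\x00\x01" + source_id + handle).decode()


def parse_artifact(artifact: str) -> tuple:
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a SAML 1.x type-1 artifact")
    return raw[2:22], raw[22:]


def sign(assertion: dict) -> str:
    """HMAC over the canonical assertion (simplification of the XML signature)."""
    return hmac.new(SIGNING_KEY, json.dumps(assertion, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Producer:
    """Assertion generator, session server and assertion retrieval service at the producer site."""

    def __init__(self):
        self.source_id = hashlib.sha1(PRODUCER_ISSUER.encode()).digest()
        self.session_server = {}   # assertion handle -> signed assertion

    def intersite_transfer(self, user: str, target: str) -> dict:
        # Steps 6-8: build the assertion, keep it server-side, redirect with only the artifact.
        now = int(time.time())
        assertion = {"Issuer": PRODUCER_ISSUER, "NameIdentifier": user, "Recipient": ASSERTION_CONSUMER_URL,
                     "NotBefore": now, "NotOnOrAfter": now + ASSERTION_LIFETIME}
        handle = secrets.token_bytes(20)   # unguessable; the artifact carries no assertion data
        self.session_server[handle] = {"assertion": assertion, "signature": sign(assertion)}
        query = urlencode({"SAMLart": make_artifact(self.source_id, handle), "TARGET": target})
        return {"status": 302, "Location": f"{ASSERTION_CONSUMER_URL}?{query}"}

    def assertion_retrieval_service(self, saml_request: dict) -> dict:
        # Step 13: back-channel lookup; pop() makes each artifact single-use.
        _, handle = parse_artifact(saml_request["AssertionArtifact"])
        return {"SAMLResponse": self.session_server.pop(handle, None)}


class Consumer:
    """SAML credential collector plus the SAML artifact authentication scheme at the consumer site."""

    def __init__(self, producers: list, user_mapping: dict):
        self.producer_config = {p.source_id: p for p in producers}   # what isProtected returns (step 11)
        self.user_mapping = user_mapping                              # NameIdentifier -> local user record

    def artifact_scheme_login(self, saml_response: dict):
        # Step 15: validate the assertion and map it to a local user; None means failure.
        if saml_response is None:
            return None
        assertion, signature = saml_response["assertion"], saml_response["signature"]
        if not hmac.compare_digest(signature, sign(assertion)):
            return None
        if assertion["Issuer"] != PRODUCER_ISSUER or assertion["Recipient"] != ASSERTION_CONSUMER_URL:
            return None
        if not assertion["NotBefore"] <= time.time() < assertion["NotOnOrAfter"]:
            return None
        return self.user_mapping.get(assertion["NameIdentifier"])

    def credential_collector(self, query: dict) -> dict:
        # Steps 10-16: every failure path ends at the no access URL.
        no_access = {"status": 302, "Location": NO_ACCESS_URL}
        try:
            source_id, _ = parse_artifact(query["SAMLart"])
        except (KeyError, ValueError):
            return no_access
        producer = self.producer_config.get(source_id)
        if producer is None:
            return no_access
        response = producer.assertion_retrieval_service({"AssertionArtifact": query["SAMLart"]})  # step 12
        user = self.artifact_scheme_login(response["SAMLResponse"])                                # step 14
        if user is None:
            return no_access
        target = query.get("TARGET", "/")
        if urlsplit(target).netloc not in ("", CONSUMER_HOST):   # added check: keep the redirect on this site
            return no_access
        cookie = f"SMSESSION={secrets.token_urlsafe(24)}; Domain={CONSUMER_HOST}; Secure; HttpOnly"
        return {"status": 302, "Location": target, "Set-Cookie": cookie, "user": user}


def run_sso(user: str = "alice", target: str = f"https://{CONSUMER_HOST}/protected/app") -> dict:
    """Drive one intersite transfer and then replay the same artifact; returns both collector responses."""
    producer = Producer()
    consumer = Consumer([producer], {"alice": "uid=alice,ou=People,dc=consumer,dc=example,dc=com"})
    redirect = producer.intersite_transfer(user, target)                  # step 8
    query = dict(parse_qsl(urlsplit(redirect["Location"]).query))         # step 9: browser follows it
    return {"first": consumer.credential_collector(query), "replay": consumer.credential_collector(query)}


if __name__ == "__main__":
    print(json.dumps(run_sso(), indent=2))
```

The replay branch is the practical check: presenting the same artifact a second time returns the no access redirect because the session server already released the assertion, which is the behaviour a defender should verify on a real deployment before trusting the artifact in a browser-visible query string.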


Copyright © 2010 CA. All rights reserved.