Flow Diagram for SSO Using SAML 1.x POST Profile Authentication

The illustration that follows shows the detailed flow between a user's browser and the Federation Security Service components deployed at the producer and consumer sites. This setup enables single sign-on between the sites. The SAML POST profile is the authentication method, and the diagram assumes successful authentication and authorization at both the producer and consumer sites.

Note: This flow applies to examples that do not use the SAML Affiliate Agent.

The process flow diagram for SAML 1.x POST Profile follows.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the SiteMinder Federation Web Services application functions. In the flow diagram, the Web Agent block would be the embedded Web Agent in the SPS federation gateway. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

The sequence of events is as follows:

  1. User requests a local page at the producer, which is protected by the Web Agent.
  2. The Web Agent at the producer asks for user credentials.

    This flow diagram assumes that the resource is protected with basic authentication and that username and password are the required credentials.

  3. The user submits credentials.
  4. The Agent at the producer issues an SMSESSION cookie for the producer site domain and allows access to the local page.
  5. The user clicks a link on the producer's local page to visit the consumer. The link appears to go to the consumer site, but it actually points to the intersite transfer URL, which carries the affiliate name, the assertion consumer URL, and the target resource as query parameters.
  6. The Intersite Transfer Service makes an IsProtected call to the Policy Server for the resource. The URL contains the name query parameter that uniquely identifies the consumer.
  7. The Policy Server recognizes the request as a request for a SAML assertion, generates the assertion, and returns it to the intersite transfer URL service in a digitally signed SAML response message.
  8. The intersite transfer URL service generates an auto-POST form containing the encoded SAML response and the target URL as form variables and sends the form to the user's browser.
  9. The user's browser automatically posts the HTML form to the Assertion Consumer URL at the consumer site. This URL was read from the SAML response message sent by the intersite transfer URL service.
  10. The assertion consumer URL makes an IsProtected call to the SAML POST profile authentication scheme. The authentication scheme informs the assertion consumer what type of credentials are required.
  11. The assertion consumer URL makes a login call for the requested target resource to the SAML POST profile authentication scheme, passing the assertion as credentials.
  12. If login succeeds, the assertion consumer URL generates an SMSESSION cookie for the consumer site domain.
  13. The SMSESSION cookie is placed in the user's browser, and the assertion consumer URL redirects the user to the target resource.
  14. The browser requests the target resource, which is protected by the consumer site Web Agent. Because the browser has an SMSESSION cookie for the consumer domain, the Web Agent does not challenge the user.
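The exchange in steps 7 through 13, worked through in Python as an added example (this is not CA's code and not part of the original page): the producer builds a minimal SAML 1.1 Response and the auto-POST form of step 8, and the consumer side performs the checks it must make before it treats the posted assertion as credentials (step 11) and before it redirects to the target (step 13). The form field names SAMLResponse and TARGET are the ones the SAML 1.1 Browser/POST profile defines; the hostnames, paths, user name and clock are constructed sample values, and the ds:Signature element is a placeholder whose presence is checked, because real signature verification needs an XML-DSig library and the producer's certificate, neither of which the page describes.

```python
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Namespaces fixed by the SAML 1.x specifications.
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample values (hosts, paths, user, clock); none come from the page.
CONSUMER_HOST = "consumer.example.com"
CONSUMER_ACS_URL = "https://consumer.example.com/affwebservices/public/samlcc"
TARGET_URL = "https://consumer.example.com/protected/index.html"
NOW = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
# Placeholder for the XML signature the Policy Server would really produce.
SIG_PLACEHOLDER = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"

def build_saml11_response(issuer, subject, recipient, audience, now):
    """Step 7 (producer): a minimal SAML 1.1 Response with one assertion.
    Recipient names the assertion consumer URL the message is meant for."""
    e = html.escape
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" MajorVersion="1" MinorVersion="1" ResponseID="_resp1"
  IssueInstant="{now.strftime(TS)}" Recipient="{e(recipient)}">
  {SIG_PLACEHOLDER}
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
    Issuer="{e(issuer)}" IssueInstant="{now.strftime(TS)}">
    <saml:Conditions NotBefore="{(now - timedelta(seconds=60)).strftime(TS)}"
      NotOnOrAfter="{(now + timedelta(seconds=300)).strftime(TS)}">
      <saml:AudienceRestrictionCondition><saml:Audience>{e(audience)}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="{now.strftime(TS)}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>{e(subject)}</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

def encode_response(response_xml):
    """The POST profile carries the response base64-encoded (not deflated)."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")

def build_autopost_form(response_xml, acs_url, target):
    """Step 8: the self-submitting form returned to the browser. SAMLResponse
    and TARGET are the field names the SAML 1.1 Browser/POST profile defines."""
    return f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="{html.escape(acs_url)}">
<input type="hidden" name="SAMLResponse" value="{encode_response(response_xml)}"/>
<input type="hidden" name="TARGET" value="{html.escape(target)}"/>
<noscript><input type="submit" value="Continue"/></noscript>
</form></body></html>"""

def validate_posted_response(form, my_acs_url, my_audience, now):
    """Steps 10-11 (consumer): checks to make before accepting the posted
    assertion as credentials. Returns (True, subject) or (False, reason)."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"], validate=True))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a SAML 1.x Response"
    # Recipient binds the message to this ACS URL, so a response captured on
    # the way to one consumer cannot be replayed at another.
    if root.get("Recipient") != my_acs_url:
        return False, "Recipient mismatch"
    # The signature is what makes the assertion trustworthy; a real consumer
    # verifies it against the producer's certificate with an XML-DSig library.
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned response"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "non-success status"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no assertion or no conditions"
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return False, "assertion outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch"
    return True, assertion.find(".//saml:Subject/saml:NameIdentifier", NS).text

def target_is_local(target, consumer_host):
    """Step 13: redirect only to a target on the consumer's own host, so a
    tampered TARGET field cannot turn the ACS into an open redirector."""
    p = urlparse(target)
    return p.scheme == "https" and p.netloc == consumer_host

def demo():
    """Producer and consumer halves end to end; the browser's POST (step 9) is a dict."""
    xml = build_saml11_response("producer.example.com", "jdoe", CONSUMER_ACS_URL, CONSUMER_HOST, NOW)
    page = build_autopost_form(xml, CONSUMER_ACS_URL, TARGET_URL)  # sent to the browser
    form = {"SAMLResponse": encode_response(xml), "TARGET": TARGET_URL}  # what it posts back
    ok, subject = validate_posted_response(form, CONSUMER_ACS_URL, CONSUMER_HOST, NOW)
    return ok, subject, target_is_local(form["TARGET"], CONSUMER_HOST), len(page) > 0
```

The order of checks is deliberate: Recipient and signature are tested before anything inside the assertion is trusted, and the TARGET value is never used for the redirect until it is confirmed to point back at the consumer's own host. A production consumer also has to remember AssertionID values for the life of the validity window so that a captured form cannot be posted a second time.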


Copyright © 2010 CA. All rights reserved.