Federation Security Services GuideFederation Security Services OverviewSolutions for Federation Use CasesSolution 1: Single Sign-on based on Account Linking › Solution 1 Using SAML 2.0 Artifact Authentication

Previous Topic: Solution 1 Using SAML 1.x POST Profile

Next Topic: Solution 1 Using SAML 2.0 POST Binding
Solution 1 Using SAML 2.0 Artifact Authentication

In this example, smcompany.com is acting as the Identity Provider. When an employee of smcompany.com accesses an employee portal at www.smcompany.com, the sequence of events is as follows:

  1. The Web Agent provides the initial authentication. When the user clicks a link at the Identity Provider, this is referred to as an unsolicited response at the Identity Provider.
  2. When the employee clicks a link at www.smcompany.com to view her health benefits at ahealthco.com, the link makes a request to the Single Sign-on Service at www.smcompany.com.
  3. The single sign-on service calls the assertion generator, which creates a SAML assertion, inserts the assertion into the SiteMinder session server, and returns a SAML artifact.
  4. The Web Agent redirects the user to ahealthco.com with the SAML artifact, in accordance with the SAML browser artifact protocol.

Ahealthco.com is acting as the Service Provider. The redirect request with the SAML artifact is handled by the Assertion Consumer Service that is part of the Federation Web Services at ahealthco.com.

The sequence of events is as follows:

  1. The Assertion Consumer Service calls the SAML 2.0 authentication scheme with HTTP-artifact binding to obtain the location of the artifact resolution service at smcompany.com.
  2. The Assertion Consumer Service calls the artifact resolution service at www.smcompany.com.
  3. The artifact resolution service at www.smcompany.com retrieves the assertion from the SiteMinder session server at smcompany.com and returns it to the artifact resolution service at ahealthco.com.
  4. The Assertion Consumer Service then passes the assertion to the SAML 2.0 authentication scheme for validation and session creation and proceeds to issue a SiteMinder session cookie to the user's browser.
  5. At this point, the user is allowed access to resources at ahealthco.com based on policies defined at the Policy Server at ahealthco.com and enforced by the Web Agent at ahealthco.com.

In this example, the administrator at smcompany.com uses the Policy Server User Interface to configure a Service Provider object for ahealthco.com. The Service Provider is configured with an attribute that is a unique ID for the user. This causes the assertion generator to include that attribute as part of the user profile in a SAML assertion created for ahealthco.com.

The administrator at ahealthco.com uses the FSS Administrative UI to configure a SAML 2.0 authentication scheme that uses the artifact binding for smcompany.com. The authentication scheme specifies the location of the artifact resolution service at smcompany.com, how to extract the unique user ID from the SAML assertion, and how to search the user directory at ahealthco.com for the user record that matches the value extracted from the assertion.

Copyright © 2010 CA. All rights reserved. Email CA about this topic