Federation Security Services Guide › Federation Security Services Overview › Solutions for Federation Use Cases › Solution 1: Single Sign-on based on Account Linking › Solution 1 Using SAML 2.0 POST Binding

Solution 1 Using SAML 2.0 POST Binding

In this example, smcompany.com is acting as the Identity Provider. When an employee of smcompany.com accesses an employee portal at www.smcompany.com, the sequence of events is as follows:

1. The Web Agent provides the initial authentication. When the user clicks a link at the Identity Provider, this is referred to as an unsolicited response at the Identity Provider.
2. When the employee clicks a link at www.smcompany.com to view her health benefits at ahealthco.com, the link makes a request to the Single Sign-on Service at www.smcompany.com.
3. The Single Sign-on Service passes calls the assertion generator, which creates a SAML assertion and signs the SAML response.
4. The signed response is then placed in an auto-POST HTML form and sent to the user's browser.
5. The browser automatically POSTs a form to the Assertion Consumer URL at ahealthco.com. The form contains a SAML response as a form variable.

Ahealthco.com is acting as the Service Provider. The redirect request with the SAML response is handled by the Assertion Consumer Service, which is part of the Federation Web Services at ahealthco.com.

The sequence of events is as follows:

1. The Assertion Consumer Service calls for the requested target resource at ahealthco.com. This resource is protected by the SAML 2.0 authentication scheme using the HTTP-POST binding.
2. Because the SAML 2.0 authentication scheme is protecting the resource, the Assertion Consumer Service passes the digitally signed SAML response message as credentials, to the Policy Server at ahealthco.com.
3. The Policy Server verifies the signature and then authenticates the user using the SAML assertion embedded in the decoded SAML response message. Based on the assertion, the Policy Server lets the user log in.
4. After logging in, the Assertion Consumer Service creates an SMSESSION cookie, places it in the user's browser, and redirects the user to the target resource at ahealthco.com.
5. At this point the user is allowed access to resources at ahealthco.com based on policies defined at the Policy Server and enforced by the Web Agent at ahealthco.com.

In this example, the administrator at smcompany.com uses the Policy Server User Interface to configure a Service Provider object for ahealthco.com. The Service Provider is configured with an attribute that is a unique ID for the user. This causes the assertion generator to include that attribute as part of the user profile in a SAML assertion created for ahealthco.com.

The administrator at ahealthco.com uses the FSS Administrative UI to configure a SAML 2.0 authentication scheme with the HTTP-POST binding for smcompany.com. The authentication scheme specifies how to extract the unique user ID from the SAML assertion, and how to search the user directory at ahealthco.com for the user record that matches the value extracted from the assertion.