Solution 1 Using WS-Federation Passive Requestor Profile

In this example, smcompany.com is acting as the Account Partner. When an employee of smcompany.com accesses an employee portal at www.smcompany.com, the sequence of events is as follows:

  1. The user visits an unprotected site selection page at ahealthco.com.
  2. The user selects a link on that page that points to the Single Sign-on Service at the Account Partner, www.smcompany.com. The Web Agent provides the initial authentication.
  3. The Single Sign-on Service calls the WS-Federation Assertion Generator, which creates a SAML 1.1 assertion. It signs the assertion and wraps the assertion in a security token response message.
  4. The response is then placed in an auto-POST HTML form as a form variable and sent to the user's browser.
  5. The browser automatically POSTs a form to the Security Token Consumer Service URL at ahealthco.com.

Ahealthco.com is acting as the Resource Partner. The redirect request with the SAML response is handled by the Security Token Consumer Service, which is part of the Federation Web Services application.

The sequence of events is as follows:

  1. The Security Token Consumer Service calls for the requested target resource at ahealthco.com. This resource is protected by the WS-Federation authentication scheme.
  2. Because the WS-Federation authentication scheme is protecting the resource, the Security Token Consumer Service passes the signed assertion in the SAML response message as credentials to the Policy Server at ahealthco.com.
  3. The Policy Server verifies the signature and then authenticates the user using the SAML assertion embedded in the decoded SAML response message. Based on the assertion, the Policy Server lets the user log in.
  4. After logging in, the Security Token Consumer Service creates an SMSESSION cookie, places it in the user's browser, and redirects the user to the target resource at ahealthco.com.
  5. At this point the user is allowed access to resources at ahealthco.com based on policies defined at the Policy Server and enforced by the Web Agent at ahealthco.com.

In this example, the administrator at smcompany.com uses the Policy Server User Interface to configure a Resource Partner object for ahealthco.com. The Resource Partner is configured with an attribute that is a unique ID for the user. This causes the assertion generator to include that attribute as part of the user profile in a SAML assertion created for ahealthco.com.

The administrator at ahealthco.com uses the FSS Administrative UI to configure a WS-Federation authentication scheme for smcompany.com. The authentication scheme specifies how to extract the unique user ID from the SAML assertion, and how to search the user directory at ahealthco.com for the user record that matches the value extracted from the assertion.
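The Resource Partner side of this flow (the Security Token Consumer Service steps above, plus the unique-ID extraction and directory match just described), as an added example that is not CA's code: it parses the auto-POSTed wa/wresult form and, assuming the XML signature on the assertion has already been verified, checks the issuer, validity window and audience before mapping the configured unique-ID attribute to a directory record. Element names follow WS-Trust and SAML 1.1; the issuer, audience, attribute name, directory and sample response are constructed values.

```python
# Added example (not CA's code): Security Token Consumer checks after XML-DSig verification.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# Constructed Resource Partner settings for the Account Partner smcompany.com:
# trusted issuer, expected audience and the attribute carrying the unique user ID.
CONFIG = {"issuer": "www.smcompany.com", "audience": "https://ahealthco.com",
          "uid_attr": "employeeID"}
# Constructed user directory at ahealthco.com, keyed by that unique ID.
DIRECTORY = {"E1234": {"cn": "Alice Example", "role": "member"}}
# Constructed sign-in response, URL-encoded as the browser's auto-POST form sends it.
SAMPLE_FORM = "wa=wsignin1.0&wresult=" + quote(
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken><saml:Assertion Issuer="www.smcompany.com"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions'
    ' NotBefore="2010-05-01T12:00:00Z" NotOnOrAfter="2010-05-01T12:05:00Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>https://ahealthco.com</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement>'
    '<saml:Attribute AttributeName="employeeID"><saml:AttributeValue>E1234</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume(form_body, now):
    form = parse_qs(form_body)
    if form.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in response")
    assertion = ET.fromstring(form["wresult"][0]).find(".//saml:Assertion", NS)
    if assertion is None or assertion.get("Issuer") != CONFIG["issuer"]:
        raise ValueError("assertion missing or issuer not trusted")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if CONFIG["audience"] not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not intended for this Resource Partner")
    # Locate the configured unique-ID attribute and map it to a directory record.
    for attr in assertion.findall(".//saml:Attribute", NS):
        if attr.get("AttributeName") == CONFIG["uid_attr"]:
            uid = attr.findtext("saml:AttributeValue", namespaces=NS)
            break
    else:
        raise ValueError("unique ID attribute not present in assertion")
    user = DIRECTORY.get(uid)
    if user is None:
        raise ValueError("no directory record matches the asserted ID")
    return user
```

A real deployment would perform these checks only after validating the XML signature against the Account Partner's configured certificate; an expired or wrong-audience token is rejected before any directory lookup.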


Copyright © 2010 CA. All rights reserved.