Solution 7: Identity Provider Discovery Profile (SAML 2.0)
Solution 7 illustrates how SiteMinder Federation Security Services can be employed to solve Use Case 7: Identity Provider Discovery Profile.
In this solution:
- smcompany.com issues assertions for User 1 and has ahealthco.com configured as its Service Provider
- ahealthco.com is the Service Provider for smcompany.com and cacompany.com, and has a SAML 2.0 authentication scheme configured for each of these Identity Providers. This enables single sign-on.
- ahealthcoIPD.com is the Identity Provider Discovery Service for ahealthco.com. The Federation Web Services application, installed with the Web Agent Option Pack, provides the IPD service, which reads the common domain cookie listing all Identity Providers relevant to ahealthco.com.
- cacompany.com is another Identity Provider where users other than User 1 can log in.
The following illustration shows the SiteMinder federated network for this solution.
Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the SiteMinder Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.
The sequence of events is as follows:
- User 1 initially authenticates at smcompany.com and then signs on to ahealthco.com without having to reauthenticate.
  There is an existing agreement between smcompany.com and ahealthcoIPD.com to use ahealthcoIPD.com as the IPD service. During the initial authentication process, the Identity Provider URL of smcompany.com is written to the common domain cookie at the IPD service.
- User 1, now successfully logged on to ahealthco.com, can look at his health benefits.
- User 1 then comes to a site selection page at ahealthco.com. Because a common domain cookie is set for smcompany.com and ahealthco.com is configured to use the IPD service, ahealthco.com knows that the user previously logged in at smcompany.com. Therefore, ahealthco.com can make the appropriate links available so that the user can go back to smcompany.com to log in.
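As an added example that is not part of the SiteMinder documentation, the following Python models the two halves of the sequence above: the IPD service writing the common domain cookie at authentication time, and the Service Provider reading it to decide which Identity Provider links to show on the site selection page. The cookie format (a space-separated list of base64-encoded IdP entity IDs, most recent last) is taken from the SAML 2.0 Profiles specification; the entity IDs, function names and URL-encoding of the cookie value are assumptions made here.

```python
import base64
from urllib.parse import quote, unquote

# Entity IDs of the Identity Providers ahealthco.com (the SP) has a SAML 2.0
# authentication scheme for. These values are constructed for this example.
CONFIGURED_IDPS = {
    "https://smcompany.com/idp",
    "https://cacompany.com/idp",
}


def idp_cookie_parse(cookie_value: str) -> list:
    """Decode a common domain cookie value into a list of IdP entity IDs.

    Tokens that are not valid base64/UTF-8 are dropped: the cookie comes from
    the browser, so a malformed entry must not break the whole read.
    """
    ids = []
    for token in unquote(cookie_value).split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids


def idp_cookie_append(cookie_value: str, entity_id: str) -> str:
    """IPD-service side: record entity_id as the most recently used IdP.

    The spec keeps the most recent IdP last; re-appending an IdP that is
    already present moves it to the end instead of duplicating it.
    """
    ids = [i for i in idp_cookie_parse(cookie_value) if i != entity_id]
    ids.append(entity_id)
    encoded = " ".join(base64.b64encode(i.encode()).decode() for i in ids)
    # Spaces, '=' and '+' are not cookie-safe, so the value is URL-encoded.
    return quote(encoded, safe="")


def select_idp(cookie_value: str, configured=CONFIGURED_IDPS):
    """SP side: choose which IdP links to offer on the site selection page.

    Returns (most_recent, offered). Entity IDs the SP has no authentication
    scheme for are ignored, so the cookie alone cannot point the user at an
    IdP the SP does not trust.
    """
    offered = [i for i in idp_cookie_parse(cookie_value) if i in configured]
    most_recent = offered[-1] if offered else None
    return most_recent, offered
```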