At the consumer site, certain resources are designated as affiliate resources. A user can access an affiliate resource by selecting links at the producer or consumer site. When a user tries to access a protected affiliate resource, the SAML Affiliate Agent redirects the user’s browser back to the producer site. The producer authenticates the user and collects the user profile information.
When the producer-side Web Agent receives a request from the SAML Affiliate Agent, it first checks whether a session cookie for the user exists. This cookie is present if the user has an active SiteMinder session. If there is no session cookie, the Web Agent checks for an identity cookie. The identity cookie, a persistent cookie that stores the user’s identity, is present only if user tracking is enabled at the Policy Server.
If the user is authenticated at the producer before visiting the consumer, the Web Agent can create the session or identity cookie. If either cookie exists, the Web Agent sends the identity information to the Policy Server so it can gather specific user information, which is placed in an assertion and retrieved by the SAML Affiliate Agent at the consumer site.
Using information in the SAML assertion, the SAML Affiliate Agent creates local cookies in the browser and uses these cookies to maintain user and session information for its applications.
If neither the session cookie nor the identity cookie exists at the producer, the producer-side Web Agent challenges the user for credentials so that at least one of the cookies can be issued. If the user presents invalid credentials, the producer denies the user access.
If the user authenticates at the producer, but the producer redirects the user back to the consumer without a SAML artifact, the SAML Affiliate Agent denies the user access to the resource because the user is unknown. How the SAML Affiliate Agent handles unidentified users depends on how you configure the Agent.
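The decision flow described above, modeled as a small Python simulation. This is an added example, not CA SiteMinder code: the class and function names, the credential store, and the use of plain user names as cookie values are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

USERS = {"alice": "correct-horse"}  # constructed sample credential store

@dataclass
class Browser:
    session_cookie: Optional[str] = None   # active producer session
    identity_cookie: Optional[str] = None  # persistent; issued only with user tracking

def producer_identify(b: Browser, user_tracking: bool,
                      credentials: Optional[Tuple[str, str]] = None) -> Optional[str]:
    """Producer-side Web Agent: return the identity to assert, or None to deny."""
    if b.session_cookie:                 # 1. session cookie is checked first
        return b.session_cookie
    if b.identity_cookie:                # 2. then the identity cookie
        return b.identity_cookie
    if credentials is None:              # 3. neither cookie: the user is challenged
        return None
    user, password = credentials
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None                      # invalid credentials: access denied
    b.session_cookie = user              # at least one cookie is issued
    if user_tracking:                    # identity cookie only with user tracking
        b.identity_cookie = user
    return user

def consumer_access(b: Browser, user_tracking: bool,
                    credentials: Optional[Tuple[str, str]] = None,
                    artifact_returned: bool = True) -> Tuple[bool, str]:
    """SAML Affiliate Agent: decide on a protected affiliate resource."""
    identity = producer_identify(b, user_tracking, credentials)
    if identity is None:
        return (False, "producer denied access")
    if not artifact_returned:            # authenticated, but no SAML artifact came back
        return (False, "no SAML artifact: user unknown")
    return (True, identity)              # local cookies would be created from the assertion
```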
Copyright © 2011 CA. All rights reserved.