Scenario 1: User Visits Producer First

When the user visits the producer before going to the consumer, the producer and consumer communicate as follows:

[Figure: visit_portal_first]

The communication flow is as follows:

  1. The user authenticates at the producer site, and the Web Agent sets a cookie (session, identity or both) in the user’s browser.
  2. The user selects a protected resource at the consumer through a link at the producer.

    The SAML Affiliate Agent does not recognize the user because this is the user’s first visit to the consumer site.

  3. The SAML Affiliate Agent adds the SSLInterceptorURL and the target URL to the redirect URL, then redirects the request to the producer (specifically, to the PortalQueryURL) to retrieve user information.

    At the producer, the assertion generator creates a SAML assertion from response data sent by the Policy Server. The assertion is stored in a persistent session store. The assertion generator also creates a SAML artifact to identify the assertion, which is appended to the redirect URL sent to the consumer.

  4. The user is redirected back to the consumer, to the SSLInterceptorURL, with the artifact and the target URL.
  5. The Affiliate Server uses the artifact to request the assertion.
  6. The producer returns the assertion to the consumer.

    The SAML Affiliate Agent validates the assertion, produces a local session cookie, and sets headers based on information from the assertion.

  7. Finally, the user is directed to the originally requested target URL.

If the user returns to the consumer site for a second time, the SAML Affiliate Agent refers to the information in the local cookies. These cookies are transient; the information is only valid for the duration of the user’s browser session or for the period specified by the configured timeout value.
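As an added example, not code from the page or the product, the following Python model walks the seven steps above: the consumer builds the redirect carrying SSLInterceptorURL and TARGET, the producer stores the assertion under a freshly minted artifact, and the consumer dereferences the artifact over the back channel and validates the assertion before setting headers. The site URLs, the artifact parameter name, the header names, the assertion shape and the artifact lifetime are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed model of the producer/consumer artifact exchange described above.
# Parameter names SSLInterceptorURL, PortalQueryURL and TARGET follow the page;
# the URLs, assertion shape, header names and TTL are assumptions for illustration.
PORTAL_QUERY_URL = "https://producer.example/PortalQueryURL"
SSL_INTERCEPTOR_URL = "https://consumer.example/SSLInterceptorURL"
ARTIFACT_TTL = 60  # seconds an unresolved artifact stays valid (assumed)


class Producer:
    def __init__(self, clock=time.time):
        self.session_store = {}  # artifact -> (assertion, issued_at): the persistent session store
        self.clock = clock

    def portal_query(self, redirect_url, user):
        # Step 3: the assertion generator builds an assertion and mints an artifact for it.
        assertion = {"issuer": "producer", "subject": user["name"], "role": user["role"]}
        artifact = secrets.token_urlsafe(24)  # unguessable handle; the assertion itself never leaves the back channel
        self.session_store[artifact] = (assertion, self.clock())
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        # Step 4: send the browser back to the consumer's SSLInterceptorURL with artifact and target.
        return q["SSLInterceptorURL"] + "?" + urlencode({"SAMLart": artifact, "TARGET": q["TARGET"]})

    def resolve(self, artifact):
        # Steps 5-6: back-channel lookup; an artifact is single-use and expires after ARTIFACT_TTL.
        entry = self.session_store.pop(artifact, None)
        if entry is None or self.clock() - entry[1] > ARTIFACT_TTL:
            return None
        return entry[0]


class Consumer:
    def __init__(self, producer):
        self.producer = producer

    def first_visit_redirect(self, target):
        # Step 3: no local session exists yet, so redirect to the producer's PortalQueryURL.
        return PORTAL_QUERY_URL + "?" + urlencode({"SSLInterceptorURL": SSL_INTERCEPTOR_URL, "TARGET": target})

    def intercept(self, url):
        # Steps 4-7: dereference the artifact, validate the assertion, build the local session.
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        assertion = self.producer.resolve(q["SAMLart"])
        if assertion is None or assertion.get("issuer") != "producer":
            return None  # unknown, replayed or expired artifact, or wrong issuer: no session
        headers = {"X-User": assertion["subject"], "X-Role": assertion["role"]}  # assumed header names
        return {"headers": headers, "redirect_to": q["TARGET"]}
```

Replaying the same redirect URL a second time yields no session, because the artifact was consumed on the first resolution.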