B.7 SAML Service Provider Process Flow

The following illustration provides an example of the authentication process on the consumer side, when a user clicks a link at the SAML service provider (xyz.com) in order to begin an authentication session with an identity provider (such as abc.com). PP indicates a Personal Profile Service as defined by the Liberty specification.

Figure B-2 SAML Consumer Process Flow

  1. The user clicks a link at xyz.com.

    This generates a SAML assertion intended for the Identity Server at abc.com, which is the identity provider in an Access Manager configuration. After the SAML server generates the artifact, it sends the browser a redirect containing the artifact. The browser is redirected to the identity provider, which receives the artifact. The URL sent to the Identity Server looks something like: http://nidp.com/auth/afct?TARGET=http://abc.com/index.html&SAMLArtifact =<<artifact>>

  2. The Identity Server at abc.com receives the assertion.

    The assertion is sent to the Identity Server packaged in a SOAP envelope. In this example, the assertion contains the attributes lastname=Jones, and phonenumber=555-1212.

  3. The Identity Server determines which attributes to use when locating the user.

    The Identity Server must determine how to locate the user in the directory. When you created the SAML service provider reference for xyz.com, you specified which Liberty attributes should be used for this purpose. In this case, the you specified that PP:sn and PP:ph# should be used.

    1. The Identity Server processes the Liberty attribute map (see Section 12.9, Mapping LDAP and Liberty Attributes) to the SAML implementation-specific attributes (see Section 9.8, Selecting Attributes for a Trusted Provider).

      Because this SAML implementation must interoperate with other SAML implementations that probably do not use consistent attribute names, you can map the attributes used by each third-party SAML implementation to Liberty attributes on the Identity Server.

    2. The Identity Server receives implementation-specific SAML attribute names.

      The trusted service provider’s names for the Liberty PP:sn and PP:ph# attributes are returned. Using the attribute map, the Identity Server knows that the service provider’s names for these attributes are lastname and phonenumber, respectively.

    3. The Identity Server uses the PP service to lookup the values for the user’s PP:sn and PP:ph# attributes.

      The Identity Server now recognizes that the values for the user’s PP:sn and PP:ph# attributes are Jones and 555-1212, respectively. The user’s DN is returned to the Identity Server, and the user is authenticated.

  4. The user’s DN is returned to the Identity Server, and the user is authenticated.

  5. The user is redirected to the target resource at xyz.com.