SAML Service Provider Process Flow

The following is an example of the authentication process on the consumer side when a user clicks a link at the SAML service provider (xyz.com) to begin an authentication session with an identity provider (abc.com). PP indicates a Personal Profile Service as defined by the Liberty specification.

Figure 5-12 SAML Consumer Process Flow

  1. The user clicks a link at xyz.com.

    This generates a SAML assertion intended for Identity Server at abc.com, which is the identity provider in an Access Manager configuration, together with an artifact that references that assertion. The SAML server at xyz.com then sends the browser a redirect containing the artifact. The browser is redirected to the identity provider, which receives the artifact. The URL sent to Identity Server looks similar to the following:

    http://nidp.com/auth/afct?TARGET=http://abc.com/index.html&SAMLArtifact=<<artifact>>
  2. Identity Server at abc.com receives the assertion.

    The assertion is sent to Identity Server packaged in a SOAP envelope. In this example, the assertion contains the attributes lastname=Jones and phonenumber=555-1212.

  3. Identity Server determines which attributes to use when locating the user.

    Identity Server must determine how to locate a user in the directory. When you created the SAML service provider reference for xyz.com, you specified which Liberty attributes must be used for this purpose. In this case, you specified that PP: sn and PP: ph# must be used.

    1. Identity Server maps the Liberty attributes (see Mapping LDAP and Liberty Attributes) to the SAML implementation-specific attribute names (see Configuring the Attributes Obtained at Authentication).

      Because this SAML implementation must interoperate with other SAML implementations that probably do not use consistent attribute names, you can map the attributes used by each third-party SAML implementation to Liberty attributes on Identity Server.

    2. Identity Server receives implementation-specific SAML attribute names.

      The trusted service provider’s names for the Liberty PP: sn and PP: ph# attributes are returned. Using the attribute map, Identity Server knows that the service provider’s names for these attributes are lastname and phonenumber, respectively.

    3. Identity Server uses the PP service to look up the values of the user’s PP: sn and PP: ph# attributes.

      Identity Server now knows that the values of the user’s PP: sn and PP: ph# attributes are Jones and 555-1212, respectively, and uses them to locate the user in the directory.

  4. The user’s DN is returned to Identity Server and the user is authenticated.

  5. The user is redirected to the target resource at xyz.com.
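As an added example (not Access Manager or Identity Server code), the following Python models steps 2 through 4 of this flow: it reads the service provider's attribute names out of a constructed SAML 1.x assertion, translates them to the Liberty PP attributes through a hypothetical attribute map, and locates the user in a constructed stand-in for the PP service, refusing to authenticate when the attributes identify no user or more than one.

```python
import xml.etree.ElementTree as ET
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion carrying the two attributes from step 2.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML1_NS}">
  <AttributeStatement>
    <Attribute AttributeName="lastname"><AttributeValue>Jones</AttributeValue></Attribute>
    <Attribute AttributeName="phonenumber"><AttributeValue>555-1212</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Hypothetical attribute map from the xyz.com service provider reference:
# Liberty PP attribute -> the provider's own attribute name (step 3.2).
ATTRIBUTE_MAP = {"PP: sn": "lastname", "PP: ph#": "phonenumber"}

# Constructed stand-in for the PP service: user DN -> Liberty PP attributes.
DIRECTORY = {
    "cn=jjones,o=abc": {"PP: sn": "Jones", "PP: ph#": "555-1212"},
    "cn=bjones,o=abc": {"PP: sn": "Jones", "PP: ph#": "555-9999"},
}

def extract_attributes(assertion_xml):
    """Return {provider attribute name: value} from a SAML 1.x AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        value = attr.find(f"{{{SAML1_NS}}}AttributeValue")
        if value is not None and value.text:
            attrs[attr.get("AttributeName")] = value.text.strip()
    return attrs

def to_liberty(provider_attrs, attribute_map):
    """Steps 3.1-3.2: translate provider names to Liberty PP names. Every
    mapped attribute must be present, or the user lookup cannot run."""
    missing = [pp for pp, name in attribute_map.items() if name not in provider_attrs]
    if missing:
        raise ValueError(f"assertion lacks values for {missing}")
    return {pp: provider_attrs[name] for pp, name in attribute_map.items()}

def locate_user(liberty_attrs, directory):
    """Steps 3.3-4: the DN whose PP attributes all match, or None when the
    attributes identify no user or more than one (refuse to authenticate)."""
    matches = [dn for dn, stored in directory.items()
               if all(stored.get(k) == v for k, v in liberty_attrs.items())]
    return matches[0] if len(matches) == 1 else None

def authenticate(assertion_xml, attribute_map=ATTRIBUTE_MAP, directory=DIRECTORY):
    """Consumer-side flow: extract, map, locate; returns the user DN or None."""
    return locate_user(to_liberty(extract_attributes(assertion_xml), attribute_map), directory)
```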