Step 1: Accessing the Inter-Site Transfer Service
In step 1, the user's browser accesses the inter-site transfer service,
with information about the desired target at the destination site attached
to the URL.
http://<inter-site transfer host name and path>?TARGET=<Target>
Where:
<inter-site transfer host name and path>
This provides the host name, port number, and path components of an
inter-site transfer URL at the source site. In IS Server this is
<protocol>://<servername>:<port>/amserver/SAMLAwareServlet
TARGET=<Target>
This name-value pair occurs in the <searchpart> and conveys the desired
target resource at the destination site. Because the value arrives on the
browser's request, the source site should accept only targets that belong
to a configured partner rather than redirecting to an arbitrary URL.
Step 2: Redirecting to the Destination Site
In step 2, the source site's inter-site transfer service responds and
redirects the user's browser to the assertion consumer service at the destination
site.
http://<artifact receiver host name and path>?<SAML searchpart>
Where:
<artifact receiver host name and path>
This provides the host name, port number, and path components of an
artifact receiver URL associated with the assertion consumer service at
the destination site. In IS Server terms this is the Partner URL: the
URL of the partner with which SSO is being established, which receives
the artifact in the query string.
<SAML searchpart> = TARGET=<Target>&SAMLart=<SAML artifact>
Exactly one target description MUST be included in the <SAML searchpart>
component, together with at least one SAML artifact.
Step 3: Accessing the Artifact Receiver URL
In step 3, the user's browser follows the redirect issued in step 2 and
accesses the artifact receiver URL, with a SAML artifact representing the
user's authentication information attached to the URL. Note that this GET
is made by the browser, not by the source site: the artifact travels
through the user agent, so the receiver must treat it as untrusted input
until it has been dereferenced in steps 4 and 5.
The browser issues an HTTP GET to
http://<artifact receiver host name and path>?<SAML searchpart>
Where:
<artifact receiver host name and path>
This provides the host name, port number, and path components of an
artifact receiver URL associated with the assertion consumer service
at the destination site.
<SAML searchpart> = TARGET=<Target>&SAMLart=<SAML artifact>
Steps 4 and 5: Acquiring the Corresponding Assertions
In steps 4 and 5, the destination site, in effect, dereferences the
one or more SAML artifacts in its possession in order to acquire the SAML
authentication assertion that corresponds to each artifact.
These steps MUST utilize a SAML protocol binding for a SAML request-response
message exchange between the destination and source sites. The destination
site functions as a SAML requester and the source site functions as a SAML
responder.
The destination site MUST send a <samlp:Request> message to the source
site, requesting assertions by supplying the artifacts in
<samlp:AssertionArtifact> elements. The request is sent using SOAP over
HTTP(S) to the SOAP responder of the source site; in IS Server this is
<protocol>://<servername>:<port>/amserver/SAMLSOAPReceiver
The destination site locates this responder from the SourceID carried in
the artifact and should only dereference artifacts whose SourceID maps to
a configured partner. This exchange should run over TLS with the source
site authenticating the requesting destination site, and the source site
must treat each artifact as one-time use, returning the assertion for a
given artifact at most once.
Step 6: Responding to the User's Request for a Resource
In step 6, the user's browser is sent an HTTP response that either allows
or denies access to the desired resource.
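The six steps above, worked through in code. This is an added example written for this page, not IS Server's own code or any SAML library: it builds and parses type 0x0001 artifacts (2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded), builds the step 2 redirect and parses it at the step 3 artifact receiver, maps the SourceID to a partner's SOAP receiver, builds the step 4 <samlp:Request> carrying <samlp:AssertionArtifact>, and models the source site's one-time redemption. The host names, the partner table and the sample assertion string are assumptions for illustration; the artifact receiver path is hypothetical and not IS Server's.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ARTIFACT_TYPE_1 = b"\x00\x01"  # SAML 1.x artifact TypeCode 0x0001


def source_id_for(source_site_id: str) -> bytes:
    """SourceID: the 20-byte SHA-1 digest of the source site's identifier string."""
    return hashlib.sha1(source_site_id.encode("utf-8")).digest()


def make_artifact(source_id: bytes, assertion_handle: bytes) -> str:
    """Type 0x0001 artifact = TypeCode (2) || SourceID (20) || AssertionHandle (20), base64."""
    if len(source_id) != 20 or len(assertion_handle) != 20:
        raise ValueError("SourceID and AssertionHandle must each be 20 bytes")
    return base64.b64encode(ARTIFACT_TYPE_1 + source_id + assertion_handle).decode("ascii")


def parse_artifact(artifact: str):
    """Split an artifact into (SourceID, AssertionHandle); reject malformed or unknown-type values."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != ARTIFACT_TYPE_1:
        raise ValueError("not a type 0x0001 SAML artifact")
    return raw[2:22], raw[22:42]


def build_redirect_url(receiver_url: str, target: str, artifact: str) -> str:
    """Step 2: the Location the inter-site transfer service redirects the browser to.
    urlencode() escapes the '+', '/' and '=' that base64 artifacts and TARGET URLs contain."""
    return receiver_url + "?" + urlencode({"TARGET": target, "SAMLart": artifact})


def parse_receiver_request(url: str):
    """Step 3: the artifact receiver pulls TARGET and SAMLart out of the query string.
    Exactly one TARGET and at least one SAMLart must be present."""
    qs = parse_qs(urlsplit(url).query, strict_parsing=True)
    targets, artifacts = qs.get("TARGET", []), qs.get("SAMLart", [])
    if len(targets) != 1 or not artifacts:
        raise ValueError("exactly one TARGET and at least one SAMLart are required")
    return targets[0], artifacts


def soap_receiver_for(artifact: str, partners: dict) -> str:
    """Destination side: the SourceID selects a configured partner's SOAP receiver URL.
    An unknown SourceID is rejected instead of being dereferenced against an arbitrary host."""
    source_id, _ = parse_artifact(artifact)
    if source_id not in partners:
        raise ValueError("artifact from an unknown source site")
    return partners[source_id]


def build_artifact_request(artifacts, request_id: str, issue_instant: str) -> bytes:
    """Steps 4/5: SOAP envelope with <samlp:Request> holding one <samlp:AssertionArtifact> per artifact."""
    ET.register_namespace("SOAP-ENV", SOAP_NS)
    ET.register_namespace("samlp", SAMLP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP_NS}}}Request", MajorVersion="1", MinorVersion="1",
                        RequestID=request_id, IssueInstant=issue_instant)
    for art in artifacts:
        ET.SubElement(req, f"{{{SAMLP_NS}}}AssertionArtifact").text = art
    return ET.tostring(env, encoding="utf-8")


class ArtifactStore:
    """Source-site side: remembers which assertion each artifact stands for and
    hands it out exactly once, so a captured artifact cannot be redeemed twice."""

    def __init__(self, source_site_id: str):
        self.source_id = source_id_for(source_site_id)
        self._pending = {}

    def issue(self, assertion_xml: str) -> str:
        handle = secrets.token_bytes(20)  # unguessable AssertionHandle
        artifact = make_artifact(self.source_id, handle)
        self._pending[artifact] = assertion_xml
        return artifact

    def redeem(self, artifact: str):
        """Assertion on first use; None on any later attempt or for a foreign SourceID."""
        source_id, _ = parse_artifact(artifact)
        if source_id != self.source_id:
            return None
        return self._pending.pop(artifact, None)
```

The second call to redeem() for the same artifact returns None; that is the property that makes an artifact leaked from a browser history or proxy log useless once the legitimate destination has dereferenced it.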
(II) SSO using SAML Web Browser/POST profile
The web browser/POST profile of SAML allows authentication information
to be supplied to a destination site without the use of an artifact.
There are three parties involved in the browser/POST profile. They are:
Browser, Source Site, and Destination Site. The browser/POST profile consists
of a series of two interactions, the first between a user equipped with
a browser and a source site, and the second directly between the user and
the destination site. The following section elucidates the four steps involved
in browser/POST profile.
Step 1: Accessing the Inter-Site Transfer Service
The user's browser accesses the inter-site transfer service, with information
about the desired target at the destination site attached to the URL.
Step 2: Generating and Supplying the Response
The source site generates HTML form data containing a SAML Response
which contains an SSO assertion. The Response MUST be digitally signed
by the source site, since in this profile the assertion reaches the
destination through the user's browser rather than over a channel the
destination can authenticate.
Step 3: Posting the Form Containing the Response
The browser submits the form containing the SAML response to the destination
site.
Step 4: Responding to the User's Request for a Resource
The destination site verifies the signature on the Response, checks the
assertion's validity period and audience restriction, and rejects an
assertion it has already consumed; the user's browser is then sent an HTTP
response that either allows or denies access to the desired resource.
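The browser/POST profile steps above, as an added example that is not part of the original page or of IS Server: the source side builds the auto-submitting form of step 2 with the SAML Response base64-encoded in the SAMLResponse field, and the destination side performs the step 3/4 checks on what the browser posts (status, Recipient, exactly one assertion, NotBefore/NotOnOrAfter with clock skew, AudienceRestrictionCondition, bearer subject confirmation, and AssertionID replay). The Python standard library has no XML-DSig implementation, so the signature check is taken as a caller-supplied callable (one would wire in xmlsec or a similar library there); the sample Response, host names and clock values are constructed for illustration and carry no real signature.

```python
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"


def encode_for_form(response_xml: bytes) -> str:
    """SAMLResponse form field carries the Response base64-encoded."""
    return base64.b64encode(response_xml).decode("ascii")


def build_post_form(response_xml: bytes, target: str, consumer_url: str) -> str:
    """Step 2: the auto-submitting form the source site returns to the browser.
    consumer_url and TARGET are HTML-escaped so a crafted TARGET cannot break out of the attribute."""
    return (
        f'<form method="POST" action="{html.escape(consumer_url)}">'
        f'<input type="hidden" name="SAMLResponse" value="{encode_for_form(response_xml)}">'
        f'<input type="hidden" name="TARGET" value="{html.escape(target)}">'
        '<noscript><input type="submit" value="Continue"></noscript></form>'
        "<script>document.forms[0].submit();</script>"
    )


def parse_instant(value: str) -> datetime:
    """xsd:dateTime in UTC ('...Z'); spelled as '+00:00' so fromisoformat() accepts it on Python 3.7+."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class PostProfileVerifier:
    """Steps 3/4: destination-site checks on a posted SAMLResponse. verify_signature(raw_xml)
    is the caller's XML-DSig check; everything else the profile requires is done here."""

    def __init__(self, consumer_url, audience, verify_signature, skew=timedelta(seconds=60)):
        self.consumer_url = consumer_url
        self.audience = audience
        self.verify_signature = verify_signature
        self.skew = skew
        self.seen_assertion_ids = set()  # replay cache; bound it to the validity window in production

    def verify(self, saml_response_b64: str, now: datetime) -> str:
        raw = base64.b64decode(saml_response_b64, validate=True)
        if not self.verify_signature(raw):
            raise ValueError("<samlp:Response> signature did not verify")
        resp = ET.fromstring(raw)  # use defusedxml in production to resist entity-expansion payloads
        if resp.tag != f"{{{SAMLP}}}Response":
            raise ValueError("not a samlp:Response")
        if resp.get("Recipient") not in (None, self.consumer_url):
            raise ValueError("Recipient is not this assertion consumer service")
        code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        if code is None or not code.get("Value", "").endswith(":Success"):
            raise ValueError("response status is not Success")
        assertions = resp.findall(f"{{{SAML}}}Assertion")
        if len(assertions) != 1:
            raise ValueError("expected exactly one assertion")
        assertion = assertions[0]
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if cond is None:
            raise ValueError("assertion carries no Conditions")
        not_before = parse_instant(cond.get("NotBefore"))
        not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
        if now < not_before - self.skew or now >= not_on_or_after + self.skew:
            raise ValueError("assertion is outside its validity window")
        if self.audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
            raise ValueError("AudienceRestrictionCondition does not name this site")
        stmt = assertion.find(f"{{{SAML}}}AuthenticationStatement")
        if stmt is None or BEARER not in [m.text for m in stmt.iter(f"{{{SAML}}}ConfirmationMethod")]:
            raise ValueError("no bearer-confirmed AuthenticationStatement")
        assertion_id = assertion.get("AssertionID")
        if not assertion_id or assertion_id in self.seen_assertion_ids:
            raise ValueError("assertion missing AssertionID or already consumed (replay)")
        self.seen_assertion_ids.add(assertion_id)
        return stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text


def sample_response(assertion_id, not_before, not_on_or_after, audience, recipient) -> bytes:
    """Constructed sample shaped like a SAML 1.1 <samlp:Response>; it carries no real signature."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
  ResponseID="_r1" IssueInstant="{not_before}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{assertion_id}"
    Issuer="https://idp.example.com" IssueInstant="{not_before}">
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="{not_before}">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>""".encode("utf-8")
```

The order of checks matters: the signature is verified over the raw bytes before anything is parsed or trusted, and the AssertionID is recorded only after every other check has passed, so a rejected Response does not poison the replay cache for a later legitimate one.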