Figure 12–3 provides a high-level view of the process between the various components in the Web Services Stack. In this example:

- The web browser represents a user.
- The service provider also acts as a WSC, invoking a web service on behalf of the user. The service provider relies on the identity provider for authentication.
- The identity provider acts as an authentication provider by authenticating the user. It also acts as a trusted authority, issuing security tokens through the Discovery Service.
- The WSP serves requests from web services clients; in this example it hosts the Liberty Personal Profile Service.

The process assumes that the user, the identity provider, and the service provider have already been federated.

1. The user attempts to access a resource hosted on the service provider server.
2. The service provider redirects the user to the identity provider for authentication.
3. The identity provider authenticates the user successfully and sends the single sign-on assertion to the requesting service provider.
4. The service provider verifies the assertion and issues the user a session token.
5. The service provider redirects the user to the requested resource.
6. The user requests access to another service hosted on the WSC server. For example, that service might need the value of an attribute from the user’s Liberty Personal Profile Service.
7. The WSC sends a query to the Discovery Service to determine where the user’s Liberty Personal Profile Service instance is hosted. The WSC bootstraps the Discovery Service with the resource offering from the assertion obtained earlier.
8. The Discovery Service returns a response to the WSC containing the endpoint for the user’s Liberty Personal Profile Service instance and a security token that the WSC can use to access it.
9. The WSC sends a query to the Liberty Personal Profile Service instance. The query asks for the user’s personal profile attributes, such as the home phone number. The authentication mechanism specified in the Liberty Personal Profile Service resource offering must be followed.
10. The Liberty Personal Profile Service instance authenticates the user, the WSC, or both, and checks that the requested access is authorized.
11. If user interaction is required for some attributes, the Interaction Service is invoked to ask the user for consent or for attribute values. The Liberty Personal Profile Service instance returns a response to the WSC after collecting all required data.
12. The WSC processes the Liberty Personal Profile Service response and renders the service pages containing the information.
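The following is an added, simplified simulation of the web-services half of this flow (Discovery Service lookup, token issuance, Personal Profile query, and the consent check through the Interaction Service). It is not OpenSSO code and does not use the real SOAP/XML ID-WSF message formats: messages are plain dicts, the endpoint, user, resource identifiers and the shared HMAC key are constructed values, and the HMAC stands in for the trust relationship between the Discovery Service and the Personal Profile Service it issues tokens for. What it shows, beyond the prose, is which checks each side has to make for the flow to be safe: the Discovery Service honours only a bootstrap offering that came from its own unexpired assertion, and the Personal Profile Service rejects a token that is forged, expired, issued for a different endpoint, or presented by a WSC other than the one it was issued to, and withholds consent-protected attributes until the user has released them.

```python
"""Simplified simulation of the ID-WSF flow described on this page.

Added example, not OpenSSO code. Messages are plain dicts rather than the
real SOAP/XML ID-WSF schema; all identifiers below are constructed.
"""
import hashlib
import hmac
import json

DS_KEY = b"constructed-discovery-service-key"       # constructed shared secret
PP_ENDPOINT = "https://wsp.example.com/Liberty/pp"   # constructed PP endpoint
PP_TYPE = "urn:liberty:id-sis-pp:2003-08"            # ID-SIS-PP service type
NOW = 1_700_000_000                                   # fixed clock for the demo


def _sign(claims):
    """Discovery Service MAC over the canonicalised token claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(DS_KEY, body, hashlib.sha256).hexdigest()


def verify_token(token, audience, now=NOW):
    """WSP side: reject forged, expired, or wrong-audience tokens."""
    if not hmac.compare_digest(_sign(token["claims"]), token["mac"]):
        return None
    c = token["claims"]
    if c["aud"] != audience or c["exp"] <= now:
        return None
    return c


class DiscoveryService:
    """Resolves a bootstrap resource offering to an endpoint plus a security token."""

    def __init__(self, registry):
        self.registry = registry        # subject -> resource id at the PP instance

    def lookup(self, bootstrap, wsc_id, now=NOW):
        # The bootstrap offering came out of the SSO assertion; it is only
        # honoured if that assertion is ours, unexpired, and names this service type.
        if (bootstrap["issuer"] != "idp" or bootstrap["exp"] <= now
                or bootstrap["service"] != PP_TYPE):
            return {"status": "Failed"}
        subject = bootstrap["subject"]
        if subject not in self.registry:
            return {"status": "NoResults"}
        # Token is bound to the user, the resource, the PP endpoint and the WSC.
        claims = {"sub": subject, "res": self.registry[subject], "aud": PP_ENDPOINT,
                  "wsc": wsc_id, "exp": now + 300}
        return {"status": "OK", "endpoint": PP_ENDPOINT,
                "token": {"claims": claims, "mac": _sign(claims)}}


class PersonalProfileService:
    """Authenticates the caller, authorises the request, and consults the user if needed."""

    def __init__(self, profiles, consent_required):
        self.profiles = profiles                  # resource id -> attribute dict
        self.consent_required = consent_required  # attribute names needing consent
        self.consents = set()                     # (resource id, attribute) released

    def query(self, token, wsc_id, attributes, interaction_service, now=NOW):
        claims = verify_token(token, PP_ENDPOINT, now)
        if claims is None or claims["wsc"] != wsc_id:
            return {"status": "Failed", "reason": "authentication"}
        res = claims["res"]
        if res not in self.profiles:
            return {"status": "Failed", "reason": "unknown resource"}
        # Attributes the user has not yet released go through the Interaction
        # Service, which returns the subset the user consented to.
        pending = [a for a in attributes
                   if a in self.consent_required and (res, a) not in self.consents]
        if pending:
            for a in interaction_service(claims["sub"], wsc_id, pending):
                self.consents.add((res, a))
        data = {a: self.profiles[res][a] for a in attributes
                if a in self.profiles[res]
                and (a not in self.consent_required or (res, a) in self.consents)}
        return {"status": "OK", "data": data}


def wsc_fetch(ds, pp, bootstrap, wsc_id, attributes, interaction_service):
    """The WSC's view: resolve the PP instance, then query it with the issued token."""
    disco = ds.lookup(bootstrap, wsc_id)
    if disco["status"] != "OK":
        return disco
    return pp.query(disco["token"], wsc_id, attributes, interaction_service)


def demo_setup():
    """Constructed fixtures: one user, one attribute that needs consent."""
    ds = DiscoveryService({"alice": "pp-res-alice"})
    pp = PersonalProfileService(
        {"pp-res-alice": {"cn": "Alice", "homePhone": "+1 555 0100"}},
        consent_required={"homePhone"})
    bootstrap = {"issuer": "idp", "subject": "alice", "service": PP_TYPE,
                 "exp": NOW + 3600}
    return ds, pp, bootstrap


if __name__ == "__main__":
    ds, pp, bs = demo_setup()
    # First query: the user declines in the Interaction Service, so only "cn" is released.
    print(wsc_fetch(ds, pp, bs, "sp-wsc", ["cn", "homePhone"], lambda u, w, a: []))
    # Second query: the user consents, and homePhone is returned as well.
    print(wsc_fetch(ds, pp, bs, "sp-wsc", ["cn", "homePhone"], lambda u, w, a: list(a)))
```

The `interaction_service` argument models the Interaction Service as a callback that returns which of the pending attributes the user released; a real deployment would redirect the user's browser for that dialogue. Binding the token to both the endpoint (`aud`) and the requesting WSC (`wsc`) is what stops a token obtained for one Personal Profile query from being replayed against another WSP or by another client.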
For detailed information about all these components, see the Sun OpenSSO Enterprise 8.0 Administration Guide.