Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Discovery Service Process

The following figure provides a high-level overview of the interaction between parties in a web services environment using the Discovery Service. In this scenario, the identity provider hosts the Discovery Service. The process is defined in more detail after the figure.

Figure 7–2 Participants and Process of the Discovery Service

[Figure: process chart of the Discovery Service]

  1. The user logs in to a Liberty-enabled identity provider, is authenticated, and completes the introduction process, enabling single sign-on with other members of the authentication domain. More specifically, this is the process:

    1. Within a browser, the user types the URL for a Liberty-enabled service provider.

    2. The service provider collects the user’s credentials and redirects the information to the identity provider for authentication.

    3. If the credentials are verified, the user is authenticated.

    4. Assuming the identity provider is the center of an authentication domain, that provider will notify the authenticated user of the option to federate any local identities created with member organizations. The user would then accept or decline this invitation to federate. By accepting the invitation, the user will be given the option of federation to a member organization’s web site at each login. If the user accepts this option to federate, single sign-on is enabled.

  2. After authentication, the user now requests access to services hosted by another service provider in the authentication domain.

  3. The service provider sends a lookup query to the Discovery Service.

    The information a client uses to contact the Discovery Service is taken from the authentication statement.

  4. The Discovery Service returns a discovery lookup response to the service provider.

    The lookup response contains the resource offering (defining an association between a piece of identity data and the service instance that provides access to it) for the user’s Personal Profile Service.

  5. The service provider then sends a query (using the Data Services Template Specification) to the Personal Profile Service instance.

    The required authentication mechanism specified in the Personal Profile Service resource offering must be followed.

  6. The Personal Profile Service instance returns a Data Services Template response after collecting all required data.

    The Personal Profile Service authenticates the requester and validates authorization, policy, or both for the requested user and service provider. If user interaction is required for some attributes, the Interaction Service is invoked to ask the user for consent or for attribute values.

  7. The service provider processes the Personal Profile Service response and renders HTML pages based on the original request and user authorization.

    A user’s actual account information is not exchanged during federation. Thus, the identifier displayed on each provider site is based on the local identity profile.
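The following simulation walks through steps 3 to 7 above from the service provider's side: a lookup against a Discovery Service that answers only for a valid bootstrap token, a resource offering that names the required authentication mechanism, and a Personal Profile Service that releases attributes by policy and falls back to an interaction (consent) callback for the rest. It is an added example written for this page, not Access Manager code or a Liberty API; every class, endpoint, service type and security mechanism string in it is a constructed stand-in.

```python
from dataclasses import dataclass
import secrets

# Constructed identifiers for this simulation (not Liberty or Access Manager values).
PP_SERVICE_TYPE = "urn:example:personal-profile"
PP_SECURITY_MECH = "urn:example:security:bearer-token"


@dataclass(frozen=True)
class ResourceOffering:
    """Associates a user's identity data with the service instance that serves it."""
    service_type: str    # which kind of service (here: the personal profile service)
    endpoint: str        # where the SP sends its Data Services Template query
    resource_id: str     # opaque handle for this user's resource at that service
    security_mech: str   # authentication mechanism the service instance requires


@dataclass(frozen=True)
class AuthnStatement:
    """What the SP receives after SSO: enough to find and talk to the Discovery Service."""
    user_id: str
    discovery_endpoint: str
    bootstrap_token: str


class DiscoveryService:
    """Hosted by the identity provider; maps (user, service type) to resource offerings."""

    def __init__(self):
        self._offerings = {}   # (user_id, service_type) -> ResourceOffering
        self._tokens = {}      # bootstrap_token -> user_id, issued at login

    def register_offering(self, user_id, offering):
        self._offerings[(user_id, offering.service_type)] = offering

    def login(self, user_id):
        # Step 1: the authenticated user gets a statement that bootstraps discovery.
        token = secrets.token_hex(8)
        self._tokens[token] = user_id
        return AuthnStatement(user_id, "https://idp.example/disco", token)

    def lookup(self, bootstrap_token, service_type):
        # Steps 3-4: answer only for a valid token, and only with that user's offerings.
        user_id = self._tokens.get(bootstrap_token)
        if user_id is None:
            raise PermissionError("discovery lookup rejected: unknown bootstrap token")
        offering = self._offerings.get((user_id, service_type))
        return [offering] if offering else []


class PersonalProfileService:
    """Serves profile attributes, enforcing policy and asking the user about the rest."""

    def __init__(self, policy, ask_user):
        self._profiles = {}        # resource_id -> (user_id, {attribute: value})
        self._policy = policy      # (user_id, sp_id) -> attributes released without asking
        self._ask_user = ask_user  # Interaction Service stand-in: (user_id, sp_id, attr) -> bool

    def add_profile(self, resource_id, user_id, attributes):
        self._profiles[resource_id] = (user_id, dict(attributes))

    def query(self, security_mech, sp_id, resource_id, requested):
        # Step 5: refuse any query that does not use the mechanism the offering specified.
        if security_mech != PP_SECURITY_MECH:
            raise PermissionError("query rejected: required authentication mechanism not used")
        if resource_id not in self._profiles:
            raise KeyError("unknown resource")
        user_id, profile = self._profiles[resource_id]
        allowed = self._policy.get((user_id, sp_id), set())
        # Step 6: release what policy permits; invoke interaction for everything else.
        response = {}
        for attr in requested:
            if attr in allowed or self._ask_user(user_id, sp_id, attr):
                response[attr] = profile.get(attr)
        return response


def service_provider_flow(disco, pp, sp_id, statement, attributes):
    """Steps 3-7 from the service provider's side; returns the attributes it may render."""
    offerings = disco.lookup(statement.bootstrap_token, PP_SERVICE_TYPE)
    if not offerings:
        return {}
    offering = offerings[0]
    # The SP must use the mechanism named in the offering, not one of its own choosing.
    return pp.query(offering.security_mech, sp_id, offering.resource_id, attributes)


def build_demo():
    """Constructed fixtures: one user, one SP, a policy that releases only the display name."""
    disco = DiscoveryService()
    consent_log = []

    def ask_user(user_id, sp_id, attr):
        consent_log.append((user_id, sp_id, attr))
        return attr == "email"   # the user consents to email and refuses everything else

    pp = PersonalProfileService({("alice", "sp-travel"): {"display_name"}}, ask_user)
    pp.add_profile("res-alice", "alice",
                   {"display_name": "Alice", "email": "alice@example.test", "phone": "555-0100"})
    disco.register_offering("alice", ResourceOffering(
        PP_SERVICE_TYPE, "https://pp.example/dst", "res-alice", PP_SECURITY_MECH))
    return disco, pp, consent_log


if __name__ == "__main__":
    disco, pp, log = build_demo()
    stmt = disco.login("alice")
    print(service_provider_flow(disco, pp, "sp-travel", stmt, ["display_name", "email", "phone"]))
    print("interactions:", log)
```

Two points the simulation makes concrete: the Discovery Service never returns another user's offerings because the lookup is keyed by the bootstrap token issued at login, and the Personal Profile Service, not the service provider, decides which attributes leave it, so a provider that skips the required security mechanism or asks for more than policy allows gets a refusal or an empty field rather than data.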