Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Web Browser Artifact Profile

The Web Browser Artifact Profile defines the interaction between three parties: a user equipped with a web browser, an authority site, and a trusted partner site. The SOAP communication between the sites should be protected by either Basic Authentication or Client Certificate Authentication over SSL. Note that XML signing is a stronger alternative.

  1. When an authenticated user attempts to access a trusted partner (generally by clicking a link), the user is directed to a transfer service at the authority site.

    In Access Manager, the transfer service is SAMLAwareServlet. The base of the transfer service URL is http(s)://access-manager-host.domain:port/deploy-uri/SAMLAwareServlet. The URL is appended with the location to which the user is requesting access (?TARGET=URL-of-destination).

  2. SAMLAwareServlet receives the information and compares the SAML module’s list of Trusted Partners against the user’s TARGET location.

    Only targets that are configured in the Trusted Partners attribute of the SAML module are accessible. For more information about this attribute, see Trusted Partners.

  3. Assuming the TARGET location was found in the list of Trusted Partners, SAMLAwareServlet looks for and validates the session token from the inbound request.

    Without a valid session token, Access Manager will not create an assertion.

  4. Assuming a valid session token, SAMLAwareServlet creates an artifact and a corresponding assertion.

    An artifact is carried as part of the URL and points to an assertion and its source. The artifact itself is not, and does not contain, security information; the assertion contains the security information. For more information, see SiteAttributeMapper and PartnerSiteAttributeMapper Interfaces.

    Note – The need to send an artifact rather than the assertion itself is dictated by the restrictions on URL size that are imposed by many web browsers.

  5. SAMLAwareServlet redirects the user’s browser to the Artifact Receiver URL with a query string that contains the artifact and the original TARGET location.

    Note – In Access Manager, the Artifact Receiver URL and SAMLAwareServlet are the same. Other SAML implementations might not integrate the two functions.

  6. At the Artifact Receiver URL, the artifact is extracted from the query string to locate the SOAP Receiver URL at the trusted partner site.

    The SAML API extracts the source ID from the artifact and uses it to locate the SOAP Receiver URL at the trusted partner site. For more information about the use of SOAP, see SAML SOAP Receiver.

  7. A SOAP query that contains the artifact is sent to the SOAP Receiver URL at the trusted partner site, requesting the assertion to which the artifact points.

  8. The SOAP Receiver URL accepts the artifact query from the trusted partner site and responds by returning the corresponding assertion in a SOAP response.

  9. The assertion is processed, mapping the user account information from the trusted partner site to the target site’s user account.

    The user is either granted or denied access to the trusted partner site. If access is granted, an SSOToken is generated, a cookie is set in the browser, and the user is redirected to the TARGET location.
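The nine steps above can be traced end to end in a small simulation. The following Python is an added illustration written for this page, not Access Manager code: the transfer service, Artifact Receiver, SOAP receiver and account mapping are plain functions and in-memory dictionaries, all URLs, user names and the partner credential are constructed, and the shared credential stands in for Basic Authentication or Client Certificate Authentication over SSL. The artifact layout follows the SAML 1.x type-1 format (2-byte type code 0x0001, 20-byte SourceID computed as the SHA-1 of the issuing site's URL, 20-byte AssertionHandle), which the page itself does not spell out. The checks the page calls for are visible at each step: an unlisted TARGET is refused, a missing session token yields no assertion, and the assertion is handed out only over the authenticated SOAP channel; the example additionally consumes each artifact on first resolution, so a replayed artifact resolves to nothing.

```python
"""Simulation of the Web Browser Artifact Profile steps listed above (constructed example)."""
import base64
import hashlib
import os
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

TYPE_CODE = b"\x00\x01"  # SAML 1.x type-1 artifact: type code || 20-byte SourceID || 20-byte AssertionHandle


def source_id(site_url: str) -> bytes:
    """SAML 1.x derives the 20-byte SourceID as the SHA-1 of the issuing site's URL."""
    return hashlib.sha1(site_url.encode()).digest()


def make_artifact(src_id: bytes, handle: bytes) -> str:
    return base64.b64encode(TYPE_CODE + src_id + handle).decode()


def parse_artifact(artifact: str) -> tuple:
    """Return (source_id, assertion_handle); reject anything that is not a 42-byte type-1 artifact."""
    raw = base64.b64decode(artifact)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("malformed artifact")
    return raw[2:22], raw[22:]


class AuthoritySite:
    """Transfer service (the SAMLAwareServlet role) plus the SOAP receiver that resolves artifacts."""

    def __init__(self, url, trusted_targets, sessions, partner_credential):
        self.url = url
        self.src_id = source_id(url)
        self.trusted_targets = trusted_targets        # target host -> Artifact Receiver URL (Trusted Partners attribute)
        self.sessions = sessions                      # session token -> user name
        self.partner_credential = partner_credential  # stands in for Basic Auth / client cert over SSL (constructed)
        self.assertions = {}                          # assertion handle -> assertion, removed once resolved

    def transfer(self, target: str, session_token):
        """Steps 1-5: ?TARGET=... arrives; check trust, check session, mint artifact, redirect."""
        host = urlparse(target).netloc
        if host not in self.trusted_targets:           # step 2: only configured targets are reachable
            return "403", None
        user = self.sessions.get(session_token)
        if user is None:                               # step 3: no valid session token, no assertion
            return "401", None
        handle = os.urandom(20)                        # step 4: the artifact only points at the assertion
        self.assertions[handle] = {"id": uuid.uuid4().hex, "issuer": self.url, "subject": user}
        query = urlencode({"SAMLart": make_artifact(self.src_id, handle), "TARGET": target})
        return "302", f"{self.trusted_targets[host]}?{query}"   # step 5: redirect with artifact + TARGET

    def soap_receiver(self, artifact: str, credential: str):
        """Step 8: answer an authenticated artifact query with the assertion, once only."""
        if credential != self.partner_credential:
            return None
        src_id, handle = parse_artifact(artifact)
        if src_id != self.src_id:
            return None
        return self.assertions.pop(handle, None)       # a second resolution of the same artifact fails


class DestinationSite:
    """Artifact Receiver plus account mapping at the trusted partner site."""

    def __init__(self, soap_receivers, account_map, credential):
        self.soap_receivers = soap_receivers   # SourceID -> AuthoritySite (stands in for the SOAP Receiver URL lookup)
        self.account_map = account_map         # (issuer URL, remote user) -> local account
        self.credential = credential
        self.cookies = {}                      # SSOToken -> local account

    def artifact_receiver(self, redirect_url: str):
        """Steps 6-9: pull the artifact from the query string, resolve it over SOAP, map the account."""
        params = parse_qs(urlparse(redirect_url).query)
        artifact, target = params["SAMLart"][0], params["TARGET"][0]
        src_id, _ = parse_artifact(artifact)                       # step 6: source ID locates the SOAP receiver
        authority = self.soap_receivers.get(src_id)
        if authority is None:
            return "403", None, None
        assertion = authority.soap_receiver(artifact, self.credential)   # steps 7-8
        if assertion is None:
            return "403", None, None
        local = self.account_map.get((assertion["issuer"], assertion["subject"]))  # step 9: account mapping
        if local is None:
            return "403", None, None
        sso_token = os.urandom(16).hex()                            # SSOToken set as a cookie
        self.cookies[sso_token] = local
        return "302", target, sso_token


def build_sites():
    """Constructed deployment: one authority, one partner, one logged-in user (all names are made up)."""
    authority_url = "https://am.example.com/amserver"
    secret = "partner-basic-auth-secret"
    authority = AuthoritySite(authority_url,
                              trusted_targets={"partner.example.net": "https://partner.example.net/ArtifactReceiver"},
                              sessions={"tok-alice": "alice"}, partner_credential=secret)
    partner = DestinationSite(soap_receivers={source_id(authority_url): authority},
                              account_map={(authority_url, "alice"): "alice@partner"}, credential=secret)
    return authority, partner


def run_flow(authority, partner, target, session_token):
    """Drive the browser through the whole profile; returns (final status, final location, local account)."""
    status, redirect = authority.transfer(target, session_token)
    if status != "302":
        return status, None, None
    status, location, sso_token = partner.artifact_receiver(redirect)
    return status, location, partner.cookies.get(sso_token)
```

`run_flow(*build_sites(), "https://partner.example.net/app", "tok-alice")` returns a 302 to the original TARGET together with the mapped local account; swapping in an unlisted target or an unknown session token returns 403 or 401 respectively before any assertion is created.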

Figure 9–2 Web Browser Artifact Profile Interactions (figure not reproduced; it depicts the interactions in the Web Browser Artifact Profile)

A sample has been provided to test the Web Browser Artifact Profile function. See SAML Samples for more information.