OpenSSO Enterprise can be configured to use SAML v1.x to achieve interoperability between vendor platforms that provide SAML v1.x assertions. Assertions are issued by a SAML v1.x asserting authority (a platform or application that declares whether a subject has been authenticated into its system), and received by relying parties (partner sites defined by the authority as trusted). SAML v1.x authorities use different sources to configure the assertion information, including external data stores or assertions that have already been received and verified. SAML v1.x can be used to allow OpenSSO Enterprise to:
Authenticate users and access trusted partner sites without having to reauthenticate; in effect, single sign-on.
Act as a policy decision point (PDP), allowing external applications to access user authorization information for the purpose of granting or denying access to their resources. For example, employees of an organization can be allowed to order office supplies from suppliers if they are authorized to do so.
Act as both an attribute authority that allows trusted partner sites to query a subject’s attributes, and an authentication authority that allows trusted partner sites to query a subject’s authentication information.
Validate parties in different security domains for the purpose of performing business transactions.
Build Authentication, Authorization Decision, and Attribute Assertions using the SAML v1.x API.
Permit an XML-based digital signature signing and verifying functionality to be plugged in.
Although Liberty ID-FF (as described in Using the Liberty ID-FF) integrates aspects of the SAML v1.x specifications, its usage of SAML v1.x is independent of the SAML v1.x framework as described in this section.
Figure 11–4 illustrates how SAML v1.x interacts with the other components in OpenSSO Enterprise.