Sun Java System Access Manager 7 2005Q4 Technical Overview

Federation Management Protocols Flow

The following figure provides a high-level view of the system flow between various parties in a Liberty web services environment. A user agent, Service Provider, Identity Provider, and Personal Profile Service must be present in the environment. The figure and text illustrate the use of both Identity Federation Framework and Identity Federation Web Services Framework.

Figure 5–3 Identity Federation Protocols Flow

In this example, when a user logs into a circle of trust, the following events occur.

  1. The Service Provider initiates the AuthnRequest.

    The request uses a browser artifact profile to contact the Single Sign-On service at the Identity Provider.

  2. At the Identity Provider, the Single Sign-On service presents a login page to the user.

    The user enters credentials such as username and password.

  3. Upon successful authentication, at the Identity Provider the Single Sign-On service sends an artifact to the Assertion Consumer service at the Service Provider.

  4. The Identity Provider sends a SAML SOAP response to the Service Provider, with an authentication SAML assertion included in the response.

  5. The Service Provider verifies the XML assertion and completes the Single Sign-On process.

    The assertion contains an attribute statement containing the Discovery Service resource offering. The resource offering will be used as bootstrap information to invoke the Web Services Framework.

  6. The user’s browser, Service Provider and Identity Provider complete the Federation Single-Sign-On process.

    An assertion with an attribute statement containing the Discovery Service resource offering is included in the ID-FF AuthnResponse. This information can be used by any client to contact Discovery Service.

  7. The user’s browser requests access to services hosted on the Web Service Consumer.

    This requires contacting the user’s Personal Profile Service.

  8. The Web Service Consumer sends a discovery lookup query to the Discovery Service.

    The Web Service Consumer determines the user’s discovery resource offering from the bootstrap assertion obtained earlier, then sends a discovery lookup query to the Discovery Service to determine where the user’s Personal Profile instance is hosted.

  9. The Discovery service returns a discovery lookup response to the Web Service Consumer.

    The lookup response contains the resource offering for the user’s Personal Profile Service instance.

  10. The Web Service Consumer sends a web services query that uses the protocol defined by the DataServiceTemplate. The web services query goes to the SOAP end point of the Personal Profile Service instance.

    The query asks for the user’s personal profile attributes, such as home phone number. The required authentication mechanism specified in the Personal Profile Service resource offering must be followed.

  11. The Personal Profile Service instance authenticates the requesting user, the Web Service Consumer, or both, and validates authorization or policy for them.

    If user interaction is required for some attributes, the Interaction Service will be invoked to query the user for consents or for attribute values. The Personal Profile Service instance returns a Data Services Template response to the Web Service Consumer after collecting all required data.

  12. The Web Service Consumer processes the Personal Profile Service response, and then renders service pages containing the colleague’s contact information to the user’s browser.
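As an added example (not code from the Access Manager documentation or product), the following Python locates the Discovery Service resource offering carried in the assertion's attribute statement (steps 5 to 8) and extracts the bootstrap information the Web Service Consumer needs before its discovery lookup. The namespace URIs, the attribute name and the sample assertion are assumptions, and the function assumes the assertion's signature was already verified in step 5.

```python
import xml.etree.ElementTree as ET

# Liberty ID-FF / ID-WSF namespace URIs (assumed standard values).
NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "disco": "urn:liberty:disco:2003-08",
}
DISCO_SERVICE_TYPE = "urn:liberty:disco:2003-08"

# Constructed sample: the attribute statement a Service Provider finds in the
# ID-FF AuthnResponse assertion (step 6). Hosts and IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:disco="urn:liberty:disco:2003-08" AssertionID="_example-1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="DiscoveryResourceOffering"
        AttributeNamespace="urn:liberty:disco:2003-08">
      <saml:AttributeValue>
        <disco:ResourceOffering>
          <disco:ResourceID>https://idp.example.com/disco/res/abc123</disco:ResourceID>
          <disco:ServiceInstance>
            <disco:ServiceType>urn:liberty:disco:2003-08</disco:ServiceType>
            <disco:ProviderID>https://idp.example.com</disco:ProviderID>
            <disco:Description>
              <disco:SecurityMechID>urn:liberty:security:2003-08:TLS:SAML</disco:SecurityMechID>
              <disco:Endpoint>https://idp.example.com/Liberty/disco</disco:Endpoint>
            </disco:Description>
          </disco:ServiceInstance>
        </disco:ResourceOffering>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_discovery_bootstrap(assertion_xml: str) -> dict:
    """Return the Discovery Service bootstrap (endpoint, provider, resource ID,
    security mechanism) from a verified assertion; raises ValueError if absent."""
    root = ET.fromstring(assertion_xml)
    for offering in root.iterfind(".//saml:AttributeStatement//disco:ResourceOffering", NS):
        service_type = offering.findtext("disco:ServiceInstance/disco:ServiceType", namespaces=NS)
        if service_type != DISCO_SERVICE_TYPE:
            continue  # some other service's offering; keep looking
        desc = offering.find("disco:ServiceInstance/disco:Description", NS)
        endpoint = desc.findtext("disco:Endpoint", namespaces=NS) if desc is not None else None
        if not endpoint or not endpoint.startswith("https://"):
            raise ValueError("Discovery endpoint missing or not TLS-protected")
        return {
            "resource_id": offering.findtext("disco:ResourceID", namespaces=NS),
            "provider_id": offering.findtext("disco:ServiceInstance/disco:ProviderID", namespaces=NS),
            "endpoint": endpoint,
            "security_mech": desc.findtext("disco:SecurityMechID", namespaces=NS),
        }
    raise ValueError("no Discovery Service resource offering in assertion")
```

The returned `security_mech` is what step 10 refers to as the required authentication mechanism: the consumer must honour it when calling the endpoint rather than picking its own.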

For detailed information about all the components that are involved in Federation Management, see the Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide.