Netegrity Use-Cases for SAML 2.0 F2F

1
Netegrity Use-Cases for SAML 2.0 F2F

• September 4, 2003

2
Use-Case 1 Cross-Enterprise Login long-lived
pseudonymous subjects with attributes

• Principal authenticates at the IdP and receives
  assertion
• with authentication and attribute information
  from the AP.
• 2. Principal is redirected or navigates to SP.
• 3. Principal presents assertion with auth and
  attribute information to SP.
• 4. SP authenticates principal against the
  assertion and provides appropriate access to
  services based upon attribute values
• found in the assertion.

3
Notes on Use Case 1
1. IdP should be able to provide both
authentication and attributes for users. This
models the fact that many IdPs are backed by an
LDAP user store which holds credentials and
attributes. 2. Given an SP, an IdP should be
able to determine the attribute names (and
values) to be transferred to the SP. 3.
Federation for a user registered at the IdP is
achieved without replicating user entries in the
SP user store. Instead, classes of users are
recognized by the SP based upon their
attributes. 4. IdP trusts and has business
agreements with an SP for attribute sharing.
These agreements include a description of the
attributes to be sent to the SP by the IdP
(using the AP).
4
Use Case 2 SSO Initiation Profile

• User accesses a secured resource at SP
• User is re-directed to an IdP
• User selects IdP by some means?
• User accesses Initiation Host Name URL at IdP
• IdP inititiates one of the existing SAML SSO
  Profiles

5
Notes on Use Case 2

• Certain amount of context information needs to be
  transferred from the SP to IdP
• Identification of the SP
• Request ID for this request
• URL for the original resource at SP
• Time at which request was made
• Arbitrary data which is to be relayed back