C.7 SAML Service Provider Process Flow - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

provider names for the Liberty PP: sn and PP: ph# attributes are lastname and
phonenumber, respectively. (See Section 5.4.3, "Selecting Attributes for a Trusted
Provider," on page 155.)
c. The Identity Server uses the PP service to look up the values for the user's PP: sn and PP:
ph# attributes.
The Identity Server recognizes that the values for the user's PP: sn and PP: ph# attributes
are Jones and 555-1212, respectively.
3. The Identity Server sends an HTTP Redirect with an artifact.
The Identity Server now has the information to generate a SAML assertion. The Identity Server
sends an HTTP redirect containing the artifact back to the browser. The redirect looks
something like
http://xyz.com/auth/afct?TARGET=http://xyz.com/index.html&SAMLArtifact=<<artifact>>
4. The remote SAML server requests the assertion.
The HTTP redirect results in the browser sending the artifact to the SAML server at xyz.com.
The SAML server at xyz.com requests the SAML assertion from the Identity Server.
5. The Identity Server sends the assertion to the remote SAML server.
The remote SAML server receives the artifact and looks up the assertion. The assertion is sent
to the SAML server at xyz.com in a SOAP envelope. The assertion contains the attributes
lastname=Jones and phonenumber=555-1212.
The user now has an authenticated session at xyz.com. The xyz.com SAML server redirects the
user's browser to http://xyz.com/index.html, which was referenced in the original HREF in
step 1.
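
The checks a service provider can make on the step 3 redirect before it requests the assertion in step 4, as an added example that is not from the Novell manual. It assumes the artifact uses the SAML 1.1 type 0x0001 layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) with the SourceID being the SHA-1 of a constructed issuer URL, http://abc.com/; the function names and the trust table are hypothetical.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed layout: 2-byte type code + 20-byte SourceID + 20-byte AssertionHandle.
TYPE_0001 = b"\x00\x01"
SP_HOST = "xyz.com"  # the service provider named on the page
# Constructed trust table: SourceID (SHA-1 of an assumed issuer URL) -> provider.
TRUSTED_SOURCES = {hashlib.sha1(b"http://abc.com/").digest(): "abc.com"}
_seen_handles = set()  # the SP refuses a handle it has already accepted


def check_artifact_redirect(url):
    """Return (identity_provider, target) or raise ValueError."""
    query = parse_qs(urlsplit(url).query)
    artifacts = query.get("SAMLArtifact", [])
    targets = query.get("TARGET", [])
    if len(artifacts) != 1 or len(targets) != 1:
        raise ValueError("expected exactly one SAMLArtifact and one TARGET")
    try:
        raw = base64.b64decode(artifacts[0], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != 42 or raw[:2] != TYPE_0001:
        raise ValueError("not a type 0x0001 artifact")
    source_id, handle = raw[2:22], raw[22:]
    # Only resolve artifacts whose SourceID maps to a configured provider.
    idp = TRUSTED_SOURCES.get(source_id)
    if idp is None:
        raise ValueError("SourceID does not match a trusted provider")
    # TARGET must stay on the service provider, or the final redirect is open.
    target = urlsplit(targets[0])
    if target.scheme not in ("http", "https") or target.hostname != SP_HOST:
        raise ValueError("TARGET leaves the service provider")
    if handle in _seen_handles:
        raise ValueError("artifact already used")
    _seen_handles.add(handle)
    return idp, targets[0]


def sample_redirect(target="http://xyz.com/index.html", handle=b"H" * 20,
                    issuer=b"http://abc.com/"):
    """Constructed redirect in the shape shown in step 3."""
    raw = TYPE_0001 + hashlib.sha1(issuer).digest() + handle
    query = {"TARGET": target, "SAMLArtifact": base64.b64encode(raw).decode()}
    return "http://xyz.com/auth/afct?" + urlencode(query)
```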

C.7 SAML Service Provider Process Flow

The following illustration provides an example of the authentication process on the consumer side,
when a user clicks a link at the SAML service provider (xyz.com) in order to begin an authentication
session with an identity provider (such as abc.com). PP indicates a Personal Profile Service as
defined by the Liberty specification.
