Web SSO SAML POST Profile
eTrust SiteMinder FSS also implements the Web Browser
SAML Post Profile, as defined by the SAML specification.
eTrust SiteMinder can be used both as a SAML producer
and SAML consumer.
1. The user visits a SAML producer site with information
about the requested resource at the SAML consumer
site attached to the URL.
2. Upon successful authentication, the SAML producer
site generates an HTML form containing a SAML
response which includes one or more SAML assertions.
The SAML producer site returns to the browser the
signed SAML response over HTTP/SSL. (Note: In this
profile, SAML assertions must have a short lifespan or
3. The browser posts the HTML form containing the SAML
response to the SAML consumer site (possibly using
transmitted in plain text, or in the case of SAML 2.0,
they can also be encrypted). The consumer site needs
to save state (to ensure that there are no duplicate
4. The SAML consumer site processes the SAML assertion
and sends an HTTP response to the browser that allows
or denies access to the requested resource at the SAML
eTrust SiteMinder supports both SAML Artifact profile
and SAML Post Profile and Administrators can implement
the Artifact profile and post profile concurrently, based on
their partners requirements.
Single Log-Out (SLO)
eTrust SiteMinder FSS provides the capability to single
log-out across federated partner sites through the
implementation of SAML 2.0 Single Log-Out profile.
This global log-out service can be initiated via user browser
from a link at any Service Provider site or Identity Provider
site and the associated IdP federation deployment handles
all log-out requests and responses for participating sites.
Below is an example SLO process.
1. The user clicks on a log-out link at SP1 site.
2. SP1 then sends an SLO request to the IdP.
3. The Idp processes the request and send SLO requests to
other SPs, SP2 in this example.
4.SP2 logs the user out and returns an SLO response.
5. The IdP then sends an SLO response to SP1 and the user
is logged out globally.
SAML Attribute Services
eTrust SiteMinder FSS provides SAML attribute request
and response services through the implementation of the
SAML 2.0 specifications. FSS can act as an Attribute
Authority that processes attribute queries and supplies
an assertion with attributes for a user based on the user
NameID and it can also act as a SAML Requester that
requests a SAML assertion with attributes for a user by
using their NameID.
Attribute assertions can be used to pass user identity
information for authorization, personalization, or
provisioning purposes. It is worth noting that the SSO
assertion can also be configured to pass attribute
information as part of the SSO process, but the attribute
service can be used outside of the SSO process. In addition
the attribute authority could be a totally separate entity
from the Identity Provider that authenticates the user.
Figure 3. Web Browser SAML Post Profile.
Figure 4. Single Log-Out.