Web SSO SAML POST Profile
eTrust SiteMinder FSS also implements the Web Browser
SAML Post Profile, as defined by the SAML specification.
eTrust SiteMinder can be used both as a SAML producer
and SAML consumer.
1. The user visits a SAML producer site with information
about the requested resource at the SAML consumer
site attached to the URL.
2. Upon successful authentication, the SAML producer
site generates an HTML form containing a SAML
response which includes one or more SAML assertions.
The SAML producer site returns to the browser the
signed SAML response over HTTP/SSL. (Note: In this
profile, SAML assertions must have a short lifespan or
validity period.)
3. The browser posts the HTML form containing the SAML
response to the SAML consumer site (possibly using
JavaScript) over HTTP/SSL (SAML assertions are
transmitted in plain text or, in the case of SAML 2.0,
can also be encrypted). The consumer site needs
to save state (to ensure that the same SAML response is
not accepted twice).
4. The SAML consumer site processes the SAML assertion
and sends an HTTP response to the browser that allows
or denies access to the requested resource at the SAML
consumer site.
eTrust SiteMinder supports both the SAML Artifact profile
and the SAML POST profile, and administrators can implement
the Artifact profile and the POST profile concurrently, based on
their partners' requirements.
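The checks the consumer site performs in step 4 are what make the short validity period and the saved state from steps 2 and 3 effective. The following is an added example written for this page, not SiteMinder code, of those consumer-side checks on a plaintext SAML 2.0 Response. It assumes the XML signature has already been verified by a separate XML-DSig library (not shown), and the ACS URL, entity ID, policy limits and the sample Response are constructed for the example.

```python
"""Consumer-side checks on a SAML 2.0 Response received via the POST profile.

Constructed example. Signature verification is assumed done elsewhere; this
covers the validity window, the recipient/audience binding to this consumer,
and the saved state that stops the same assertion from being posted twice.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Consumer policy (assumed values for this example)
MAX_VALIDITY = timedelta(minutes=5)   # reject assertions with a longer window
CLOCK_SKEW = timedelta(seconds=30)    # tolerance between producer/consumer clocks
OUR_ACS_URL = "https://sp.example.test/saml/acs"     # constructed
OUR_ENTITY_ID = "https://sp.example.test/metadata"   # constructed


def parse_time(text):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """State the consumer must save: IDs of assertions already accepted."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter

    def check_and_store(self, assertion_id, expires, now):
        # Entries whose window has closed are pruned; the expiry check below
        # rejects such assertions before the replay check is ever reached.
        self._seen = {k: v for k, v in self._seen.items() if v > now - CLOCK_SKEW}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_assertion(a, cache, now):
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions validity window"
    not_before = parse_time(cond.get("NotBefore"))
    not_after = parse_time(cond.get("NotOnOrAfter"))
    if not_after - not_before > MAX_VALIDITY:
        return False, "validity period too long for POST profile"
    if now + CLOCK_SKEW < not_before:
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= not_after:
        return False, "assertion expired"
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != OUR_ENTITY_ID:
        return False, "audience mismatch"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != OUR_ACS_URL:
        return False, "Recipient is not this consumer"
    assertion_id = a.get("ID")
    if not assertion_id or not cache.check_and_store(assertion_id, not_after, now):
        return False, "replayed assertion"
    name_id = a.find("saml:Subject/saml:NameID", NS)
    return True, name_id.text if name_id is not None else ""


def validate_response(xml_text, cache, now):
    """Return (ok, detail): the NameIDs on success, otherwise the reason."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != OUR_ACS_URL:
        return False, "Destination is not this consumer"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertions"
    subjects = []
    for a in assertions:            # the profile allows one or more assertions
        ok, detail = validate_assertion(a, cache, now)
        if not ok:
            return False, detail
        subjects.append(detail)
    return True, subjects


# Constructed sample Response (signature element omitted; assumed verified)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """First post accepted, the same post replayed is rejected, a late post expires."""
    cache = ReplayCache()
    first = validate_response(SAMPLE_RESPONSE, cache, parse_time("2024-01-01T12:01:00Z"))
    replay = validate_response(SAMPLE_RESPONSE, cache, parse_time("2024-01-01T12:01:30Z"))
    late = validate_response(SAMPLE_RESPONSE, ReplayCache(), parse_time("2024-01-01T12:10:00Z"))
    return first, replay, late
```

The replay cache is what "save state" in step 3 means in practice: without it, a captured form post is accepted again for as long as the assertion's validity window lasts, which is why the profile also insists on a short window.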
Single Log-Out (SLO)
eTrust SiteMinder FSS provides the capability to single
log-out across federated partner sites through the
implementation of SAML 2.0 Single Log-Out profile.
This global log-out service can be initiated via the user's browser
from a link at any Service Provider (SP) site or Identity Provider
(IdP) site, and the associated IdP federation deployment handles
all log-out requests and responses for participating sites.
Below is an example SLO process.
1. The user clicks on a log-out link at SP1 site.
2. SP1 then sends an SLO request to the IdP.
3. The IdP processes the request and sends SLO requests to
the other SPs, SP2 in this example.
4. SP2 logs the user out and returns an SLO response.
5. The IdP then sends an SLO response to SP1 and the user
is logged out globally.
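The exchange above, modelled as an added example that is not part of the original document or of SiteMinder: the IdP keeps a registry of which SPs hold a session for each user, fans out LogoutRequests to every other SP in that user's session, and answers the initiating SP. The status URIs are from the SAML 2.0 specification, including PartialLogout for the case where some SP could not be logged out; the entity IDs, message shapes and the unavailable-SP scenario are constructed for the example.

```python
"""Model of IdP-driven Single Log-Out (constructed example, not SiteMinder code)."""

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


class ServiceProvider:
    def __init__(self, entity_id, available=True):
        self.entity_id = entity_id
        self.available = available   # False simulates an SP that never answers
        self.sessions = set()        # NameIDs with a local session

    def login(self, name_id):
        self.sessions.add(name_id)

    def handle_logout_request(self, request):
        """Step 4: log the user out locally and return a LogoutResponse."""
        if not self.available:
            return None
        self.sessions.discard(request["NameID"])
        return {"type": "LogoutResponse", "InResponseTo": request["ID"],
                "Issuer": self.entity_id, "Status": SUCCESS}


class IdentityProvider:
    def __init__(self):
        self.sps = {}
        self.sessions = {}   # NameID -> set of SP entity IDs with a session
        self.exchange = []   # (sp, request, response) for every fan-out message
        self._counter = 0

    def register(self, sp):
        self.sps[sp.entity_id] = sp

    def login(self, name_id, sp_id):
        self.sps[sp_id].login(name_id)
        self.sessions.setdefault(name_id, set()).add(sp_id)

    def _next_id(self):
        self._counter += 1
        return "_slo%d" % self._counter

    def handle_logout_request(self, request):
        """Steps 3 and 5: fan out to the other SPs, then answer the initiator."""
        name_id, initiator = request["NameID"], request["Issuer"]
        active = self.sessions.get(name_id, set())
        status = SUCCESS
        for sp_id in sorted(active - {initiator}):
            req = {"type": "LogoutRequest", "ID": self._next_id(),
                   "Issuer": "idp", "NameID": name_id}
            resp = self.sps[sp_id].handle_logout_request(req)
            self.exchange.append((sp_id, req, resp))
            if resp is None or resp["Status"] != SUCCESS:
                status = PARTIAL        # SP stays registered so it can be retried
            else:
                active.discard(sp_id)
        active.discard(initiator)       # initiator already logged out locally
        if not active:
            self.sessions.pop(name_id, None)
        return {"type": "LogoutResponse", "InResponseTo": request["ID"],
                "Issuer": "idp", "Status": status}


def sp_initiated_logout(idp, sp, name_id):
    """Steps 1 and 2: the user clicks log-out at an SP, which asks the IdP."""
    sp.sessions.discard(name_id)
    req = {"type": "LogoutRequest", "ID": "_req_" + sp.entity_id,
           "Issuer": sp.entity_id, "NameID": name_id}
    return idp.handle_logout_request(req)


def demo(sp2_available=True):
    """Returns (status to SP1, alice still at SP1, at SP2, known to IdP)."""
    idp = IdentityProvider()
    sp1, sp2 = ServiceProvider("sp1"), ServiceProvider("sp2", sp2_available)
    idp.register(sp1)
    idp.register(sp2)
    idp.login("alice", "sp1")
    idp.login("alice", "sp2")
    resp = sp_initiated_logout(idp, sp1, "alice")
    return (resp["Status"], "alice" in sp1.sessions,
            "alice" in sp2.sessions, "alice" in idp.sessions)
```

The point the five steps do not spell out is what SP1 should do with the IdP's answer: a PartialLogout status means the user is logged out at SP1 but may still hold a live session elsewhere, so an SP should surface that rather than report a complete global log-out.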
SAML Attribute Services
eTrust SiteMinder FSS provides SAML attribute request
and response services through the implementation of the
SAML 2.0 specifications. FSS can act as an Attribute
Authority that processes attribute queries and supplies
an assertion with attributes for a user based on the user's
NameID, and it can also act as a SAML Requester that
requests a SAML assertion with attributes for a user by
using their NameID.
Attribute assertions can be used to pass user identity
information for authorization, personalization, or
provisioning purposes. It is worth noting that the SSO
assertion can also be configured to pass attribute
information as part of the SSO process, but the attribute
service can also be used outside of the SSO process. In addition,
the attribute authority can be a totally separate entity
from the Identity Provider that authenticates the user.
Figure 3. Web Browser SAML Post Profile.
Figure 4. Single Log-Out.