2. The interceptor may redirect the browser to a service called WAYF (Where Are You From), which determines the appropriate Identity Provider (IdP) for the user. However, the IdP can also be resolved using a number of different mechanisms.
3. The browser is then redirected to that Identity Provider. This usually belongs to the user's “home organisation”, where they have been provisioned and where their authentication credentials are stored.
4. The Identity Provider challenges the user to provide the appropriate authentication credentials for that organisation and receives those credentials. This could again use any number of challenge/assertion protocols.
5. After successful authentication, a set of tokens is generated for this session, and the browser is redirected back to the Service Provider with a service token.
6. The interceptor requests the Identity Provider to validate the service token and queries for user attributes.
7. The Identity Provider validates the service token and provides user attribute information as per its attribute release policy.
8. If the token is valid and the user's attributes also conform to the application's specified requirements, the interceptor grants access to the application.
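To make steps 2 to 8 concrete, here is an added, in-memory simulation of the three parties (it is not Shibboleth's code or the book's); the WAYF table, the opaque service token, the IdP's attribute release policy and the sample user are all constructed assumptions. It shows why access can still be denied after a valid login: the SP only receives the attributes the IdP's release policy allows for it, and a replayed service token is rejected.

```python
import hashlib, secrets, time

# Constructed in-memory stand-ins for the WAYF, an IdP and an SP interceptor
# (steps 2-8). Names, token format and users are assumptions, not Shibboleth code.
WAYF = {"example.edu": "idp.example.edu"}          # step 2: user's domain -> IdP
pw_hash = lambda p: hashlib.sha256(p.encode()).hexdigest()   # stand-in, not a real KDF

class IdentityProvider:
    def __init__(self, users, release_policy, ttl=300):
        self.users = users                      # username -> (password hash, attributes)
        self.release_policy = release_policy    # SP name -> attribute names it may see
        self.ttl, self.sessions = ttl, {}       # service token -> (username, expiry)

    def authenticate(self, username, password):             # step 4
        rec = self.users.get(username)
        if rec is None or not secrets.compare_digest(rec[0], pw_hash(password)):
            return None
        token = secrets.token_hex(16)                      # step 5: opaque service token
        self.sessions[token] = (username, time.time() + self.ttl)
        return token

    def validate(self, token, sp):                          # step 7, back channel
        entry = self.sessions.pop(token, None)             # single use: a replay fails
        if entry is None or time.time() > entry[1]:
            return None
        allowed = self.release_policy.get(sp, set())       # attribute release policy
        return {k: v for k, v in self.users[entry[0]][1].items() if k in allowed}

def interceptor(sp, idps, username, password, required):
    """SP interceptor: returns ('allow', attrs) or ('deny', reason)."""
    idp_name = WAYF.get(username.rsplit("@", 1)[-1])       # step 2
    if idp_name is None:
        return ("deny", "no IdP for user")
    token = idps[idp_name].authenticate(username, password)   # steps 3-5
    if token is None:
        return ("deny", "authentication failed")
    attrs = idps[idp_name].validate(token, sp)              # step 6
    if attrs is None:
        return ("deny", "service token rejected")
    missing = [k for k, v in required.items() if attrs.get(k) != v]   # step 8
    return ("allow", attrs) if not missing else ("deny", f"attributes {missing}")

def demo():
    idps = {"idp.example.edu": IdentityProvider(
        {"alice@example.edu": (pw_hash("s3cret"), {"affiliation": "staff", "dept": "finance"})},
        {"payroll": {"affiliation", "dept"}, "library": {"affiliation"}})}
    need = {"affiliation": "staff", "dept": "finance"}
    return [interceptor(sp, idps, u, p, need) for sp, u, p in
            [("payroll", "alice@example.edu", "s3cret"), ("library", "alice@example.edu", "s3cret"),
             ("payroll", "alice@example.edu", "wrong"), ("payroll", "bob@other.org", "x")]]
```

The second case in demo() is the one worth noting: the same user logs in successfully, but the library SP never sees the dept attribute, so an application that requires it denies access.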
As you can see, the federated access management model is virtually
identical to the local one in its general outline, with the only additional
feature being the WAYF service that resolves the correct Identity Provider to
use. Within a local context, every interceptor knows the location of the SSO
server, so there is no need for a specialised component to perform this
resolution function.
The main complexity in Shibboleth is the requirement to set up a Service
Provider capability at each business application node, which is a lot more
onerous than the equivalent simple CAS interceptor. Therefore, you
wouldn't want to use Shibboleth in preference to CAS unless you have a
legitimate requirement for federated identity.[23]
[23] With the increasing popularity of cloud-based solutions, this could become a common requirement very soon. Not every cloud-based system requires federated identity, though. We cover this subtle point in a later discussion on Cloud Computing.