The figure below illustrates the Federation Gateway as a standards-based replacement for OpenAM policy agents. The numbered steps follow the request through the flow:

1. The user accesses an internal Payroll application.

2. Federation Gateway inspects the request. It does not match the Payroll application's login page, so the request is passed through unchanged.

3. The Payroll application finds no Payroll session and responds with a redirect to its login page.

4. Federation Gateway intercepts the redirect, finds a match for the login page, and issues an SP-initiated SAML2 SSO request (AuthnRequest) to OpenAM at Company.com.

5. OpenAM at Company.com receives the SAML2 AuthnRequest and authenticates the user.

6. After authenticating the user, OpenAM returns the SAML2 response to OpenIG over the HTTP-POST binding.

7. Federation Gateway validates the assertion and makes the assertion attributes available to the OpenIG login chain.

8. The OpenIG login chain takes the user credentials from the assertion attributes and POSTs the application's login form on the user's behalf.

9. The Payroll application verifies the credentials and redirects to its home page.
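The following is an added example, not code from OpenIG or the original page. It models the gateway-side decisions in steps 2, 4, 7 and 8 above in plain Python: matching the redirect to the login page, the checks a gateway must apply to the returned assertion before trusting it (success status, issuer, audience, validity window, and binding of the bearer subject confirmation to the outstanding AuthnRequest ID so a captured response cannot be replayed), and mapping the extracted attributes onto the legacy login form. All URLs, entity IDs and attribute names (`uid`, `payrollPassword`, `j_username`) are assumed for the example, the sample response is constructed inline, and XML signature verification, which a real gateway performs first, is deliberately out of scope here.

```python
"""Added example: the Federation Gateway's decisions modelled in Python.
Everything below (endpoints, entity IDs, attribute and form field names) is
assumed for illustration; the IdP response is constructed, not captured.
XML-DSig verification of the response is NOT implemented and must precede
validate_response() in any real deployment."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed deployment values.
LOGIN_PAGE = "https://payroll.example.com/login.jsp"
LOGIN_ACTION = "https://payroll.example.com/j_security_check"
SP_ENTITY_ID = "https://openig.example.com/saml/sp"
ACS_URL = "https://openig.example.com/saml/acs"
IDP_ENTITY_ID = "https://company.com/openam"
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the example


def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def intercepts_redirect(status, location):
    """Steps 2/4: the gateway acts only on a redirect to the app's login page."""
    return status in (301, 302, 303, 307) and location.split("?", 1)[0] == LOGIN_PAGE


def make_response(request_id, now=NOW, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                  in_response_to=None, ttl=300):
    """Constructed sample IdP Response; parameters let tests build bad variants."""
    nb = (now - timedelta(seconds=60)).strftime("%Y-%m-%dT%H:%M:%SZ")
    na = (now + timedelta(seconds=ttl)).strftime("%Y-%m-%dT%H:%M:%SZ")
    irt = in_response_to or request_id
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" InResponseTo="{irt}" Destination="{ACS_URL}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{irt}" Recipient="{ACS_URL}" NotOnOrAfter="{na}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="payrollPassword"><saml:AttributeValue>s3cret</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, outstanding_request_id, now=NOW):
    """Step 7: reject anything not issued for us, for this request, right now.
    Returns the assertion attributes (plus NameID) on success, raises ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported an unsuccessful authentication")
    if root.get("InResponseTo") != outstanding_request_id:
        raise ValueError("response is not bound to our AuthnRequest (replay or unsolicited)")
    if root.get("Destination") != ACS_URL:
        raise ValueError("response addressed to a different assertion consumer")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("InResponseTo") != outstanding_request_id
            or scd.get("Recipient") != ACS_URL or now >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer subject confirmation failed")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return attrs


def login_form_post(attrs):
    """Step 8: the login chain maps assertion attributes onto the app's form fields."""
    body = urlencode({"j_username": attrs["uid"], "j_password": attrs["payrollPassword"]})
    return "POST", LOGIN_ACTION, body


if __name__ == "__main__":
    if intercepts_redirect(302, LOGIN_PAGE):
        attrs = validate_response(make_response("_req1"), "_req1")
        print(login_form_post(attrs))
```

The order of checks matters less than their completeness: a response that passes signature verification but is addressed to another SP, answers a request the gateway never sent, or has expired must still be refused, which is why each condition raises rather than merely logging.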


