6.3. Federation Gateway SP Initiated SAML2 SSO

The figure below illustrates the OpenIG Federation Gateway providing SAML2 endpoint features, acting as the Service Provider in an SP initiated single sign-on configuration. In this sample, the company myHR is an outsourced provider of HR services and has started seeing increased demand for SAML2 support in its core application. Its customers are refusing proprietary means of authentication and demanding the widely accepted SAML2 standard. myHR is not in a position to modify its application to support SAML2, nor does it have the time or money to integrate and deploy all of OpenAM. With OpenIG Federation Gateway, myHR deploys OpenIG in front of the HR application, configures it as a SAML2 endpoint for SP initiated SSO, and configures it to log users into the HR application upon successful verification of the SAML2 assertion from its customers.

  1. The user accesses the HR application through a bookmark in the browser.

  2. Federation Gateway inspects the request; because it does not match the HR application's login page, the request passes through to the application.

  3. The HR application finds no HR session and sends a redirect to its login page.

  4. Federation Gateway intercepts the redirect, finds a match for the login page, and issues an SP initiated SSO SAML2 request to Company.com's IDP.

  5. The IDP at Company.com receives the SAML2 AuthN request and authenticates the user.

  6. After authenticating the user, the IDP sends a SAML2 POST to OpenIG.

  7. Federation Gateway validates the assertion and makes the assertion attributes available to the OpenIG login chain.

  8. The OpenIG login chain retrieves the user credentials and POSTs the login form to the application.

  9. The HR application verifies the credentials and redirects to its home page.
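Steps 6 through 8 are where the gateway's security decisions are made: the POSTed response must belong to a request the gateway actually issued, the assertion must be addressed to this SP and still within its validity window, and only then may its attributes be turned into login-form fields. The following Python is an added example written for this page; it is not OpenIG code and does not use OpenIG's configuration format. The entity IDs, the Assertion Consumer Service URL, the attribute-to-form mapping and the sample response are all constructed. XML signature verification is assumed to have been done already by the SAML stack, so the code covers the remaining protocol checks that a Service Provider performs before trusting the assertion.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP/IDP identifiers, constructed for this example.
SP_ENTITY_ID = "https://openig.myhr.example/sp"
ACS_URL = "https://openig.myhr.example/saml/sp/consumer"
IDP_ENTITY_ID = "https://idp.company.example/idp"
CLOCK_SKEW = timedelta(seconds=60)
# Assertion attribute -> HR login-form field (constructed mapping).
ATTRIBUTE_MAPPING = {"uid": "username", "mail": "email"}


class SamlValidationError(Exception):
    pass


def _ts(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, outstanding_requests, seen_assertions, now):
    """Step 7: check a POSTed SAMLResponse and return its assertion attributes.

    outstanding_requests: IDs of AuthnRequests the gateway issued (step 4).
    seen_assertions: assertion IDs already consumed, for replay protection.
    Signature verification is assumed to have happened before this call.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IDP reported failure")
    if root.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not this SP's ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        raise SamlValidationError("unsolicited or replayed response")
    outstanding_requests.discard(in_response_to)  # one response per request
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected issuer")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    assertion = assertions[0]
    if assertion.get("ID") in seen_assertions:
        raise SamlValidationError("assertion replayed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or data is None or sc.get("Method") != BEARER:
        raise SamlValidationError("missing bearer SubjectConfirmation")
    if data.get("Recipient") != ACS_URL or data.get("InResponseTo") != in_response_to:
        raise SamlValidationError("SubjectConfirmationData does not match this exchange")
    if now - CLOCK_SKEW >= _ts(data.get("NotOnOrAfter")):
        raise SamlValidationError("SubjectConfirmationData expired")
    seen_assertions.add(assertion.get("ID"))
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_to_login_form(attrs):
    """Step 8: turn assertion attributes into the fields the HR login form expects."""
    form = {}
    for saml_name, field in ATTRIBUTE_MAPPING.items():
        if not attrs.get(saml_name):
            raise SamlValidationError("assertion lacks required attribute %r" % saml_name)
        form[field] = attrs[saml_name][0]
    return form


# Constructed sample: what the IDP would POST in step 6 (base64-encoded SAMLResponse).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z"
 Destination="https://openig.myhr.example/saml/sp/consumer" InResponseTo="_req42">
 <saml:Issuer>https://idp.company.example/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.company.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z"
     Recipient="https://openig.myhr.example/saml/sp/consumer" InResponseTo="_req42"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://openig.myhr.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>alice@company.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>""")
SAMPLE_NOW = datetime(2024, 1, 15, 10, 1, 0, tzinfo=timezone.utc)


def demo():
    """Run the sample response through steps 7 and 8 and return the login form."""
    pending = {"_req42"}  # the gateway remembered this ID when it issued the AuthnRequest
    return map_to_login_form(validate_response(SAMPLE_RESPONSE, pending, set(), SAMPLE_NOW))


if __name__ == "__main__":
    print(demo())
```

The `outstanding_requests` set is what ties step 6 back to step 4: a response whose `InResponseTo` the gateway never issued is rejected, and the `seen_assertions` set stops the same assertion from being POSTed twice. In a deployment that stdlib parser would be replaced by the SAML library's own parsing (with external entity resolution disabled) and the sets by a store shared across gateway instances.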