dispatcher (transcript of a PowerPoint presentation)
[Diagram: Hello User Sample (Gateway). Components: Dispatcher, Conditional Expression, Static Request Filter, Attribute Filter, Portal, DNS; numbered flow steps 1-10]
[Diagram: Media Wiki Hosted Sample (Gateway). Components: Dispatcher, Conditional Expression, Static Request Filter, Extract Filter, MediaWiki, DNS; numbered flow steps 1-10]
[Diagram: Gateway with OpenAM, OpenAM Agent and WordPress; numbered flow steps 1-9]
Simple SSO with WordPress and MediaWiki
Participants: Browser, Gateway, WordPress, MediaWiki
1. Browse to MediaWiki
2. Pass through request
3. MediaWiki login page returned
4. Redirect to WordPress login
5. WordPress login page
6. User submits credentials
7. Pass through and record
8. WordPress home page
9. POST MediaWiki login form with stored credentials
10. MediaWiki home page
Password replay sample: HR application and flat file DB (sso1)
Participants: Browser, Gateway, HR Application, Flat File
1. http://hr.company.com
2. Pass request through
3. No session, redirect to login
4. Intercepts App redirect, fetches credentials
5. POST App login form
6. Validate login, redirect to HR
7. http://hr.company.com
Figure 1
[Figure: HelloUser Sample Application Flow. Participants: Browser, Gateway, Hello User, DNS; sequence of 12 numbered steps]
Password replay with Access Management integration (sso2)
Participants: Browser, Access Manager, Agent, Gateway, HR App
1. http://hr.company.com
2. Agent redirects user to AM login
3. AM logs in user, redirects back to HR App
4. Pass through request
5. No App session
6. POST App login form
7. Redirect to HR
8. http://hr.company.com
Figure 2
SP initiated SAML2 POST Profile SSO-2 (ssoFedSP), alternative style
Participants: Browser, IDP, Gateway, HR App
1. http://hr.company.com
2. Pass through request
3. No session, redirect to login
4. Intercepts login request, send SAML2 AuthN Request
6. SAML2 POST AuthN Statement
7. POST App login form
8. Redirect to HR App
9. http://hr.company.com
Figure 2
IDP initiated SAML2 POST Profile SSO (ssoFedIDP)
Participants: Browser, IDP, Gateway, HR App
1. Authenticate user
2. SAML2 POST AuthN
3. POST App login form
7. Redirect to HR App
8. http://hr.company.com
Figure 4
Standards Based AM Plugin/Agent (ssoFedAgent)
Participants: Browser, Access Manager, Gateway, HR App
1. http://hr.company.com
3. Pass through request
4. No session, redirect to login
5. Intercepts login request, send SAML2 AuthN request
6. SAML2 POST Profile AuthN
7. POST App login form
7. Redirect to HR App
7. Authenticate user
8. http://hr.company.com
Figure 5
[Diagram: Limited SSO. Components: Identity Gateway, Agent, OpenAM, Payroll, HR, and Legacy, Unsupported and Custom applications]
[Diagram: SSO. Components: Identity Gateway, Agent, OpenAM, Payroll, HR, and Legacy, Unsupported and Custom applications]
[Diagram: Identity Provider (SAML2) with a Federation Gateway in front of each of Ringtones, Apps and Accessories]
How SSO Works
• Traffic to Legacy Application is routed through the Gateway.
• Gateway is deployed as a web app protected by the OpenAM agent.
• OpenAM agent is configured to pass user identifying headers to the Gateway.
• Gateway filters are configured to intercept the Legacy application login pages.
• When a login or timeout page is processed, the user is logged in with credentials passed from the OpenAM agent or by looking them up in an external database or vault.
• Gateway optionally manages, filters, or transforms cookies, headers, and general application content.
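The password-replay flow of Figure 1 and the bullets above, as an added illustration that is not code from the presentation or from any OpenAM/Identity Gateway product: a constructed legacy HR application with its own form login, and a gateway that intercepts the application's login redirect, looks the user identified by the agent's header up in a credential vault, and replays the login form. The class names, the header-derived `am_user` parameter and the vault layout are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

class LegacyHRApp:
    """Constructed stand-in for a form-login application behind the Gateway."""
    def __init__(self, accounts):
        self.accounts = accounts        # app-local username -> app-local password
        self.sessions = set()
    def handle(self, method, path, form=None, cookie=None):
        form = form or {}
        if path == "/login" and method == "POST":
            if self.accounts.get(form.get("user")) == form.get("pw"):
                sid = f"sid-{form['user']}"
                self.sessions.add(sid)
                return Response(302, headers={"Location": "/", "Set-Cookie": sid})
            return Response(200, "<form action=/login>")      # bad login: form again
        if cookie in self.sessions:
            return Response(200, "HR home page")
        return Response(302, headers={"Location": "/login"})  # no session yet

class PasswordReplayGateway:
    """Intercepts the app's login redirect and replays credentials from a vault."""
    def __init__(self, app, vault):
        self.app, self.vault = app, vault   # vault: AM user -> (app user, app password)
    def handle(self, path, am_user):
        """am_user is the identity the OpenAM agent passed in a request header."""
        resp = self.app.handle("GET", path)
        if resp.status == 302 and resp.headers.get("Location") == "/login":
            creds = self.vault.get(am_user)
            if creds is None:
                return resp                # no mapping: pass the app's redirect through
            user, pw = creds
            login = self.app.handle("POST", "/login", form={"user": user, "pw": pw})
            if login.status != 302:
                return login               # stale vault entry: surface the login page
            sid = login.headers["Set-Cookie"]
            resp = self.app.handle("GET", path, cookie=sid)
            resp.headers["Set-Cookie"] = sid   # hand the app session to the browser
        return resp
```

The browser never sees the application password; only the mapped user and the resulting session cookie cross the gateway boundary.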
[Diagram: OpenAM with an Agent in front of the Identity Gateway, which fronts the Legacy application]
How Federation Works
• Traffic to Legacy Application is routed through the Gateway.
• Gateway is deployed as a web app or standalone Java application.
• Gateway is configured as a SAML2 endpoint in a Circle of Trust with the WAM.
• Gateway filters are configured to recognize Legacy application login pages.
• When the Gateway sees a login or timeout page, an SP initiated SAML2 AuthN request is sent to the WAM.
• Upon receiving and processing the assertion, the Gateway logs the user in with credentials from the assertion or by looking them up in an external database or vault.
• Gateway optionally manages, filters, or transforms cookies, headers, and general application content.
[Diagram: Web Access Management federated over SAML2 with the Federation Identity Gateway and its Proxy Agent in front of the Legacy application; Payroll and Portal behind Agents]
[Diagram: OpenAM Single Sign-on. OpenAM Services: Authentication, Session, Authorization, Auditing; Agents in front of Portal and HR; Identity Gateway in front of Legacy and Custom applications]
[Diagram: OpenAM Federated SSO. OpenAM Services: Liberty ID-FF, SAML2, SAML1, WS-Fed; Fedlet at CRM.com; Identity Gateway at Wiki.com; Federation Enabled 3rd Party Access Manager]