dispatcher

Dispatcher

Conditional Expression

Static Request Filter

Attribute Filter

Portal

12

4

3,6

5

78

9

10

DNS

Hello User Sample

(Gateway)

Dispatcher

Conditional Expression

Static Request Filter

Extract Filter

MediaWiki

1

2 4

3,

5

6

9

DNS

Media Wiki Hosted Sample

10

8

(Gateway)

7

Gateway

OpenAMOpenAM Agent

WordPress

2 1

3

6

4

5

8

7

9

Simple SSSO with WordPress and MediaWiki

1. Browse to MediaWiki

Browser Gateway WordPress MediaWiki

3. MediaWiki login page returned

5. WordPress login page

9. POST MediaWiki login form with stored credentials

2. Pass through request

10. MediaWiki home page

4. Redirect to WordPress login

6. User submits credentials

7. Pass through and record

8. WordPress home page

HR ApplicationGateway FlatFile

Browser

1. http://hr.company.com

2. Pass request through

4. Intercepts App redirect, fetches credentials

3. No session, redirect to login

5. POST App login form

6. Validate login, redirect to HR


Password replay sample hr application and flat file db (sso1)

Figure 1

Hello UserGatewayBrowser

1.

HelloUser Sample Application Flow

DNS

2.

4.

3.

6.

5.

8.

7.

9.

10.

11.

12.

Password replay with Access Management integration (sso2)


2. Agent Redirects User to AM Login

Browser AccessManager Agent Gateway HR App

3. AM Logs in user, redirects back to HR App

5. No App session


7. Redirect to HR



Figure 2

SP initiated SAML2 Post Profile SSO-2 (ssoFedSP)Alternative style


BrowserIDP Gateway HR App


4. Intercepts login request, send SAML2 AuthN Request



Figure 2


8. Redirect to HR App

6. SAML2 POST AuthN Statement

IDP initiated SAML2 Post Profile SSO (ssoFedIDP)

1. Authenticate User

Browser IDP Gateway HR App

2. SAML2 POST AuthN


Figure 4


3. Post App login form

Standards Based AM Plugin/Agent (ssoFedAgent)


BrowserAccess

ManagerGateway HR App


5. Intercepts login request, send SAML2 AuthN request


6. SAML2 POST Profile AuthN


Figure 5



7. Authenticate user

IdentityGateway

Agent

Legacy Unsupported Custom

Agent Agent

OpenAM

Payroll HR

Agent Agent

OpenAM


HR Payroll

Limited SSO

IdentityGateway

Agent


Agent Agent

OpenAM

Payroll HR

SSO

Identity Provider SAML2

Ringtones

Federation Gateway

Apps

Federation Gateway

Accessories

Federation Gateway

How SSO Works

• Traffic to Legacy Application is routed through the Gateway.

• Gateway is deployed as a web app protected by the OpenAM agent.

• OpenAM agent is configured to pass user identifying headers to the Gateway.

• Gateway filters are configured to intercept the Legacy application login pages.

• When a login or timeout page is processed, the user is logged in with credentials passed from the OpenAM agent or by looking them up in an external database or vault.

• Gateway optionally manages, filters, or transforms, cookies, headers, and general application content.

OpenAM

Legacy

Identity Gateway

Agent

How Federation Works

• Traffic to Legacy Application is routed through the Gateway.

• Gateway is deployed as a web app or standalone java application.

• Gateway is configured as a SAML2 endpoint in a Circle of Trust with the WAM.

• Gateway filters are configured to recognize Legacy application login pages.

• When the Gateway sees a login or timeout page, an SP initiated SAML2 AuthN request is sent to the WAM.

• Upon receiving and processing the assertion, the Gateway logs the user in with credentials from the assertion or by looking them up in an external database or vault.

• Gateway optionally manages, filters, or transforms, cookies, headers, and general application content.

Web Access Management

SAML2

Legacy

FederationIdentity Gateway

Proxy Agent

Payroll

Agent

Portal

OpenAM Services

HR

Identity Gateway

Legacy

Custom

OpenAM Single Sign-on

Authentication Session

Authorization Auditing

Agent

Portal

Fedlet

CRM.com

OpenAM Federated SSO

OpenAM Services

Liberty ID-FF SAML2

SAML1 WS-Fed

Identity Gateway

Wiki.com

Federation Enabled 3rd Party Access Manager

dispatcher

Documents