- Auth via HTML forms (form-fill).
  - Treat the form page as a protected resource.
  - The access gateway acts as a proxy.
  - It auto-submits the form with the user's credentials (form-fill).
  - Challenges:
    - Finding the form.
    - What to do on form failure and re-prompt.
- Stuff the credentials in an HTTP header.
  - aka identity injection, header injection (broad term).
- Instead of passing credentials, make systems trust each other.
  - The application system trusts the authentication system.
  - Gets around passing credentials.
  - Gets around disconnected user bases.
  - Roles: Identity provider (IDP) and Service provider (SP).
- SAML flow (SP-initiated):
  - User hits SP.
  - SP configuration: 302 redirect to IDP.
  - User hits IDP with the SAML request in the query string.
  - IDP verifies credentials if there is no current session.
  - Valid credentials generate a 302 redirect back to SP with a SAML assertion.
  - In our case the assertion carries email, ID and an X.509 signature.
  - More complex assertion data for other systems / applications.
  - No direct communication between IDP and SP; everything goes through the user's browser in POST requests.
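The SP-initiated flow above, worked through as an added example (not code from the original notes or from any SSO product): the SP builds the redirect with the SAML request in the query string, the IDP checks for a session or demands credentials, and the SP verifies the signed assertion before trusting the email and ID in it. The signing key, session store and JSON-in-place-of-XML assertion are constructed stand-ins; an HMAC plays the role of the X.509 signature only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins. A real IDP signs with its X.509 private key and the SP
# verifies with the IDP's certificate; an HMAC shared secret plays that role here.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"
IDP_SESSIONS = {"sess-1": {"email": "alice@example.test", "id": "u-1001"}}


def sp_build_redirect(sp_url: str, idp_url: str) -> str:
    """User hits SP; SP answers 302 with the SAML request in the query string.
    Real SAML deflates and base64-encodes an XML AuthnRequest; JSON stands in."""
    request = json.dumps({"issuer": sp_url, "acs": sp_url + "/acs"}).encode()
    raw_deflate = zlib.compress(request)[2:-4]  # strip zlib header and checksum
    saml_request = base64.b64encode(raw_deflate).decode()
    return idp_url + "?" + urlencode({"SAMLRequest": saml_request})


def idp_handle(redirect_url: str, session_cookie: Optional[str]) -> dict:
    """IDP parses the request, checks for a current session (else it must prompt
    for credentials) and answers with a signed assertion POSTed back to the SP."""
    query = parse_qs(urlparse(redirect_url).query)
    raw_deflate = base64.b64decode(query["SAMLRequest"][0])
    request = json.loads(zlib.decompress(raw_deflate, -15))  # -15: raw deflate
    user = IDP_SESSIONS.get(session_cookie)
    if user is None:
        return {"action": "prompt_credentials"}  # no session: show the login form
    assertion = json.dumps({"email": user["email"], "id": user["id"],
                            "audience": request["issuer"]}).encode()
    signature = hmac.new(IDP_SIGNING_KEY, assertion, hashlib.sha256).hexdigest()
    return {"action": "post", "url": request["acs"], "Signature": signature,
            "SAMLResponse": base64.b64encode(assertion).decode()}


def sp_consume(post: dict, expected_audience: str) -> Optional[dict]:
    """SP verifies the signature before trusting anything in the assertion, and
    checks the assertion was issued for this SP rather than replayed from another."""
    assertion = base64.b64decode(post["SAMLResponse"])
    expected = hmac.new(IDP_SIGNING_KEY, assertion, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, post["Signature"]):
        return None  # forged or tampered assertion: do not log the user in
    data = json.loads(assertion)
    if data.get("audience") != expected_audience:
        return None  # assertion meant for a different SP
    return {"email": data["email"], "id": data["id"]}
```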
- Access Manager uses this (artifact flow):
  - User connects to proxy.
  - Proxy redirects to ESP (Embedded Service Provider on the proxy server).
  - ESP redirects to IDP.
  - On success, IDP redirects to ESP with a SAML artifact.
  - User connects to ESP.
  - ESP makes a SOAP call to IDP using the artifact.
  - IDP returns the assertion to ESP.
  - User is redirected to proxy and allowed to continue.
- IDP-initiated POST method.
  - Needs transit site ID and URL.
- IDP-initiated POST/Artifact method.
- Microsoft variant:
  - A proprietary "standard" by Microsoft.
  - A variant of SAML, but kinda different.