SAML 2.0 Integration pattern STS-PEP (Default)
The STS-PEP is the default pattern. It can be used for regular security needs and is available for services inside and outside BV-Net, including access from the internet.
SAML 2.0 Integration
The following figure shows the simplified process and the components involved when an unauthenticated user accesses a web application. The application is not protected by the eIAM web component: the HTTP requests travel directly between the user's browser and the application without passing through the eIAM-Web PEP. eIAM is only used to authenticate the user and as the provider of authorisation roles and user attributes. The individual steps are described below.
Figure: Overview of the authentication messages for an externally hosted application
No. | Action | Description |
---|---|---|
1 | User access to the external web application | The user accesses the external application via web browser. The external application checks the access authorisation and determines that the user must first be authenticated. |
2 | SAML AuthnRequest to user's web browser | The external application issues a signed SAML 2.0 AuthnRequest for the eIAM-Web PEP and sends it as a self-submitting form to the user's web browser. |
3 | SAML AuthnRequest to eIAM-Web PEP | The user's browser automatically sends the form to the eIAM-Web PEP via browser POST using JavaScript. |
4 | SAML AuthnRequest to user's web browser | The eIAM-Web PEP checks whether a session with the user already exists. If it does, processing continues directly with step 13: the eIAM-Web PEP issues a SAML Response and sends it to the external application via the user's browser. If no session with the user exists on the eIAM-Web PEP, the eIAM-Web PEP issues a signed SAML 2.0 AuthnRequest for the eIAM Trustbroker and sends it as a self-submitting form to the user's web browser. |
5 | SAML AuthnRequest to the eIAM Trustbroker | The user's browser automatically sends the form to the eIAM Trustbroker via browser POST using JavaScript. |
 | Home Realm Discovery (HRD) | The eIAM Trustbroker performs a "Home Realm Discovery" and searches for the IdPs trusted by the external application. These trust relationships were defined during the integration of the application on the eIAM Trustbroker. If the external application trusts several IdPs per zone (Federal Administration network/Internet), the user is shown a selection of IdPs and can choose one of them. If the external application trusts only one IdP per zone, there is no interaction with the user. |
6 | SAML AuthnRequest to IdP | The eIAM Trustbroker issues a signed SAML 2.0 AuthnRequest for the IdP and sends it as a self-submitting form to the user's web browser. |
7 | SAML AuthnRequest to the IdP | The user's browser automatically sends the form to the IdP via browser POST using JavaScript. |
8 | Authentication at the IdP | The user is authenticated by means of an authentication method supported by the IdP. Depending on the authentication means, authentication is performed with user interaction (e.g. password, SMS code) or without user interaction (e.g. Active Directory Kerberos). |
9 | SAML Response to eIAM Trustbroker | The IdP issues a SAML 2.0 Response for the eIAM Trustbroker. The response contains a signed SAML assertion with statements (claims) about the subject and its attributes. The SAML Response is sent to the user's web browser as a self-submitting form. |
10 | SAML Response to eIAM Trustbroker; attribute query in AP (eIAM-AM) | The user's browser automatically sends the form to the eIAM Trustbroker via browser POST using JavaScript. The eIAM Trustbroker checks the validity of the IdP's SAML assertion. It then determines, in the eIAM-AM (the access management component of eIAM), the user attributes needed for access management at runtime. The eIAM Trustbroker first looks the user up in the eIAM-Supermandant via the identity reference pointing to the IdP; this yields the user's eIAM account. The user is then looked up via the identity reference pointing to that eIAM account in the Supermandant, either in one specific access client or in all access clients (depending on whether the application called is the specialist application of a specific office or a client-capable platform). The eIAM Trustbroker aggregates the attributes from the IdP with the attributes returned by the query in the eIAM-AM. |
11 | | The eIAM Trustbroker issues a SAML 2.0 Response with a signed assertion for the eIAM-Web PEP and sends it as a self-submitting form to the user's web browser. |
12 | SAML Response to eIAM-Web PEP | The user's browser automatically sends the form to the eIAM-Web PEP via browser POST using JavaScript. |
13 | SAML Response to the eIAM-Web PEP | The eIAM-Web PEP issues a SAML 2.0 Response with a signed assertion for the external application and sends it as a self-submitting form to the user's web browser. |
14 | SAML Response to the external application | The user's browser automatically sends the form to the external application via browser POST using JavaScript. |
15 | Authentication and authorisation at the external application | The external application checks the validity of the SAML 2.0 assertion issued by the eIAM-Web PEP, checks the user's authorisation for the resource and, if successful, creates a session with the user, which is tracked by a cookie. It then redirects the user's web browser either to a predefined URL in the external application or to the URL originally requested by the user (in step 1), which is carried in the RelayState. |
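Step 15 says the external application "checks the validity of the SAML 2.0 assertion of the eIAM-Web PEP". The following is an added example (not code from eIAM or this page) of the checks an application should make on the Response it receives from the self-submitting form in step 14, beyond the XML-Signature check: Destination, InResponseTo against the AuthnRequest IDs it issued in step 2 (which also blocks replay), status, Issuer, validity window and Audience. All endpoint URLs, IDs and the sample Response are constructed; the signature element is omitted and is assumed to have been verified already with an XML-DSig library against the PEP's certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
def _t(s):  # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def validate_response(b64_response, issuer, audience, acs_url, outstanding_ids, now, skew=timedelta(minutes=3)):
    """Return the failed checks ([] = accept). outstanding_ids: IDs of the AuthnRequests this application
    issued (step 2) and has not yet seen answered; an accepted Response consumes its ID, so a replay fails."""
    root = ET.fromstring(base64.b64decode(b64_response))
    errors = []
    if root.get("Destination") != acs_url:                    # addressed to our ACS URL, not another SP's
        errors.append("destination")
    if root.get("InResponseTo") not in outstanding_ids:       # unsolicited or replayed Response
        errors.append("in_response_to")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return errors + ["assertion_missing"]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:  # must be the eIAM-Web PEP
        errors.append("issuer")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if na is None or now >= _t(na) + skew or (nb and _t(nb) - skew > now):   # small clock skew tolerated
        errors.append("time_window")
    auds = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else []
    if audience not in auds:                                  # assertion was issued for this application
        errors.append("audience")
    if not errors:
        outstanding_ids.discard(root.get("InResponseTo"))     # one-time use of the request ID
    return errors
def encode(xml):  # base64 form carried in the SAMLResponse field of the self-submitting form (step 13/14)
    return base64.b64encode(xml.encode()).decode()
# Constructed sample values (hypothetical hosts, not real eIAM endpoints); no XML Signature included.
ISSUER, AUDIENCE, ACS = "https://pep.example.test/eiam-web", "https://app.example.test", "https://app.example.test/saml/acs"
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
LATE = NOW + timedelta(hours=1)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
 InResponseTo="_req42" Destination="https://app.example.test/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://pep.example.test/eiam-web</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(encode(SAMPLE), ISSUER, AUDIENCE, ACS, {"_req42"}, NOW)` returns `[]`; presenting the same Response a second time with the same ID set fails on `in_response_to`, and presenting it an hour later fails on `time_window`.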