A Combined SAML-X.509 Architecture
Architectural highlights include:
- Lightweight SAML Web Browser SSO on the front channel
- IdP Proxy issues X.509-bound SAML authorization tokens on the back channel
- 100% push technology eliminates heavyweight query and SOAP
- Centralized attribute and policy stores
...
Identity Management components are shown in purple in the diagram.
...
SAML Web Browser SSO
A browser user makes an authentication request to a SAML Identity Provider (IdP). The IdP authenticates the user and issues a SAML authentication token containing 1) a persistent, non-reassignable identifier, and 2) an authentication context (i.e., a representation of the act of authentication at the IdP). The browser user presents the authentication token to a web portal (or other cyberinfrastructure) protected by a SAML Service Provider (SP). The SP validates the authentication token, consumes the SAML assertion, and populates a local security context with the resulting security information.
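The SP-side step described above, as an added example that is not part of the original page: a constructed SAML 2.0 assertion is parsed, the issuer, validity window, audience, persistent NameID and authentication context are checked, and the resulting local security context is returned. The IdP and portal URLs and the subject identifier are constructed placeholders, and verification of the assertion's XML signature against the IdP's metadata is assumed to have happened before this function runs.

```python
"""SP-side consumption of a SAML 2.0 authentication assertion (illustrative)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to resist XXE

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion: placeholder URLs and identifier, ds:Signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">d0e4f6a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.example.edu/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def saml_time(value):
    """Parse a SAML UTC timestamp (xs:dateTime with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, expected_issuer, expected_audience, now):
    """Validate the assertion and return the SP's local security context; raise
    ValueError on any failed check. Assumes the XML signature was already verified."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("subject is not a persistent, non-reassignable identifier")
    authn_ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if not authn_ctx:
        raise ValueError("missing authentication context")
    # The local security context handed to the portal's authorization layer.
    return {"issuer": expected_issuer, "subject": name_id.text, "authn_context": authn_ctx.strip()}
```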
...