...
1. Authenticate via X.509.
2. Permit access based on identity? If so, return ALLOW; otherwise continue.
3. Consume all pushed SAML assertions bound to the certificate at the well-known certificate extension.
4. Permit access based on pushed attributes? If so, return ALLOW; otherwise continue.
5. Pull attributes based on Subject Information Access (SIA) and Subject Alt Name extensions? If so, skip to step 9; otherwise continue.
6. Pull attributes based on bound SAML? If so, skip to step 9; otherwise continue.
7. Pull attributes based on Classic GridShib? If so, skip to step 9; otherwise continue.
8. Return DENY.
9. Query for attributes. Consume all returned SAML assertions.
10. Permit access based on combined pushed and pulled attributes? If so, return ALLOW; otherwise return DENY.
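The decision flow above, modelled as an added Python example (not GridShib's own code) that returns the decision together with the step that produced it, which is useful when auditing why a request was allowed or denied. The `Credential` fields, the `decide` signature, the policy and the attribute authority URL are all assumptions made for illustration; certificate validation (step 1) and SAML parsing are taken as already done.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "ALLOW", "DENY"

@dataclass
class Credential:
    """Constructed stand-in for a credential that already passed step 1."""
    subject: str
    pushed_attrs: set = field(default_factory=set)  # step 3: from SAML bound to the cert
    sia_san_target: Optional[str] = None            # step 5: from SIA / Subject Alt Name
    bound_saml_target: Optional[str] = None         # step 6: from bound SAML
    classic_target: Optional[str] = None            # step 7: Classic GridShib

def decide(cred, identity_acl, attr_policy, query):
    """Return (decision, step): step is the list step that produced the decision."""
    if cred.subject in identity_acl:                # step 2: identity-based policy
        return ALLOW, 2
    attrs = set(cred.pushed_attrs)                  # step 3: consume pushed attributes
    if attr_policy(attrs):                          # step 4: pushed attributes suffice
        return ALLOW, 4
    # Steps 5-7: try the pull methods in order; the first that applies is used.
    target = cred.sia_san_target or cred.bound_saml_target or cred.classic_target
    if target is None:
        return DENY, 8                              # step 8: no pull method applies
    attrs |= set(query(target, cred.subject))       # step 9: query, consume assertions
    # Step 10: the policy sees the union of pushed and pulled attributes.
    return (ALLOW if attr_policy(attrs) else DENY), 10

# Constructed sample policy and attribute authority (hypothetical values).
ACL = {"CN=Site Admin"}

def policy(attrs):
    return {"vo:example", "role:submit"} <= attrs

def fake_query(target, subject):
    return {"role:submit"} if target == "https://aa.example.org" else set()

if __name__ == "__main__":
    alice = Credential("CN=Alice", {"vo:example"},
                       classic_target="https://aa.example.org")
    print(decide(alice, ACL, policy, fake_query))
```

In the sample, neither the pushed attribute nor the pulled attribute satisfies the policy alone; access is granted only at step 10, once both sets are combined.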
Here's more detail for steps 5, 6, and 7.
...