Periodically the GM provisions the group membership information into an LDAP directory that becomes the central attribute store for the CI. This attribute store is made available to other CI components, including the Credential Manager and various subcomponents of the authorization framework.
The Credential Manager issues an X.509 proxy credential \[RFC 3820\] signed by its [RFC 3820] signed by its X.509 end entity credential \[RFC 3280\[RFC 3280]. The proxy certificate contains a SAML assertion bound to a non-critical certificate extension. The SAML assertion contains user identity, authentication context and attributes, all used by the relying party for the purposes of access control. Wiki Markup
A client requests a back-end resource and presents the proxy certificate containing the SAML authorization token to a relying party (RP). The RP authenticates the client, consumes the X.509-bound SAML token, and populates a local security context with the resulting security information.