Within the IdP, a profile workflow is a Webflow that handles a particular protocol/profile request (e.g., SAML 2 SSO or SAML 1 Attribute Query). Within the profile flow, various subflows may be run that carry out reusable tasks like authentication, attribute resolution, etc. These subflows are generally described in their own sections of the top level design.
The following describes the flow for each profile including the steps that make it up and what they do:
- SAML 1.1 Browser SSO
- 6.2 SAML 1 Attribute Query
- 6.3 SAML 1 Artifact Resolution
- 6.4 SAML 2 SP-Initiated SSO
- 6.5 SAML 2 IdP-Initiated SSO
- 6.6 SAML 2 Attribute Query
- 6.7 SAML 2 Artifact Resolution
- 6.8 Constrained Web Service SSO
Relying Party Configuration Management
When a remote system makes a request of the identity provider, the IdP may wish to use a configuration tailored to the requester when responding. Such configurations are known as relying party configuration, for consistency with V2 terminology and configuration.
Relying Party Configuration
A relying party configuration (RPC) is a set of configuration options that apply to a given relying party. Every RPC contains, at least:
- a unique identifier that is used mostly for logging purposes; it doesn't necessarily correspond to any actual "name" of the RP
- a predicate that determines if the RPC applies for a given request
- a set of profile configurations
The profile configurations indicate whether a particular communication profile is enabled for use with the relying party and any special configuration options for that profile. Example communication profiles would be SAML 1 attribute queries, SAML 2 SSO requests, etc.
Profile configurations also carry a SecurityConfiguration that supply relevent security settings such as algorithms, credentials, and so forth.
Relying Party Configuration Resolver
The IdP component responsible for keeping track of, and selecting the appropriate, RPC for a given request is the Relying Party Configuration Resolver.
The RPC for a request is selected by iterating through an ordered list of registered RPCs and evaluating the current ProfileRequestContext against the RPC's predicate. The first RPC with a predicate to return an affirmative result is the RPC that's used for the request.
In addition, the resolver stores a special RPC that is used when the IdP deems a particular requester to be "anonymous". This usually occurs when the request does not identify the requester or the identity can not be verified.