Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.

Profile Handling and Relying Party Configuration Management

Profile Handling

The profile workflows are built using Spring WebFlow, so it's important to understand the basics of WebFlow flows before proceeding.

Within the IdP, a profile workflow is a WebFlow flow that responds to a particular protocol profile request (e.g., SAML 2 SSO or SAML 1 Attribute Query).

The following describes the flow for each profile, including the steps that make it up and what each step does:

Relying Party Configuration Management

When a relying party makes a request of the identity provider, the IdP may wish to use a configuration tailored to the requester when responding. Such configurations are known as relying party configurations.

Relying Party Configuration

A relying party configuration (RPC) is a set of configuration options that apply to a given relying party. Every RPC contains, at least:

  • an identifier, unique within the IdP, that is used mostly for logging purposes
  • criteria that determine whether the RPC applies to a given request
  • a set of profile configurations

The profile configurations indicate whether a particular communication profile is enabled for use with the relying party, along with any special configuration options for that profile. Example communication profiles are SAML 1 attribute queries, SAML 2 SSO requests, and ADFS v1 authentication requests.

Relying Party Configuration Resolver

The IdP component responsible for keeping track of the registered RPCs and selecting the appropriate one for a given request is the Relying Party Configuration Resolver.

The RPC for a request is selected by iterating through the ordered list of registered RPCs and evaluating the current profile request context against each RPC's criteria. The first RPC whose criteria return an affirmative result is the RPC used for the request, so the order of the list matters: a broadly matching entry placed early will shadow more specific entries after it.

In addition, the resolver stores a special RPC that is used when the IdP deems a particular requester to be "anonymous". This usually occurs when the request does not identify the requester or the identity cannot be verified.
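The following is an added illustration of the resolution rules described above (ordered first-match evaluation plus the anonymous fallback); it is a constructed model, not the IdP's own code, and the RPC identifiers, entity IDs and profile names in it are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of RPC resolution as described on this page; not Shibboleth code.
@dataclass
class ProfileRequestContext:
    requester_id: Optional[str]   # None when the request does not identify the requester
    verified: bool                # False when the IdP could not verify the claimed identity
    profile: str                  # e.g. "SAML2.SSO" or "SAML1.AttributeQuery" (example names)

@dataclass
class RelyingPartyConfiguration:
    id: str                                            # unique within the IdP, used for logging
    criteria: Callable[[ProfileRequestContext], bool]  # does this RPC apply to the request?
    profiles: Dict[str, bool]                          # communication profile -> enabled

class RelyingPartyConfigurationResolver:
    def __init__(self, ordered: List[RelyingPartyConfiguration],
                 anonymous: RelyingPartyConfiguration) -> None:
        self.ordered = ordered      # evaluated in order; the first affirmative match wins
        self.anonymous = anonymous  # used when the requester is unnamed or unverified

    def resolve(self, ctx: ProfileRequestContext) -> RelyingPartyConfiguration:
        # An unidentified or unverified requester never reaches the tailored entries.
        if ctx.requester_id is None or not ctx.verified:
            return self.anonymous
        for rpc in self.ordered:
            if rpc.criteria(ctx):
                return rpc
        raise LookupError("no RPC matched; place a catch-all entry at the end of the list")

def profile_enabled(resolver: RelyingPartyConfigurationResolver,
                    ctx: ProfileRequestContext) -> bool:
    # A profile the selected RPC does not list is treated as disabled.
    return resolver.resolve(ctx).profiles.get(ctx.profile, False)

def build_resolver(catch_all_first: bool = False) -> RelyingPartyConfigurationResolver:
    # Sample entries (constructed): an override for one named SP and a catch-all default.
    sp_rpc = RelyingPartyConfiguration(
        "sp-example",
        lambda c: c.requester_id == "https://sp.example.org/shibboleth",
        {"SAML2.SSO": True, "SAML1.AttributeQuery": True})
    default_rpc = RelyingPartyConfiguration("default", lambda c: True, {"SAML2.SSO": True})
    anon_rpc = RelyingPartyConfiguration("anonymous", lambda c: True, {})  # nothing enabled
    # Putting the catch-all first shadows the specific entry; shown here to make that visible.
    ordered = [default_rpc, sp_rpc] if catch_all_first else [sp_rpc, default_rpc]
    return RelyingPartyConfigurationResolver(ordered, anon_rpc)
```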
