Profile Handling and Relying Party Configuration Management
Within the IdP, a profile workflow is a Webflow flow that responds to a particular protocol profile request (e.g., SAML 2 SSO or SAML 1 Attribute Query).
The following sections describe the flow for each profile, including the steps that make it up and what each step does:
- 6.1 SAML 1 IdP-Initiated SSO
- 6.2 SAML 1 Attribute Query
- 6.3 SAML 1 Artifact Resolution
- 6.4 SAML 2 SP-Initiated SSO
- 6.5 SAML 2 IdP-Initiated SSO
- 6.6 SAML 2 Attribute Query
- 6.7 SAML 2 Artifact Resolution
- 6.8 Constrained Web Service SSO
Relying Party Configuration Management
When a relying party makes a request of the identity provider, the IdP may wish to respond using a configuration tailored to that requester. Such a configuration is known as a relying party configuration.
Relying Party Configuration
A relying party configuration (RPC) is a set of configuration options that apply to a given relying party. Every RPC contains, at least:
- an identifier, unique within the IdP, that is used mostly for logging purposes
- criteria that determine whether the RPC applies to a given request
- a set of profile configurations
A profile configuration indicates whether a particular communication profile is enabled for use with the relying party, together with any options specific to that profile. Example communication profiles are SAML 1 attribute queries, SAML 2 SSO requests, and ADFS v1 authentication requests.
Relying Party Configuration Resolver
The IdP component responsible for keeping track of the registered RPCs and selecting the appropriate one for a given request is the Relying Party Configuration Resolver.
The RPC for a request is selected by iterating through the ordered list of registered RPCs and evaluating the current profile request context against each RPC's criteria. The first RPC whose criteria return an affirmative result is used for the request. Because the list is ordered, a broadly matching RPC placed ahead of a more specific one will shadow it, so catch-all entries belong at the end.
In addition, the resolver stores a special RPC that is used when the IdP deems a requester to be "anonymous". This usually occurs when the request does not identify the requester or the claimed identity cannot be verified. Since nothing about such a requester has been confirmed, the anonymous RPC should enable only the profiles the IdP is willing to offer to anyone; a requester that merely names a known entityID without proving it must not be handed that entity's tailored configuration.
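The following is an added worked example, not code from the Shibboleth project, modelling the relying party configuration and the resolver's first-match selection described above. The class names, the `requester_verified` flag on the request context, the profile names, the entityIDs and the behaviour when no RPC matches a verified requester (fail closed) are assumptions made for illustration; the page itself describes only the ordered first-match rule and the anonymous fallback.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ProfileRequestContext:
    """What the resolver sees for one inbound request (constructed model).

    requester_verified is True only when the IdP could actually confirm that
    the request came from requester_id (e.g. a valid signature checked against
    that entity's registered metadata). A bare claimed entityID is not enough."""
    profile: str                        # e.g. "SAML2SSO", "SAML1AttributeQuery"
    requester_id: Optional[str] = None  # entityID named in the request, if any
    requester_verified: bool = False


@dataclass
class ProfileConfiguration:
    enabled: bool
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class RelyingPartyConfiguration:
    id: str                                            # unique within the IdP, used for logging
    criteria: Callable[[ProfileRequestContext], bool]  # does this RPC apply to the request?
    profiles: Dict[str, ProfileConfiguration]          # per-profile enable flag and options


class RelyingPartyConfigurationResolver:
    def __init__(self, rpcs: List[RelyingPartyConfiguration],
                 anonymous: RelyingPartyConfiguration) -> None:
        self.rpcs = list(rpcs)      # order is significant: first match wins
        self.anonymous = anonymous  # used when the requester is unknown or unverified

    def resolve(self, ctx: ProfileRequestContext) -> RelyingPartyConfiguration:
        # A request that names no requester, or whose claimed identity could not
        # be verified, is "anonymous" and never reaches the tailored RPCs.
        if ctx.requester_id is None or not ctx.requester_verified:
            return self.anonymous
        for rpc in self.rpcs:
            if rpc.criteria(ctx):
                return rpc
        # Assumption: the page does not say what happens when nothing matches a
        # verified requester; failing closed is the safe choice for an IdP.
        raise LookupError(f"no relying party configuration matches {ctx.requester_id}")


def is_profile_enabled(rpc: RelyingPartyConfiguration, profile: str) -> bool:
    """A profile is usable only if the selected RPC lists it and enables it."""
    cfg = rpc.profiles.get(profile)
    return cfg is not None and cfg.enabled


PARTNER_SP = "https://sp.example.org/shibboleth"  # hypothetical entityID


def build_example_resolver() -> RelyingPartyConfigurationResolver:
    """Constructed sample: one tailored RPC, one catch-all, one anonymous RPC."""
    partner = RelyingPartyConfiguration(
        id="partner-sp",
        criteria=lambda ctx: ctx.requester_id == PARTNER_SP,
        profiles={
            "SAML2SSO": ProfileConfiguration(True, {"encryptAssertions": "always"}),
            "SAML1AttributeQuery": ProfileConfiguration(False),
        },
    )
    # Catch-all for any other verified requester; must come AFTER the specific RPC.
    any_verified = RelyingPartyConfiguration(
        id="default-verified",
        criteria=lambda ctx: True,
        profiles={"SAML2SSO": ProfileConfiguration(True)},
    )
    # Nothing is known about an anonymous requester, so nothing is enabled here.
    anonymous = RelyingPartyConfiguration(
        id="anonymous",
        criteria=lambda ctx: False,  # never chosen by iteration, only as the fallback
        profiles={"SAML2SSO": ProfileConfiguration(False),
                  "SAML1AttributeQuery": ProfileConfiguration(False)},
    )
    return RelyingPartyConfigurationResolver([partner, any_verified], anonymous)


def resolve_id(resolver: RelyingPartyConfigurationResolver, profile: str,
               requester_id: Optional[str] = None, verified: bool = False) -> str:
    """Convenience: the id of the RPC selected for a request built from the arguments."""
    return resolver.resolve(ProfileRequestContext(profile, requester_id, verified)).id


if __name__ == "__main__":
    r = build_example_resolver()
    print(resolve_id(r, "SAML2SSO", PARTNER_SP, verified=True))    # partner-sp
    print(resolve_id(r, "SAML2SSO", PARTNER_SP, verified=False))   # anonymous
    print(resolve_id(r, "SAML2SSO", "https://other.example.net/sp", verified=True))  # default-verified
```

The third request in the demo names the partner's entityID but could not be verified, and therefore lands on the anonymous RPC rather than the partner's tailored one; reversing the order of the two registered RPCs makes the catch-all swallow every verified request, which is the ordering hazard to watch for when editing the RPC list.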