WebLogic Security Service Architecture 5-13
■ HTTP POST - The Identity Provider sends the authentication response, which contains the assertion, to the user's browser. The authentication response is transmitted to the Service Provider via an HTTP POST message.
■ HTTP Artifact - The Identity Provider sends an authentication response, which contains a SAML artifact, to the user's browser. The SAML artifact contains a pointer to the assertion, which is handled by the Identity Provider's Artifact Resolution Service (ARS). The authentication response is transmitted to the Service Provider via an HTTP redirect message. When the Service Provider receives the response, it sends an artifact resolution request to the Identity Provider's ARS to obtain the assertion.
6. The ACS validates the assertion, extracts the identity information from that assertion, and maps that identity to a subject in the local security realm.
7. The ACS sends an HTTP redirect message to the browser, passing a cookie containing a session ID and enabling the browser to access the requested resource.
8. The WebLogic Security Service performs an authorization check to determine whether the browser may access the requested resource. If the authorization check succeeds, access to the resource is granted.
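As an added example, not code from the Oracle documentation or from WebLogic Server itself, the following Python shows what the HTTP Artifact binding described above carries and how the resolution step works: the artifact is only a pointer, and the Service Provider obtains the real response by resolving it with the Identity Provider's ARS. The 44-byte artifact layout is the standard SAML 2.0 type 0x0004 format; the entity IDs, the in-memory ArtifactResolutionService class and the direct method call that stands in for the back-channel resolution request are assumptions of this example.

```python
import base64
import hashlib
import os
import struct

# SAML 2.0 artifact layout for type code 0x0004:
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
ARTIFACT_TYPE = 0x0004
ARTIFACT_LEN = 44


def source_id(entity_id):
    """SourceID is the SHA-1 digest of the Identity Provider's entity ID (public, not a secret)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def make_artifact(entity_id, handle, endpoint_index=0):
    raw = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type")
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "handle": raw[24:44]}


class ArtifactResolutionService:
    """Hypothetical stand-in for the IdP's ARS: keeps each issued response by
    message handle and hands it out exactly once."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}

    def issue(self, response_xml):
        handle = os.urandom(20)            # unpredictable message handle
        self._pending[handle] = response_xml
        return make_artifact(self.entity_id, handle)

    def resolve(self, artifact):
        parsed = parse_artifact(artifact)
        if parsed["source_id"] != source_id(self.entity_id):
            return None
        # pop(): an artifact that has been resolved cannot be resolved a second time
        return self._pending.pop(parsed["handle"], None)


def service_provider_consume(artifact, identity_providers):
    """SP side: route the artifact to the IdP whose SourceID it carries and
    fetch the response from that IdP's ARS. The artifact itself is never
    trusted as identity data; only what the ARS returns is."""
    parsed = parse_artifact(artifact)
    ars = identity_providers.get(parsed["source_id"])
    if ars is None:
        raise LookupError("artifact does not belong to a configured Identity Provider")
    response = ars.resolve(artifact)
    if response is None:
        raise LookupError("artifact unknown or already resolved")
    return response


def run_artifact_demo():
    idp_entity_id = "https://idp.example.org/saml2"   # constructed entity ID
    ars = ArtifactResolutionService(idp_entity_id)
    sp_known_idps = {source_id(idp_entity_id): ars}   # SP configuration keyed by SourceID
    artifact = ars.issue("<samlp:Response>constructed response</samlp:Response>")
    results = {"artifact_len": len(base64.b64decode(artifact)),
               "first": service_provider_consume(artifact, sp_known_idps)}
    try:
        service_provider_consume(artifact, sp_known_idps)
        results["replay"] = "accepted"
    except LookupError:
        results["replay"] = "rejected"
    foreign = make_artifact("https://other.example.net/saml2", b"\x00" * 20)
    try:
        service_provider_consume(foreign, sp_known_idps)
        results["unknown_idp"] = "accepted"
    except LookupError:
        results["unknown_idp"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_artifact_demo())
```

Two properties of the binding are visible in the demo: the Service Provider picks the ARS to call from the SourceID embedded in the artifact, so an artifact naming an unconfigured Identity Provider is rejected before any request is made, and a resolved artifact is consumed, so presenting it a second time yields nothing.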
5.2.2.2 Identity Provider Initiated Single Sign-On
WebLogic Server also supports the scenario in which a web single sign-on session is initiated by an Identity Provider. In this scenario, a user is authenticated by an Identity Provider and then issues a request for a resource that is hosted by a Service Provider. The Identity Provider initiates the SSO session by sending an unsolicited authentication response to the Service Provider.
When the Service Provider receives the authentication response, the Service Provider extracts the identity of the user from the assertion, maps that identity to a local subject, and performs an authorization check on the requested resource. If the authorization check succeeds, access is granted.
Figure 5–10 shows the flow of execution in a typical Identity Provider initiated SSO session.
Figure 5–10 Identity Provider Initiated Single Sign-On
Note the following callouts in Figure 5–10 showing the flow of execution:
1. The user is presented with a login web application hosted by an Identity Provider that authenticates the user. The Identity Provider challenges the user for his or her credentials.
2. The user provides his or her username and password to the Identity Provider, which completes the authentication process. The user then issues a request on a resource that is hosted by a Service Provider.
3. The Single Sign-On Service hosted by the Identity Provider sends an unsolicited authentication response to the Service Provider's Assertion Consumer Service (ACS).
Regardless of how the SSO session is initiated, the Identity Provider uses the same bindings as described in Section 5.2.2.1, "Service Provider Initiated Single Sign-On".
4. The ACS validates the assertion, extracts the identity information, and maps that identity to a subject in the local security realm. The ACS sends an HTTP redirect message to the browser, passing a cookie containing a session ID and enabling the browser to access the requested resource.
5. The WebLogic Security Service performs an authorization check to determine whether the browser may access the requested resource. If the authorization check succeeds, access to the resource is granted.
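The ACS step in both flows ("validates the assertion, extracts the identity information, and maps that identity to a subject in the local security realm") is where an unsolicited, Identity Provider initiated response differs from a solicited one: there is no InResponseTo tying it to a request the Service Provider sent. The following Python is an added example, not code from the Oracle documentation or from WebLogic Server, of the checks a generic SAML 2.0 ACS performs before mapping the subject. The Service Provider configuration, the sample response, the LOCAL_USERS mapping and the AssertionConsumerService class are all constructed for this example, and XML signature verification is assumed to have been done by a separate XML-DSig step before consume() runs.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical Service Provider configuration, constructed for this example.
SP_ENTITY_ID = "https://sp.example.com/saml2"
ACS_URL = "https://sp.example.com/saml2/acs"
CLOCK_SKEW = dt.timedelta(minutes=3)
LOCAL_USERS = {"alice@example.org": "alice"}   # NameID -> user in the local security realm


def parse_utc(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


class AssertionConsumerService:
    """Validates a samlp:Response and maps its subject to a local user.
    Signature verification is assumed to have happened before consume() is called."""

    def __init__(self, trusted_issuers, allow_unsolicited):
        self.trusted_issuers = set(trusted_issuers)
        self.allow_unsolicited = allow_unsolicited   # accept IdP-initiated responses?
        self.seen_assertion_ids = set()              # replay cache

    def consume(self, response_xml, now, outstanding_request_ids=()):
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % NS["samlp"]:
            raise ValueError("not a samlp:Response")
        if root.get("Destination") != ACS_URL:
            raise ValueError("Destination does not match this ACS")
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            raise ValueError("non-success status")
        # Solicited (SP-initiated) responses must answer a request this SP actually sent;
        # unsolicited (IdP-initiated) ones carry no InResponseTo and need explicit opt-in.
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            if not self.allow_unsolicited:
                raise ValueError("unsolicited response not accepted")
        elif in_response_to not in outstanding_request_ids:
            raise ValueError("InResponseTo does not match an outstanding request")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("no assertion")
        if assertion.findtext("saml:Issuer", default="", namespaces=NS) not in self.trusted_issuers:
            raise ValueError("untrusted issuer")
        assertion_id = assertion.get("ID")
        if assertion_id in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            raise ValueError("missing Conditions")
        if now + CLOCK_SKEW < parse_utc(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if now - CLOCK_SKEW >= parse_utc(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise ValueError("audience mismatch")
        confirmed = False
        for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
            data = sc.find("saml:SubjectConfirmationData", NS)
            if (sc.get("Method") == BEARER and data is not None
                    and data.get("Recipient") == ACS_URL
                    and now - CLOCK_SKEW < parse_utc(data.get("NotOnOrAfter"))):
                confirmed = True
        if not confirmed:
            raise ValueError("no valid bearer subject confirmation")
        name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
        local_user = LOCAL_USERS.get(name_id)
        if local_user is None:
            raise LookupError("NameID does not map to a local subject")
        self.seen_assertion_ids.add(assertion_id)
        return local_user


# Constructed unsolicited response (no InResponseTo), as an IdP-initiated flow delivers.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml2/acs">
  <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml2/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_acs_demo():
    idp = ["https://idp.example.org/saml2"]
    now = parse_utc("2024-01-01T12:00:30Z")
    acs = AssertionConsumerService(idp, allow_unsolicited=True)
    results = {"first": acs.consume(SAMPLE_RESPONSE, now)}
    for label, consumer, when in (
            ("replay", acs, now),
            ("strict_sp", AssertionConsumerService(idp, allow_unsolicited=False), now),
            ("expired", AssertionConsumerService(idp, allow_unsolicited=True), parse_utc("2024-01-01T12:10:00Z"))):
        try:
            consumer.consume(SAMPLE_RESPONSE, when)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```

The demo accepts the constructed response once and maps it to the local user alice, then shows the three outcomes a defender cares about for unsolicited responses: the same assertion presented again is caught by the ID replay cache, a Service Provider that has not opted in to IdP-initiated SSO rejects it for lacking InResponseTo, and a response presented after its NotOnOrAfter (allowing for clock skew) is rejected as expired.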
5.2.3 Desktop SSO Process