SAML 2.0 Integration Pattern BTB-Direct
(Standard Integration Pattern)

BTB-Direct is the standard integration pattern and is used for regular security requirements. It is available for services inside and outside the Federal Administration network.

SAML 2.0 Integration

The figure below illustrates in simplified form the flow and the components involved when a user who is not yet authenticated accesses a web application. The HTTP requests travel directly between the user’s browser and the application. eIAM is used solely for authenticating the user and as a provider of identities, authorization roles, and user attributes. The individual steps are described in the table below.
Overview Messages Authentication for an externally hosted application


Legend:

The symbol in the figure marks requests and responses that should or must be signed (more information under: Further requirements SAML 2.0).

No.  Action / Description

1  User access to the external web application
   The user accesses the external application via a web browser. The external application checks access authorization and determines that the user must first be authenticated.

2  AuthnRequest from the application to the eIAM Trustbroker (eIAM BTB)
   The external application creates a signed SAML 2.0 AuthnRequest addressed to the eIAM Trustbroker and sends it as a self-submitting form directly to the user's web browser. The user's browser automatically submits the form to the eIAM Trustbroker via browser POST using JavaScript.

3  Home Realm Discovery (HRD) / Login context
   The eIAM Trustbroker performs a "Home Realm Discovery" and displays the IdPs according to the ordered login context (eGOV or Federal context plus sector IdP).

4  Redirect (SAML AuthnRequest) from the eIAM BTB to the selected IdP
   The eIAM Trustbroker creates a signed SAML 2.0 AuthnRequest addressed to the IdP and sends it as a self-submitting form to the user's web browser. The user's browser automatically submits the form to the IdP via browser POST using JavaScript.

5  Authentication at the IdP
   The user is authenticated using an authentication method supported by the IdP. Depending on the method, authentication occurs with user interaction (e.g., AccessApp, password) or without user interaction (e.g., Active Directory Kerberos, existing session at the IdP).

6  SAML Response from the IdP to the eIAM Trustbroker
   The IdP creates a SAML 2.0 Response for the eIAM Trustbroker. The response contains a signed SAML assertion (the entire SAML message is also signed) with statements (claims) about the subject and the subject's attributes. The SAML response is sent to the user's web browser as a self-submitting form, which the browser submits to the eIAM Trustbroker.

7  Attribute query in eIAM AM
   The eIAM Trustbroker verifies the validity of the IdP's SAML assertion. In addition to the attributes provided by the IdP, the eIAM Trustbroker retrieves further identity information from eIAM IDM, which is made available as attributes. When eIAM Access Management (eIAM AM, a component of eIAM) is used, the Trustbroker determines at runtime the user attributes required for access management: the user's eIAM account is looked up via the identity reference pointing to the IdP, and the user is then searched for via that identity reference in a specific Access Client or in all Access Clients.

8  Aggregation of attributes
   The eIAM Trustbroker aggregates the attributes from the IdP with the attributes obtained from the query in the eIAM Root Client (and the eIAM Access Client when using eIAM AM).

9  SAML Response from the eIAM BTB to the external application
   The eIAM Trustbroker creates a SAML 2.0 Response with a signed assertion (the entire SAML message is also signed) addressed to the external application and sends it as a self-submitting form to the user's web browser. The user's browser automatically submits the form to the external application via browser POST using JavaScript.

10 Authentication and authorization on the external application
   The external application checks the validity of the eIAM Trustbroker's SAML assertion, authorizes the user for the resource (among other things based on the information in the SAML token), and, if successful, creates a session with the user that is tracked via a cookie. The user's web browser is then redirected either to a predefined URL in the external application or to the URL originally requested by the user (in step 1), which is carried in the RelayState.
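The flow in the table reduces, on the application side, to two pieces of code: the HTTP-POST binding that turns a SAML message into a self-submitting form (steps 2, 4, 6 and 9 all use it), and the checks the application must run on the Trustbroker's Response in step 10 before it creates a session. The following is an added example written for this page, not eIAM software or a copy of any eIAM interface. All entity IDs, URLs, attribute names and the sample Response are constructed; XML-DSig signing of the AuthnRequest and verification of the Response and Assertion signatures are left to a library such as signxml, so the code only refuses messages on which a signature is absent.

```python
# Added example for the BTB-Direct flow above (not eIAM software): HTTP-POST binding
# for steps 2/4/6/9 and SP-side checks for step 10. Entity IDs, URLs, attribute names
# and the sample Response are constructed; XML-DSig is left to a library (e.g. signxml).
import base64
import html
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.org/saml/metadata"   # assumed SP entityID
SP_ACS_URL = "https://app.example.org/saml/acs"          # assumed Assertion Consumer Service URL
BTB_ENTITY_ID = "https://btb.example.org/saml/idp"       # assumed Trustbroker entityID
BTB_SSO_URL = "https://btb.example.org/saml/sso/post"    # assumed Trustbroker SSO endpoint
CLOCK_SKEW = timedelta(seconds=60)                        # tolerated SP/Trustbroker clock drift
_pending = {}             # AuthnRequest IDs issued in step 2, consumed once in step 10
_seen_assertions = set()  # Assertion IDs already accepted (replay protection)
def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _now(now): return now or datetime.now(timezone.utc)

def build_authn_request(now=None):
    """Step 2: return (ID, AuthnRequest XML); the SP signs the XML before posting it."""
    now, rid = _now(now), "_" + secrets.token_hex(16)
    _pending[rid] = now
    return rid, (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{rid}" '
                 f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{BTB_SSO_URL}" '
                 f'AssertionConsumerServiceURL="{SP_ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
                 f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def post_binding_form(action, field, xml, relay_state):
    """HTTP-POST binding: the self-submitting form the browser forwards (field is SAMLRequest or SAMLResponse)."""
    b64 = base64.b64encode(xml.encode()).decode()
    return (f'<form method="post" action="{html.escape(action)}"><input type="hidden" name="{field}" value="{b64}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')

def safe_relay_state(relay_state):
    """Step 10 redirect target: honour only a local path, otherwise RelayState becomes an open redirect."""
    p = urlsplit(relay_state)
    if p.scheme or p.netloc or "\\" in relay_state or not relay_state.startswith("/") or relay_state.startswith("//"):
        return "/"
    return relay_state

def validate_response(response_b64, now=None):
    """Step 10: what the SP must check before trusting the Trustbroker's Response (after XML-DSig verification)."""
    def need(cond, msg):
        if not cond: raise ValueError(msg)
    now, root = _now(now), ET.fromstring(base64.b64decode(response_b64))
    need(root.tag == f'{{{NS["samlp"]}}}Response', "not a samlp:Response")
    need(root.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    need(root.find("ds:Signature", NS) is not None, "Response message not signed")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    need(code is not None and code.get("Value") == SUCCESS, "status is not Success")
    rid = root.get("InResponseTo")
    need(rid in _pending, "unknown or already used InResponseTo (unsolicited response?)")
    assertions = root.findall("saml:Assertion", NS)
    need(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    need(a.find("ds:Signature", NS) is not None, "Assertion not signed")
    need(a.findtext("saml:Issuer", namespaces=NS) == BTB_ENTITY_ID, "Issuer is not the Trustbroker")
    need(a.get("ID") not in _seen_assertions, "Assertion replayed")
    cond = a.find("saml:Conditions", NS)
    need(cond is not None and _parse_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now
         < _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW, "Assertion outside its validity window")
    need(SP_ENTITY_ID in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
         "SP not in AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    need(scd is not None and scd.get("Recipient") == SP_ACS_URL and scd.get("InResponseTo") == rid
         and now < _parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW, "SubjectConfirmationData check failed")
    del _pending[rid]                    # exactly one Response per AuthnRequest
    _seen_assertions.add(a.get("ID"))
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def make_sample_response(rid, now=None, lifetime_s=300, destination=SP_ACS_URL):
    """Constructed step-9 Response for the demo; empty ds:Signature elements stand in for real signatures."""
    now = _now(now)
    exp = _ts(now + timedelta(seconds=lifetime_s))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
           f'ID="_r{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{destination}" '
           f'InResponseTo="{rid}"><saml:Issuer>{BTB_ENTITY_ID}</saml:Issuer><ds:Signature/>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{BTB_ENTITY_ID}</saml:Issuer><ds:Signature/><saml:Subject><saml:NameID>user-0001</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{rid}" NotOnOrAfter="{exp}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{exp}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>editor'
           '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A typical run is `rid, xml = build_authn_request()`, then `post_binding_form(BTB_SSO_URL, "SAMLRequest", xml, "/orders/42")` to produce the step-2 form, and later `validate_response(posted_saml_response)` at the ACS endpoint. Two points the table does not spell out: the request ID is remembered so that the Response's InResponseTo can be matched and consumed (an unsolicited or replayed Response is rejected), and the RelayState that step 10 redirects to is attacker-influenced input, so `safe_relay_state` only honours a local path before the redirect.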