...
The SAML-based authentication workflow for patrons is depicted in the figure below:
Image I. SAML Authentication Workflow in Circulation Manager (content provider does not use SAML)
Both the Circulation Manager and the IdP must have their metadata registered with each other. In the simplest case this is a Shibboleth environment where the SP's metadata is added to the IdP's configuration and vice versa. The better solution, however, is to register the Circulation Manager in the InCommon Federation, which allows any IdP in the federation to be used.
The figure below shows the workflow when the content itself is protected by a SAML authentication mechanism, either via a SAML proxy or via EZProxy with SAML authentication turned on.
Image II. SAML Authentication Workflow in Circulation Manager (content provider uses a SAML proxy or EZProxy with SAML authentication turned on)
An alternate configuration may delegate authentication to another application, such as a CAS server.
Image III. SAML Authentication Workflow in Circulation Manager (content provider uses a SAML proxy or EZProxy with SAML authentication turned on, plus CAS authentication delegation)
In this case there are two authentication events:
...
Table I. Circulation Manager SP's Configuration

| Parameter Name | Mandatory | Description |
|---|---|---|
| Service Provider's XML metadata | Yes | SAML metadata of the Circulation Manager's Service Provider in XML format (must contain exactly one SPSSODescriptor tag) |
| Service Provider's private key | No | Private key used for encrypting and signing SAML requests |
| Identity Provider's XML metadata | Yes | SAML metadata of the Identity Providers in XML format (may contain multiple IDPSSODescriptor tags) |
| SAML token expiration days | No | Number of days until the Bearer token used by the SAML authentication provider expires |
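The two metadata constraints in the table (exactly one SPSSODescriptor in the SP metadata, one or more IDPSSODescriptor entries in the IdP metadata) are easy to check before the configuration is saved. The following validator is an added example written for this page; it is not Circulation Manager code. It uses only the Python standard library, accepts either a single EntityDescriptor or an EntitiesDescriptor aggregate of the kind a federation publishes, and additionally reports whether the SP metadata declares AuthnRequestsSigned, in which case the optional private key from the table becomes necessary. The entity IDs, hostnames and endpoints in the sample metadata are constructed for the example.

```python
"""Validate SAML metadata against the Circulation Manager SP configuration rules.

Added example, not project code. Constraints checked:
  - SP metadata contains exactly one SPSSODescriptor
  - IdP metadata contains at least one IDPSSODescriptor, each with an SSO endpoint
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample SP metadata (hostnames and entityID are made up).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://circulation.example.org/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://circulation.example.org/saml/callback" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with a second SPSSODescriptor injected: must be rejected.
SP_METADATA_BAD = SP_METADATA.replace(
    "</md:SPSSODescriptor>", "</md:SPSSODescriptor><md:SPSSODescriptor/>")

# Constructed federation-style aggregate with two IdPs.
IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.library-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.library-a.example/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.library-b.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.library-b.example/idp/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _parse(xml_text: str) -> ET.Element:
    # Stdlib ElementTree keeps the example dependency-free; metadata obtained
    # from third parties should be parsed with a hardened parser (e.g. defusedxml)
    # to block entity-expansion attacks.
    return ET.fromstring(xml_text)


def _entity_descriptors(root: ET.Element) -> list:
    """Return every EntityDescriptor, whether the root is one or an aggregate."""
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        return [root]
    return root.findall(".//md:EntityDescriptor", NS)


def validate_sp_metadata(xml_text: str) -> dict:
    """Enforce 'exactly one SPSSODescriptor' and summarise the SP role."""
    found = [(ed.get("entityID"), sp)
             for ed in _entity_descriptors(_parse(xml_text))
             for sp in ed.findall("md:SPSSODescriptor", NS)]
    if len(found) != 1:
        raise ValueError(
            f"SP metadata must contain exactly one SPSSODescriptor, found {len(found)}")
    entity_id, sp = found[0]
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("SPSSODescriptor declares no AssertionConsumerService")
    return {
        "entity_id": entity_id,
        "acs": acs,
        # If requests are signed, the optional SP private key is required.
        "private_key_required": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def sp_metadata_is_valid(xml_text: str) -> bool:
    try:
        validate_sp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def load_idp_metadata(xml_text: str) -> dict:
    """Map each IdP entityID to its SingleSignOnService endpoints (binding, URL)."""
    idps = {}
    for ed in _entity_descriptors(_parse(xml_text)):
        for idp in ed.findall("md:IDPSSODescriptor", NS):
            sso = [(e.get("Binding"), e.get("Location"))
                   for e in idp.findall("md:SingleSignOnService", NS)]
            if not sso:
                raise ValueError(f"{ed.get('entityID')} has no SingleSignOnService")
            idps[ed.get("entityID")] = sso
    if not idps:
        raise ValueError("IdP metadata contains no IDPSSODescriptor")
    return idps


if __name__ == "__main__":
    print(validate_sp_metadata(SP_METADATA))
    print(sp_metadata_is_valid(SP_METADATA_BAD))
    print(load_idp_metadata(IDP_METADATA))
```

Running the module prints the SP summary, `False` for the duplicated descriptor, and the two IdP entity IDs with their SSO endpoints. Checking the IdP aggregate this way also gives the configured list of IdPs a patron may be offered, which is the practical difference between the single-Shibboleth setup and the federation registration described above.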