Federated Authentication
Federated authentication is the process in which the user authentication step of the full authentication process is delegated to another identity provider. The process can work two ways. The first allows remote hosts to use the local IdP as an authentication assertion supplier; the other uses a remote server as an assertion supplier for the local authentication process. In this section we focus on the latter scenario.
Federated authentication is initialized by an appropriate authentication method, as can be seen in the figure above.
Flow
Authentication via a federated identity system (or remote authentication, as it is called in A-Select terms) can be part of an extended authentication profile that also contains local authentication methods.
On activation, the authentication method forms a call to the remote server containing the session identifier and the other attributes required for authentication. The user interaction part of the authentication mechanism replies to the user with this call in the form of an asynchronous call (e.g. an HTTP GET redirect or an HTTP POST auto-submit form). The user's agent then addresses the remote server with the given attributes so that the remote authentication session can be initialized.
The process of authentication at the remote server is out of scope of this document.
After the authentication is finished, the user is sent back to the local server with an additional proof that her authentication was successful. The profile receives and verifies the proof (with or without backend communication with the remote server). Upon successful verification, the user continues either to the next authentication method or, if the remote method was the last method in the profile, to the SSO engine.
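The three local-side steps above (build the asynchronous call, hand off to the remote server, verify the returned proof without backend communication) as an added illustration; this is example code, not A-Select's own implementation. The parameter names, the endpoint URL and the HMAC shared key are assumptions: the text does not say how the proof is protected, so a keyed hash stands in for whatever the real deployment uses, and the pending-session store shows the proof being bound to the session that started the flow and consumed on first use.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values: the page names neither the parameter names nor the
# mechanism that protects the proof, so a shared HMAC key stands in for it.
REMOTE_AUTH_URL = "https://remote-idp.example/authenticate"  # hypothetical
SHARED_SECRET = b"constructed-demo-key-not-for-real-use"

def start_remote_auth(session_id, local_server_id, pending):
    """Local side, step 1: record the session as awaiting the remote
    server and build the asynchronous call (here an HTTP GET redirect)
    carrying the session identifier and the attributes the remote needs."""
    pending[session_id] = "awaiting_remote"
    params = {"sid": session_id, "local_server": local_server_id}
    return f"{REMOTE_AUTH_URL}?{urlencode(params)}"

def remote_issue_proof(redirect_url, authenticated_user):
    """Simulated remote server: how it authenticates the user is out of
    scope; it only returns a proof bound to the session it was given."""
    query = parse_qs(urlparse(redirect_url).query)
    sid = query["sid"][0]
    payload = f"{sid}|{authenticated_user}".encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return {"sid": sid, "uid": authenticated_user, "sig": sig}

def verify_proof(proof, pending):
    """Local side, step 3: verify the returned proof without backend
    communication. Returns the user id on success, None on any failure.
    The session entry is consumed so the same proof cannot be used twice."""
    sid = proof.get("sid")
    if pending.pop(sid, None) != "awaiting_remote":
        return None  # unknown, already-used, or foreign session
    payload = f"{sid}|{proof.get('uid', '')}".encode()
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.get("sig", "")):
        return None  # proof tampered with or issued for another user
    return proof["uid"]

if __name__ == "__main__":
    pending = {}
    url = start_remote_auth("sess-1", "local-idp.example", pending)
    proof = remote_issue_proof(url, "alice")
    print(verify_proof(proof, pending))  # alice
    print(verify_proof(proof, pending))  # None: second use is rejected
```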