This is, once again, a generalization of our wine seller example: S is the buyer, RP is the seller, and IP is whatever government institution issued an identification document to the buyer, and Claim1 or Claim2 (see Figure 2-1) is the age claim. In the rest of this section, we explain Figure 2-1, pointing out what part of the Identity Metasystem is involved as the transaction unfolds. Note that because we are still technology-agnostic at this point, we simplify the sequence a bit (especially in Steps 3 and 4).
1. S engages RP in a negotiation to acquire RP's policy and requirements. RP states that it will consider for authentication only the users presenting an identity issued by IP, in SAML1.1 format and containing Claim1 and Claim2.
2. S goes through the experience of mapping RP requirements with S's capabilities. Namely, S checks whether it has a relationship with IP that would allow it to ask for a token of the right format and with the requested claims in it.
3. Assuming that S does have a suitable relationship with IP, S negotiates with IP the details about how the IP wants to be called (for example, with which technology).
4. S uses the information acquired in the preceding step to request an identity from the IP.