
Vittorio Bertocci, Garrett Serack, Caleb Baker

"Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities"

For more information about this misalignment between the example and the transaction, please see the section "WS-Trust" later in the chapter.
2. S goes through the experience of mapping RP requirements with S capabilities. Namely, S checks whether it has a relationship with IP2 that would allow it to ask for a token of the right format and with the requested claims in it.
3. S does not have an existing relationship with IP2; hence, S engages IP2 in a negotiation, to acquire IP2's policy and requirements. IP2 states that it will consider for authentication only the users presenting an identity issued by IP1, in SAML1.0 format and containing the claim Role.
4. S goes through the experience of mapping IP2 requirements with S capabilities. Namely, S checks whether it has a relationship with IP1 that would allow it to ask for a token of the right format and with the requested claims in it.
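
The chained check in steps 2 to 4 can be modelled as a walk over each party's policy until S reaches an issuer it already has a relationship with. The sketch below is an added example, not code from the book or from CardSpace: the names `Policy` and `plan_token_requests` are hypothetical, the RP's policy is an assumption read from the labels of Figure 2-2, and S's relationship with IP1 is assumed because the outcome of step 4 is not on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    issuer: str          # party whose token is demanded
    token_format: str    # required token format
    claims: tuple        # claims that must be present in the token


# Constructed sample data. IP2's policy is the one stated in step 3.
# The RP's policy is an assumption taken from the Figure 2-2 labels.
POLICIES = {
    "RP": Policy("IP2", "SAML", ("SpendingLimit",)),
    "IP2": Policy("IP1", "SAML1.0", ("Role",)),
}


def plan_token_requests(target, policies, relationships):
    """Return the token requests S must make, in order, to reach `target`.

    `policies` stands in for what each party reveals during negotiation;
    `relationships` is the set of issuers S can already ask for tokens.
    """
    chain, seen, party = [], {target}, target
    while True:
        policy = policies.get(party)
        if policy is None:
            # Negotiation produced no policy, so the chain cannot be completed.
            raise LookupError(f"no policy known for {party}")
        chain.append(policy)
        if policy.issuer in relationships:
            break  # S can obtain this token directly; the chain is anchored.
        if policy.issuer in seen:
            # A party that demands a token from someone already in the chain
            # would make S negotiate forever.
            raise ValueError(f"trust chain loops back to {policy.issuer}")
        seen.add(policy.issuer)
        party = policy.issuer
    # Tokens are requested from the anchor outward, so reverse the walk.
    return [(p.issuer, p.token_format, p.claims) for p in reversed(chain)]


if __name__ == "__main__":
    for request in plan_token_requests("RP", POLICIES, {"IP1"}):
        print(request)
```
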
[Figure 2-2: diagram of the parties RP, IP1 and IP2, with tokens labeled "SAML, Role" and "SAML, Spending Limit" and flow steps numbered 1 to 9.]
Figure 2-2 The schema shows the flow followed by a transaction in which trust is brokered through multiple IPs.

