cdsso-web-sequence.txt revision 0205f44d0d789f50b5b1901abdc1e94c18fdd202
@startuml cdsso-web-sequence.png
/'
CCPL HEADER START
This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/
or send a letter to Creative Commons, 444 Castro Street,
Suite 900, Mountain View, California, 94041, USA.
You can also obtain a copy of the license at
src/main/resources/legal-notices/CC-BY-NC-ND.txt.
See the License for the specific language governing permissions
and limitations under the License.
If applicable, add the following below this CCPL HEADER, with the fields
enclosed by brackets "[]" replaced with your own identifying information:
Portions Copyright [yyyy] [name of copyright owner]
CCPL HEADER END
Copyright 2012 ForgeRock AS
To generate a sequence diagram from this file, process
it with PlantUML, http://plantuml.sourceforge.net/sequence.html
'/
title Web Agent and CDSSO
autonumber
participant "Browser" as UA
participant "HTTP Server\n& Agent" as App
box "OpenAM" #FAFAFA
participant "CDCServlet" as CDC
participant "Policy, Session Services" as NPS
participant "AuthN Service" as AuthN
end box
UA->App: Browse to protected resource.\nNo SSOToken for resource domain, yet.
App->UA: Redirect...
UA->CDC: ...to CDCServlet.
CDC->NPS: If browser presents SSOToken,\nrequest SSOToken validation.
NPS->CDC: If SSOToken is valid,\nskip to 14. Otherwise...
CDC->UA: Redirect...
UA->AuthN: ...to OpenAM for authentication.
AuthN->UA: Authentication page
UA->AuthN: Submit credentials.
AuthN->UA: Set valid SSOToken with OpenAM domain name,\nand redirect...
UA->CDC: ...to CDCServlet.
CDC->NPS: Request SSOToken validation.
NPS->CDC: SSOToken is valid.
CDC->UA: Send self-submitting form with\nLiberty AuthN Response (LARES).
UA->App: Form POSTs automatically\nto protected resource.
note right of UA
Policy agent intercepts the POST
and extracts the SSOToken from LARES.
end note
App->NPS: Request SSOToken validation.
NPS->App: Response for SSOToken validation.
App->NPS: Request policy decision.
NPS->App: Response for policy decision.
App->UA: Allow access & return resource,\nor deny access & return HTTP 403.
@enduml