title Federated Authentication Sequence (w/ Claim Transformation)

# This walks through the federated authentication sequence where a claim from a
# third-party IdP system is posted to the ODL token endpoint in exchange for an 
# access token. The claim information is assumed to be in format specific to the 
# third-party IdP system and assumed to be captured via either Apache environment
# variables (Servlet attributes) or HTTP headers. 

Client -> ServletContainer: request access token
note right of Client
(claim as Apache env/HTTP headers)
end note
ServletContainer -> ClaimAuthFilter: Servlet attributes/headers
loop foreach ClaimAuth
    ClaimAuthFilter -> ClaimAuth: transform(Map<String, Object> claim)
    ClaimAuth -> ClaimAuth: transformClaim
end
ClaimAuth -> ClaimAuthFilter: Claim
note left of ClaimAuth
(user/domain/roles)
end note
ClaimAuthFilter --> TokenEndpoint: Claim
TokenEndpoint -> TokenEndpoint: createToken
TokenEndpoint -> Client: access token