diff options
author | Trevor Bramwell <tbramwell@linuxfoundation.org> | 2016-09-12 11:06:56 -0700 |
---|---|---|
committer | Trevor Bramwell <tbramwell@linuxfoundation.org> | 2016-09-12 11:07:49 -0700 |
commit | cf864337c13b4638c588badf3f589f9e39318c95 (patch) | |
tree | de6f96976a0e8986abd3176026790c2e33272bc5 /upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd | |
parent | 42357cd33b44b22dbebec8cdecdb29b9d76e5f99 (diff) |
Move ODL-AAA-MOON under 'upstream' Directory
Change-Id: Ie010fbe3899e151421940908dbe8675aade54e2d
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Diffstat (limited to 'upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd')
-rw-r--r-- | upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd new file mode 100644 index 00000000..f97ed1ee --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd @@ -0,0 +1,23 @@ +title Federated Authentication with SSSD + +# This walks through the federated authentication sequence where a claim from a +# third-party IdP system is posted to the ODL token endpoint in exchange for an +# access token. The claim information is assumed to be in format specific to the +# third-party IdP system and assumed to be captured via either Apache environment +# variables (Servlet attributes) or HTTP headers. + +Client -> Apache WebServer: authenticate +note right of Client +credentials +end note +Apache WebServer -> SSSD: authenticate +SSSD -> LDAP/AD : authenticate +SSSD -> Apache WebServer: claim +Apache WebServer -> ServletContainer: CGI variables +ServletContainer -> SSSD Plugin: Servlet attributes/headers +SSSD Plugin -> SSSD Plugin : transformClaim +SSSD Plugin -> TokenEndPoint : claim +TokenEndPoint -> TokenEndPoint : createToken +TokenEndPoint -> Client : refresh token, list of authorized domains +Client -> TokenEndPoint : refresh token, domain +TokenEndPoint -> Client : access token |