path: root/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
Diffstat (limited to 'odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd')
-rw-r--r--odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd23
1 files changed, 23 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
new file mode 100644
index 00000000..f97ed1ee
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
@@ -0,0 +1,23 @@
+title Federated Authentication with SSSD
+
+# This walks through the federated authentication sequence where a claim from a
+# third-party IdP system is posted to the ODL token endpoint in exchange for an
+# access token. The claim information is assumed to be in format specific to the
+# third-party IdP system and assumed to be captured via either Apache environment
+# variables (Servlet attributes) or HTTP headers.
+
+Client -> Apache WebServer: authenticate
+note right of Client
+credentials
+end note
+Apache WebServer -> SSSD: authenticate
+SSSD -> LDAP/AD : authenticate
+SSSD -> Apache WebServer: claim
+Apache WebServer -> ServletContainer: CGI variables
+ServletContainer -> SSSD Plugin: Servlet attributes/headers
+SSSD Plugin -> SSSD Plugin : transformClaim
+SSSD Plugin -> TokenEndPoint : claim
+TokenEndPoint -> TokenEndPoint : createToken
+TokenEndPoint -> Client : refresh token, list of authorized domains
+Client -> TokenEndPoint : refresh token, domain
+TokenEndPoint -> Client : access token
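Review bot: the header comment (lines 18-22 of the new file) says the claim may arrive at the SSSD Plugin via HTTP headers, but the sequence does not show where client-supplied headers of the same name are stripped or overwritten before the ServletContainer hands "Servlet attributes/headers" to the plugin; without that step the diagram implies the plugin trusts a header that the Client could also set, so please add a note on the `Apache WebServer -> ServletContainer: CGI variables` arrow (or on the plugin) stating that the claim is only accepted from the Apache environment/attributes populated after SSSD authentication, and that inbound headers with the claim name are discarded. Two smaller points: `SSSD -> LDAP/AD : authenticate` has no return arrow, so the success/failure result that gates `SSSD -> Apache WebServer: claim` is not visible, and the diagram documents no failure path (e.g. an unauthenticated response to the Client); and the spacing around `:` is inconsistent between lines such as `Apache WebServer -> SSSD: authenticate` and `SSSD -> LDAP/AD : authenticate`, so pick one form for readability.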