From e63b03f3d7e4851e008e4bb4d184982c2c0bd229 Mon Sep 17 00:00:00 2001 From: WuKong Date: Tue, 24 May 2016 17:13:17 +0200 Subject: odl/aaa clone Change-Id: I2b72c16aa3245e02d985a2c6189aacee7caad36e Signed-off-by: WuKong --- .../src/main/docs/sssd_auth_sequence.wsd | 23 ++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd (limited to 'odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd') diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd new file mode 100644 index 00000000..f97ed1ee --- /dev/null +++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd @@ -0,0 +1,23 @@ +title Federated Authentication with SSSD + +# This walks through the federated authentication sequence where a claim from a +# third-party IdP system is posted to the ODL token endpoint in exchange for an +# access token. The claim information is assumed to be in format specific to the +# third-party IdP system and assumed to be captured via either Apache environment +# variables (Servlet attributes) or HTTP headers. + +Client -> Apache WebServer: authenticate +note right of Client +credentials +end note +Apache WebServer -> SSSD: authenticate +SSSD -> LDAP/AD : authenticate +SSSD -> Apache WebServer: claim +Apache WebServer -> ServletContainer: CGI variables +ServletContainer -> SSSD Plugin: Servlet attributes/headers +SSSD Plugin -> SSSD Plugin : transformClaim +SSSD Plugin -> TokenEndPoint : claim +TokenEndPoint -> TokenEndPoint : createToken +TokenEndPoint -> Client : refresh token, list of authorized domains +Client -> TokenEndPoint : refresh token, domain +TokenEndPoint -> Client : access token -- cgit 1.2.3-korg
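Review bot: the header comment says the claim can be "captured via either Apache environment variables (Servlet attributes) or HTTP headers", but the diagram never marks which of these the SSSD Plugin is allowed to trust, and the HTTP header path is the one that matters: `ServletContainer -> SSSD Plugin: Servlet attributes/headers` only carries a trustworthy claim if the Apache SSSD module overwrites (not merely sets) those header names after authentication, so that nothing the original `Client -> Apache WebServer: authenticate` request carried can reach the plugin unchanged. Please add a `note` block at that step stating that the plugin reads only attributes/headers populated by Apache and that Apache must clear any same-named inbound headers; the `transformClaim` step is the natural place to document that check. Minor consistency point: every other hop shows a reply, but `SSSD -> LDAP/AD : authenticate` has no `LDAP/AD -> SSSD` return line, so the diagram reads as if the claim is produced before the directory answers.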