title Federated Authentication with SSSD

# This walks through the federated authentication sequence where a claim from a
# third-party IdP system is posted to the ODL token endpoint in exchange for an 
# access token. The claim information is assumed to be in format specific to the 
# third-party IdP system and assumed to be captured via either Apache environment
# variables (Servlet attributes) or HTTP headers. 

Client -> Apache WebServer: authenticate
note right of Client
credentials
end note
Apache WebServer -> SSSD: authenticate
SSSD -> LDAP/AD : authenticate
SSSD -> Apache WebServer: claim
Apache WebServer -> ServletContainer: CGI variables
ServletContainer -> SSSD Plugin: Servlet attributes/headers
SSSD Plugin -> SSSD Plugin : transformClaim
SSSD Plugin -> TokenEndPoint : claim
TokenEndPoint -> TokenEndPoint : createToken
TokenEndPoint -> Client : refresh token, list of authorized domains
Client -> TokenEndPoint : refresh token, domain
TokenEndPoint -> Client : access token