
The following picture illustrates the main components of a Web Single Sign On (SSO) solution based on WS-Federation (Passive Requestor Profile). The Web Application is part of the Relying Party (RP) side, whereas the Identity Provider (IDP/STS) is the central security server responsible for authenticating clients and issuing security tokens according to the RP's requirements.
The IDP component leverages the STS capabilities to issue all sorts of security tokens.
A browser first accesses the Web Application (RP), which redirects the browser to the IDP because the requestor is not authenticated. The IDP authenticates the user and requests a security token according to the RP's requirements. The security token is "redirected" to the RP, which validates the token and creates a session in the RP.


The browser accesses the web application (1). It is then redirected to the IDP/STS if no token or cookie is supplied in the request (2). This redirection process may require prompting the user (3) to authenticate himself (4). The IDP/STS issues a signed SAML 2.0 security token (WS-Federation doesn't mandate SAML). The IDP "redirects" (5/6) the user to the application server, including the SAML token. The application server verifies the signature of the SAML token. Validation relies on a pre-established trust relationship between the application server and the IDP/STS, so it does not require network connectivity between the two (Cloud!). After successful validation, a session is created and the corresponding cookie is set on the browser (7). Finally, the request is dispatched to the application.
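The token handling of steps 5 to 7, as an added Go example that is not part of the original page or of any WS-Federation implementation: the IDP signs a token bound to the RP's realm, and the RP validates it with a locally held copy of the IDP's public key, so no call back to the IDP is needed. The token layout, the realm "urn:example:rp" and the user "alice" are constructed stand-ins for a SAML assertion; real tokens are XML carrying an XML-DSig signature, but the RP-side checks (signature, audience, expiry) are the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token is a constructed stand-in for the signed SAML assertion carried in wresult:
// payload "realm|unixExpiry|subject" with an RSA-PSS signature over its SHA-256 digest.
type Token struct {
	Payload string
	Sig     []byte
}
// Issue is the IDP/STS side (step 5): sign a token bound to the RP's realm and a lifetime.
func Issue(priv *rsa.PrivateKey, realm, subject string, exp time.Time) (Token, error) {
	payload := strings.Join([]string{realm, strconv.FormatInt(exp.Unix(), 10), subject}, "|")
	h := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Token{payload, sig}, err
}

// Validate is the RP side (steps 6/7): verify offline with the IDP's public key, then check audience and expiry.
func Validate(pub *rsa.PublicKey, t Token, realm string, now time.Time) (string, error) {
	h := sha256.Sum256([]byte(t.Payload))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], t.Sig, nil); err != nil {
		return "", fmt.Errorf("signature invalid: not issued by the trusted IDP")
	}
	p := strings.Split(t.Payload, "|")
	if len(p) != 3 || p[0] != realm {
		return "", fmt.Errorf("audience mismatch: token was issued for another realm")
	}
	exp, err := strconv.ParseInt(p[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", fmt.Errorf("token expired")
	}
	return p[2], nil // the subject becomes the principal of the RP session (step 7)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Issue(priv, "urn:example:rp", "alice", time.Now().Add(time.Hour))
	fmt.Println(Validate(&priv.PublicKey, tok, "urn:example:rp", time.Now()))
}
```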


Requirements of the Web Application are described in the WS-Federation Metadata document.

Components

WS-Trust Security Token Service (STS)


The security model of the STS builds on the foundation established by WS-Security and WS-Trust. The primary issue for Web browsers is that there is no easy way to send web service (SOAP) requests directly. Consequently, the processing must be performed within the confines of the base HTTP 1.1 functionality (GET, POST, redirects, and cookies) and conform as closely as possible to the WS-Trust protocols for token acquisition.
The IDP is in charge of transforming the SignIn request of the browser into a SOAP request for the STS, and the response of the STS into the SignInResponse for the browser. Furthermore, the browser user must authenticate himself with the IDP. At the time of initial authentication an artifact/cookie may be created for the browser, so that subsequent requests for resources do not require user interaction.

Claims based Access Control


Resource and Requestor IDP

tbd