This implementation uses the “SAMLv2 Lightweight Web Browser SSO Profile” and the “SAMLv2.0 HTTP POST SimpleSign Binding”. Since the current use cases are fairly restricted, we simplified the process even further: only source-first (IdP-initiated) SSO, using an unsolicited <Response> message, is supported.
The actual federation of identifiers is done during the registration process using existing AOL protocols. SAML is then used only for the SSO Assertion between the partners. The flow goes something like this:
- User goes to browser and loads site A
- User authenticates at site A using the account credentials associated with site A
- User clicks on link to partner site B
- Site A generates the SSO Assertion for site B using site B's pre-determined federation identifier
- Site A uses the HTTP POST method to post the SSO Assertion to site B
- Site B validates and verifies the SSO Assertion
- User is “signed-on” to site B with site B's federated identifier
Using the SimpleSign binding significantly simplified the development effort, as XMLDSIG is one of the more complicated parts of SAML. As more tools for XMLDSIG become available, this will be less and less of a barrier to adoption.
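As an added illustration of steps 6 through 8 above and of what SimpleSign signs instead of the XML, here is a Go sketch of site A's signing step and site B's verification step. It is not code from this implementation; it assumes RSA with SHA-256 as the SigAlg, leaves out the optional KeyInfo form field, and stops at the signature check (the Assertion's own contents still have to be validated by site B).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // the only SigAlg site B accepts

// signedInput is what SimpleSign signs in place of the XML: the raw (not base64)
// XML, then "&RelayState=" only if one is present, then "&SigAlg="; no URL encoding.
func signedInput(xml, relayState, sigAlg string) []byte {
	s := "SAMLResponse=" + xml
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return []byte(s + "&SigAlg=" + sigAlg)
}

// Sign is site A's step; it returns the base64 SAMLResponse and Signature form fields.
func Sign(priv *rsa.PrivateKey, xml, relayState string) (string, string, error) {
	d := sha256.Sum256(signedInput(xml, relayState, SigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", "", err
	}
	return base64.StdEncoding.EncodeToString([]byte(xml)), base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is site B's step. SigAlg is untrusted form input, so it is pinned rather
// than used to choose an algorithm; the signed string is rebuilt from the decoded XML.
func Verify(pub *rsa.PublicKey, samlResponse, relayState, sigAlg, signature string) (string, error) {
	if sigAlg != SigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	xml, errX := base64.StdEncoding.DecodeString(samlResponse)
	sig, errS := base64.StdEncoding.DecodeString(signature)
	if errX != nil || errS != nil {
		return "", fmt.Errorf("malformed base64 in SAMLResponse or Signature")
	}
	d := sha256.Sum256(signedInput(string(xml), relayState, sigAlg))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	return string(xml), nil // site B still validates the Assertion itself (issuer, audience, validity window)
}
```

Because RelayState is part of the signed string, site B must rebuild the string from the RelayState it actually received, so a tampered RelayState fails verification along with a tampered Response.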