Example of Transient Federation


Donna Moore's company has a contract to sell office supplies to an office complex of a local company, ITelo. Employees of the local company can access a product catalog and order from ITelo's corporate portal. Donna does not want to maintain user data for all of the users at ITelo. She has negotiated with their IT department that her system trusts ITelo's identity provider. Their identity provider will use the federation type Virtual Users and Transient name IDs and include the name of the user, the e-mail address, and the cost center in the SAML response. Donna therefore does not carry the costs associated with maintaining user data. She merely has to capture the data for the users when they place orders, including the cost center so she knows whom to bill.

Donna can limit orders to users belonging to a purchasing function. The identity provider passes an attribute (in this example the organizational unit), and based on the value of this attribute Donna can have the service provider assign groups or roles to the user that provide any required authorizations to place orders. All other users can only view the catalog, through the assignment of a default role for all transient users. Furthermore, it is the job of ITelo's user administrators to determine who belongs to these organizational units. Donna does not have the overhead of maintaining those assignments. She only has to work with the ITelo organization to provide the framework.

The figure below illustrates the creation of a transient user for Laurent Becker, a purchasing agent at ITelo. After logging on to his identity provider, he is redirected to Donna's service provider. The identity provider includes a transient name ID, e-mail address, first name, last name, cost center, and organizational unit. The transient name ID, e-mail address, and cost center are mandatory in this example. Furthermore, the use of the federation type Virtual Users guarantees that the user exists on the user management engine (UME) of the service provider only temporarily, for the length of the session. Donna cannot process the order without the e-mail address and a cost center to bill. She can use the user name to personalize her application for the user. She uses the organizational unit to calculate group membership. Laurent belongs to Global Purchasing, so he is assigned a group that includes authorizations to place bulk orders. All transient users are granted a default role that enables them to browse her product catalog.

Figure 1: Example of Attribute Mapping to Create a Transient User
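The following script, added here as an illustration and not part of the SAP documentation or its UME implementation, shows the attribute mapping from the figure in code: it parses a SAML 2.0 assertion with a transient NameID, refuses the mapping when the name ID format is not transient or when the mandatory e-mail and cost-center attributes are absent, grants every transient user the default catalog role, and derives group membership from the organizational unit. The attribute names (`email`, `costCenter`, `orgUnit`, ...), the role and group names, the identity-provider URL, and the sample assertion for Laurent Becker are all constructed for this example; the unit-to-group rule only encodes what the text states for Global Purchasing.

```python
"""Mapping SAML attributes to a transient (virtual) user.

Illustrative code written for this page; not the UME's own federation logic.
Attribute names, role/group names and the sample assertion are constructed.
Signature, issuer, audience and validity-period checks that a real service
provider performs before trusting the assertion are deliberately out of scope.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

MANDATORY = ("email", "costCenter")              # the SP cannot bill without these
DEFAULT_ROLE = "CatalogViewer"                   # every transient user may browse
UNIT_GROUPS = {"Global Purchasing": ["BulkOrders"]}  # assumed org-unit -> group rule


@dataclass
class TransientUser:
    session_id: str          # the transient NameID; valid for this session only
    email: str
    cost_center: str
    first_name: str = ""
    last_name: str = ""
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID, its Format and all attribute values (always as lists)."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion carries no NameID")
    attrs: dict = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {"name_id": name_id.text, "format": name_id.get("Format"), "attributes": attrs}


def first(attrs: dict, name: str) -> str:
    """First value of a possibly multi-valued attribute, or '' if absent."""
    values = attrs.get(name) or []
    return values[0] if values else ""


def create_transient_user(parsed: dict) -> TransientUser:
    """Create the session-scoped user, enforcing the mandatory attributes."""
    if parsed["format"] != TRANSIENT:
        raise ValueError(f"expected a transient NameID, got {parsed['format']}")
    attrs = parsed["attributes"]
    missing = [name for name in MANDATORY if not first(attrs, name)]
    if missing:
        raise ValueError(f"missing mandatory attributes: {missing}")
    user = TransientUser(
        session_id=parsed["name_id"],
        email=first(attrs, "email"),
        cost_center=first(attrs, "costCenter"),
        first_name=first(attrs, "firstName"),
        last_name=first(attrs, "lastName"),
    )
    user.roles.append(DEFAULT_ROLE)                 # all transient users
    for unit in attrs.get("orgUnit", []):           # ITelo decides membership
        user.groups.extend(UNIT_GROUPS.get(unit, []))
    return user


def build_assertion(name_id: str, attributes: dict, fmt: str = TRANSIENT) -> str:
    """Build a minimal, unsigned SAML 2.0 assertion string (test data only)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(n)}"><saml:AttributeValue>'
        f"{escape(v)}</saml:AttributeValue></saml:Attribute>"
        for n, v in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.itelo.example</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{escape(name_id)}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample matching the figure: Laurent Becker, Global Purchasing.
LAURENT = {
    "firstName": "Laurent",
    "lastName": "Becker",
    "email": "laurent.becker@itelo.example",
    "costCenter": "CC-4711",
    "orgUnit": "Global Purchasing",
}

if __name__ == "__main__":
    user = create_transient_user(parse_assertion(build_assertion("_7f3a9c", LAURENT)))
    print(user)
```

Because the NameID is transient, `session_id` is meaningless outside the current session; the service provider keeps only what the order needs (e-mail and cost center) and re-derives groups from the organizational unit on every logon, which is exactly what lets ITelo, not Donna, own the purchasing-unit assignments.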