Example of Federation Type Service Users

Donna Moore's company has a contract to sell office supplies to an office complex of a local company, ITelo. Employees of the local company can access a product catalog and order from ITelo's corporate portal. Donna does not want to maintain user data for all the users at ITelo. She has negotiated with their IT department that her system trusts ITelo's identity provider. Their identity provider uses Transient name IDs and includes the cost center of the user in the SAML response. Donna therefore does not have the costs associated with maintaining what would essentially be a mirror of ITelo's user data. She only has to capture the cost center so she knows which department to bill. To do this, she creates a service user for each cost center.

Donna can limit orders to users belonging to a purchasing function. The identity provider can pass an additional attribute, fun (for function). Based on the value of this attribute, Donna can have the service provider assign a service user with the required authorizations to place orders. All other users can only view the catalog through the assignment of a default service user. Furthermore, it is the job of ITelo's user administrators to determine who has this function. Donna does not have the overhead of maintaining those assignments. She only has to work with the ITelo organization to provide the framework.

The figure below illustrates the creation of a transient user for Laurent Becker, a purchasing agent at ITelo. After logging on to his identity provider, he is redirected to Donna's service provider. The identity provider includes a Transient name ID, cost center, and function. The function is what Donna uses to determine if the user can place an order. Laurent has the function “Purchaser” so he is assigned a service user that includes authorizations to place orders for his cost center. All transient users that do not have the function “Purchaser” are mapped to a default service user that can only browse the product catalog.

Figure 1: Example of Attribute Mapping to Select a Service User
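The mapping in the figure, written out as an added example (not SAP's code): the service provider reads the transient name ID and the costcenter and fun attributes from the assertion, maps a "Purchaser" to the order-capable service user for their cost center, and maps everyone else to the browse-only default. The attribute names, service user names and the sample assertion are assumptions constructed for this example; the assertion is assumed to have already passed signature and audience validation in the SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Hypothetical service-user table: one order-capable service user per
# cost center, plus a default service user that may only browse the catalog.
SERVICE_USERS = {
    "CC1000": "ORDER_CC1000",
    "CC2000": "ORDER_CC2000",
}
DEFAULT_SERVICE_USER = "CATALOG_BROWSE"

# Constructed sample assertion for Laurent Becker (values are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a7f3c1</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="costcenter"><saml:AttributeValue>CC1000</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="fun"><saml:AttributeValue>Purchaser</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attributes(root):
    """Collect the assertion's attributes as {name: [values]}."""
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def select_service_user(assertion_xml):
    """Return the service user the transient user is mapped to, or None if
    the assertion does not carry a transient name ID (not this federation type)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        return None
    attrs = _attributes(root)
    first = lambda name: (attrs.get(name) or [None])[0]
    cost_center, function = first("costcenter"), first("fun")
    # Only a Purchaser with a known cost center gets an order-capable user;
    # a missing or unknown cost center falls back to browsing (fail closed).
    if function == "Purchaser" and cost_center in SERVICE_USERS:
        return SERVICE_USERS[cost_center]
    return DEFAULT_SERVICE_USER
```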