The Person claim

When SAML is used for authentication, the response from the IdP contains a number of claims (user properties). In an M3 environment, the SAML Session Provider is configured to use the Person claim as the user name for grid users.

The diagram shows an M3 environment with a Grid, AD FS, AD and IFS. The environment has been configured according to the recommendations for authentication. Specifically, the SAML Session Provider has been configured to use the Person claim as the user name, IFS has been configured with values for the IFS Person ID property for all users, and AD FS has been configured to emit the Person claim at logon.

The flow in the diagram is the same if InforSTS is used as IdP instead of AD FS.

  1. The user accesses a protected grid resource in the H5 application.
  2. The grid passes the call internally to the SAML Session Provider. The SAML Session Provider redirects the browser to AD FS.
  3. AD FS prompts the user for authentication and the user provides her credentials. The user logs on as
  4. AD FS authenticates the user against the Active Directory.
  5. After a successful authentication, AD FS retrieves claims for the user from IFS. The Person claim is among these. Jane Doe’s Person claim has the value 12345.
  6. AD FS constructs an assertion, a message about the authentication and the user, and provides this to the browser.
  7. The browser posts the assertion to the SAML Session Provider.
  8. The assertion is validated by the SAML Session Provider. A grid session and a grid user are created, with the user name based on the Person claim. In this case, the name will be 12345.
  9. The user has sufficient privileges to access the protected resource, and is redirected to the first access point.
  10. During use, the H5 application accesses M3 BE on behalf of the user. The grid user name is 12345. This name conforms to the 10-character limitation of M3 BE user names. User 12345 has also been configured in M3 BE 'User.Open' (MNS150). Therefore, the user can access M3 BE.
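The mapping performed in steps 8 and 10, extracting the Person claim from the assertion and checking it against the M3 BE user name limitation, as an added illustration that is not the SAML Session Provider's own code. The assertion, the attribute name "Person" and the function names are constructed for the example; the actual claim type configured in AD FS and the provider's signature validation (which must precede any use of the claim) are outside this snippet.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
M3_USER_MAX_LEN = 10  # M3 BE user name limitation described above

# Constructed sample assertion; not a real AD FS response. The Signature
# element is omitted because this example assumes the Session Provider has
# already validated it (step 8) before the claim is mapped.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Person">
      <saml:AttributeValue>12345</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="DisplayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class ClaimMappingError(ValueError):
    """Raised when the assertion cannot yield a usable grid user name."""


def grid_user_from_assertion(assertion_xml: str, claim_name: str = "Person") -> str:
    """Return the grid user name derived from the named claim (assumed attribute name)."""
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == claim_name
        for v in attr.findall("saml:AttributeValue", SAML_NS)
    ]
    if not values:
        raise ClaimMappingError(f"assertion carries no {claim_name!r} claim")
    if len(values) != 1:
        raise ClaimMappingError(f"expected one {claim_name!r} value, got {len(values)}")
    user = values[0]
    if not user:
        raise ClaimMappingError(f"{claim_name!r} claim is empty")
    if len(user) > M3_USER_MAX_LEN:
        raise ClaimMappingError(f"{user!r} exceeds the {M3_USER_MAX_LEN}-character M3 BE limit")
    return user


def mapping_fails(assertion_xml: str) -> bool:
    """Helper for checks: True if the assertion is rejected by the mapping."""
    try:
        grid_user_from_assertion(assertion_xml)
    except ClaimMappingError:
        return True
    return False
```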