At runtime, the SAML Session Provider interacts with AD FS and IFS in several ways:
SAML authentication. Browser clients are redirected to AD FS for authentication. After a successful authentication, AD FS returns the SAML response to the SAML Session Provider, including any additional claims that have been supplied by IFS. For this flow to work, Grid access must pass through a SAML-enabled router.
WS-Trust authentication. Clients that cannot be redirected (non-browser clients) pass their credentials in an HTTP Basic authentication header. In this case the SAML Session Provider actively calls AD FS using the WS-Trust protocol and obtains a token on the client's behalf; claims are included in the response in the same way as for SAML authentication. For this flow to work, Grid access must pass through a router that provides the Basic authentication mechanism, and because Basic authentication carries the password in clear text, that router must only be reachable over TLS. WS-Trust authentication is not available in cloud scenarios; only passive (browser-redirect) clients are supported there.
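The WS-Trust path described above, as an added example that is not part of the original page and not the SAML Session Provider's own code: it decodes the client's Basic authentication header, builds the WS-Trust 1.3 UsernameToken request that would be posted to the AD FS usernamemixed endpoint, and extracts the claims from the SAML 2.0 assertion that comes back. The claim extraction also serves the SAML browser flow, since a decoded SAMLResponse wraps the same saml:Assertion element. The hostnames, the relying-party address, the claim types and the sample response are assumptions constructed for offline use, not captured traffic.

```python
"""Added example (not the SAML Session Provider's own code): a Basic-auth
client's credentials turned into a WS-Trust request to AD FS, and claims
pulled from the returned SAML 2.0 assertion. All names are constructed."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = WSS + "wssecurity-secext-1.0.xsd", WSS + "wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"
NS = {"saml": SAML}

def make_basic_header(username, password):  # what a non-browser client sends
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_auth(header):
    """Decode an HTTP Basic Authorization header into (username, password)."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, sep, password = base64.b64decode(value).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password

def build_rst(username, password, sts_url, relying_party, lifetime_min=5):
    """WS-Trust 1.3 Issue request with a UsernameToken, as POSTed to the AD FS
    .../trust/13/usernamemixed endpoint. Credentials are XML-escaped on purpose."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    created, expires = now.strftime(fmt), (now + timedelta(minutes=lifetime_min)).strftime(fmt)
    envelope = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="{WSU}" xmlns:o="{WSSE}"><s:Header>
 <a:Action s:mustUnderstand="1">{TRUST}/RST/Issue</a:Action><a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
 <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
 <a:To s:mustUnderstand="1">{escape(sts_url)}</a:To>
 <o:Security s:mustUnderstand="1">
  <u:Timestamp u:Id="_0"><u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires></u:Timestamp>
  <o:UsernameToken u:Id="uuid-{uuid.uuid4()}"><o:Username>{escape(username)}</o:Username>
   <o:Password Type="{PASSWORD_TEXT}">{escape(password)}</o:Password></o:UsernameToken>
 </o:Security></s:Header><s:Body>
 <trust:RequestSecurityToken xmlns:trust="{TRUST}">
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference>
   <a:Address>{escape(relying_party)}</a:Address></a:EndpointReference></wsp:AppliesTo>
  <trust:KeyType>{TRUST}/Bearer</trust:KeyType><trust:RequestType>{TRUST}/Issue</trust:RequestType>
  <trust:TokenType>{SAML}</trust:TokenType>
 </trust:RequestSecurityToken></s:Body></s:Envelope>"""
    ET.fromstring(envelope)  # fail fast if escaping left the envelope malformed
    return envelope

def _ts(value):  # xsd:dateTime in UTC ('Z'), with or without fractional seconds
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _assertion(xml_text):
    node = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if node is None:
        raise ValueError("no SAML 2.0 assertion in response")
    return node

def check_conditions(xml_text, expected_audience, now_iso):
    """Enforce validity window and audience. Verifying the XML signature against
    the AD FS token-signing certificate is a separate, mandatory step not done here."""
    cond = _assertion(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return False
    now = _ts(now_iso)
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        return False
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return expected_audience in audiences

def extract_claims(xml_text):
    """Claim type -> list of values. Works on a WS-Trust RSTR and on a decoded
    SAMLResponse alike, since both wrap a saml:Assertion."""
    claims = {}
    for attr in _assertion(xml_text).findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

# Constructed RSTR in the shape AD FS returns (unsigned); not a captured response.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="{TRUST}"><trust:RequestSecurityTokenResponse>
<trust:RequestedSecurityToken><saml:Assertion xmlns:saml="{SAML}" ID="_1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://grid.example.test/</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role"><saml:AttributeValue>IFS_ROLE_A</saml:AttributeValue><saml:AttributeValue>IFS_ROLE_B</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></trust:RequestedSecurityToken>
</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""
```

To use it, POST the envelope from build_rst to the STS with Content-Type application/soap+xml over TLS, then run check_conditions and extract_claims on the reply. Two things the offline example leaves to production code: verify the assertion's XML signature against the AD FS token-signing certificate before trusting any claim, and parse XML received from the network with defusedxml rather than the standard parser.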
IFS API calls. IFS provides a number of APIs for retrieving Security Roles and other user information. When the Grid role mapping UI is opened, IFS is called directly to retrieve the available Security Roles. Grid applications may also call these APIs through proxy methods in the SAML Session Provider.