Use cases
Premises
1. An Organizational Unit has been defined as Role holder Yes.
2. Several groups have been defined with type organizational unit with role holder Yes.
3. An attribute sharing policy has been defined.
4. Indicates which Service Providers will be required group membership after authentication.
Use cases
Use case 1 - Log in to an application
User with no groups, Primary or Secundary, with type holder group Yes. When this user log into an application --> The user login normally to the application
Use case 2 - Log in to an application
User with only one group, Primary or Secondary, with type holder group Yes. This users can have more groups with holder group No. When this user logs in to an application --> The user will be loged-in the application with the group with type holder group yes.
OpenID-Connect
a. User Agatha with Primary group RRHH (Role holder Yes)
b. Login: the user type the user and password to login
c. Get the JSON id_token
d. Decode the JSON Web Token using https://jwt.io
Here you are the scope, the holder_group and the member_of data
{
"sub": "agatha",
"iss": "https://sync-server.netcompose:1443",
"holder_group": "RRHH",
"meber_of": [
"SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid",
"SOFFID_HOLDER_CONDOMAIN005/Philosophers@soffid",
"SOFFID_VAULT_USER@soffid",
"SOFFID_HOLDER_CONDOMAIN004/Writers@soffid",
"SOFFID_USER@soffid"
],
"nonce": null,
"sid": "oeB51Jr/+rb5yE+lbG9iYsAHy1TxOFYm",
"aud": "angularApp",
"azp": "angularApp",
"auth_time": 1737365621,
"scope": "openid profile email",
"exp": 1737366221,
"iat": 1737365622,
"jti": "WW1wwRD-HaE9DCXfQv4wLRuFgGRbI1lB_9wDFBd6X4ILJBv4vS6mL1yG3S0Ee_Nv",
"email": "agatha@soffid.com"
}
SAML
a. User Agatha with Primary group RRHH (Role holder Yes)
b. Login: the user type the user and password to login
c. Get the SAML response
https://sync-server.netcompose
https://sync-server.netcompose
qEEAkYqFFZxatl6DaVme4IfrojC3zafaKFH+TpIDurY=
TeVSWaALsRLMwYxi71/b1k8jKYOrFb7qS9qva2T5T3yKpNLwZxnmRqWznbBM7wpr9U3V0scfh5M1ex/NGflbADbxih7uwUVK8YSAZPwIx/4LXEx0uOxpQi7ZiDOvhb2jkKLdvztvUkBGeJhJGCJy/2WrOHIEdzsn4T4c7TBdWZc=
MIICKTCCAZKgAwIBAgIGAY3q71O5MA0GCSqGSIb3DQEBCwUAMFgxJzAlBgNVBAMMHmh0dHBzOi8v
c3luYy1zZXJ2ZXIubmV0Y29tcG9zZTEcMBoGA1UECwwTRmVkZXJhdGlvbiBzZXJ2aWNlczEPMA0G
A1UECgwGU09GRklEMB4XDTI0MDIyNzE0MjkyOVoXDTM0MDIyNzE0MjkyOVowWDEnMCUGA1UEAwwe
aHR0cHM6Ly9zeW5jLXNlcnZlci5uZXRjb21wb3NlMRwwGgYDVQQLDBNGZWRlcmF0aW9uIHNlcnZp
Y2VzMQ8wDQYDVQQKDAZTT0ZGSUQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJZ5G9BnTSLh
X8VOVbdyY01EUkgHexi97+e1iGA0r1WM6cTu4Ku3k7/efIB5ZZfteRKbPwa719y8Ytb5W4RFcZ6O
XzHz9o+FhG64tZHEo4xwVdukv6rOatSSlhomEhruhxX+x7OpFnnlXNSCypi1xjEQyIm8GJKxpxjk
RJvkgfXLAgMBAAEwDQYJKoZIhvcNAQELBQADgYEATbs8iLBYEcPdPBjtmNHYrQpXb3nc83Acmxyy
/pEe4hXaMoB1rBuxNf47IiqJaJld9H6k5oXWcGgG8FyrdOxpY3eE8cw1s+6tM/MACMRuhuV4bQhR
FD1aizcW6fQUfvmkRLUgS1o8BMZZjCWW22FPeSklFXATE/FvmncRGpT9JWs=
Agatha
https://pat.soffid.lab:8443/soffid-iam-console
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
agatha@soffid.com
Agatha
SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid
SOFFID_HOLDER_CONDOMAIN005/Philosophers@soffid
SOFFID_VAULT_USER@soffid
SOFFID_HOLDER_CONDOMAIN004/Writers@soffid
SOFFID_USER@soffid
RRHH
Use case 3 - Log in to an application
User with more than one group, Primary or Secondary, with type holder group Yes. When this user log into an application --> The user will have to choose the holder group to login the application. The user will be loged-in the application with the holder group selected.
OpenID-Connect
a. User Agatha with three groups with Role holder Yes
b. Login: the user type the user and password to login
c. The user has to select the holder group to login
d. Get the JSON id_token
e. Decode the JSON Web Token using https://jwt.io
Here you are the scope, the holder_group and the member_of data
{
"sub": "agatha",
"iss": "https://sync-server.netcompose:1443",
"holder_group": "Marketing",
"meber_of": [
"SOFFID_VAULT_USER@soffid",
"SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
"SOFFID_USER@soffid"
],
"nonce": null,
"sid": "+cr0VQjIUcwmuJg0jraIO4DwtPfFOH9b",
"aud": "angularApp",
"azp": "angularApp",
"auth_time": 1737366858,
"scope": "openid profile email",
"exp": 1737367458,
"iat": 1737366858,
"jti": "X1kvNUqr_-LJgz_EHneva0-mtHTLSkhN00d3UX-dtA7LVcjpkyM0yvl5UPst9vV2",
"email": "agatha@soffid.com"
}
SAML
a. User Agatha with three groups with Role holder Yes
b. Login: the user type the user and password to login
c. The user has to select the holder group to login
d. Get the SAML response
https://sync-server.netcompose
https://sync-server.netcompose
FIIpGC4P+i4OYv+1MxIw2tdgPgheB6zsE2QhbHTUP3U=
VI2a9cx7vPKH+fppjyRQ4g+/NPknfxVzgbekaWomAxHvgNegRonlalUiRiiVLC5DdcT1dkO85c9FJgf5x8CgEfKFRKVNcaNWRVMZIZYUR/DKjyVH0F8a8lZMdHyxB9z3xj0QVqs7536dalA38hD5p4TG4PoNttYLhE1tFGd8QsI=
MIICKTCCAZKgAwIBAgIGAY3q71O5MA0GCSqGSIb3DQEBCwUAMFgxJzAlBgNVBAMMHmh0dHBzOi8v
c3luYy1zZXJ2ZXIubmV0Y29tcG9zZTEcMBoGA1UECwwTRmVkZXJhdGlvbiBzZXJ2aWNlczEPMA0G
A1UECgwGU09GRklEMB4XDTI0MDIyNzE0MjkyOVoXDTM0MDIyNzE0MjkyOVowWDEnMCUGA1UEAwwe
aHR0cHM6Ly9zeW5jLXNlcnZlci5uZXRjb21wb3NlMRwwGgYDVQQLDBNGZWRlcmF0aW9uIHNlcnZp
Y2VzMQ8wDQYDVQQKDAZTT0ZGSUQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJZ5G9BnTSLh
X8VOVbdyY01EUkgHexi97+e1iGA0r1WM6cTu4Ku3k7/efIB5ZZfteRKbPwa719y8Ytb5W4RFcZ6O
XzHz9o+FhG64tZHEo4xwVdukv6rOatSSlhomEhruhxX+x7OpFnnlXNSCypi1xjEQyIm8GJKxpxjk
RJvkgfXLAgMBAAEwDQYJKoZIhvcNAQELBQADgYEATbs8iLBYEcPdPBjtmNHYrQpXb3nc83Acmxyy
/pEe4hXaMoB1rBuxNf47IiqJaJld9H6k5oXWcGgG8FyrdOxpY3eE8cw1s+6tM/MACMRuhuV4bQhR
FD1aizcW6fQUfvmkRLUgS1o8BMZZjCWW22FPeSklFXATE/FvmncRGpT9JWs=
Agatha
https://pat.soffid.lab:8443/soffid-iam-console
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
agatha@soffid.com
Agatha
SOFFID_VAULT_USER@soffid
SOFFID_HOLDER_CONDOMAIN005/Writers@soffid
SOFFID_USER@soffid
Marketing
Use case 4 - Log in to a second application
a. Agatha user was previously loged-in to an application
Agatha user is loged-in the angularApp Service Provider
{
"sub": "agatha",
"iss": "https://sync-server.netcompose:1443",
"holder_group": "Marketing",
"meber_of": [
"SOFFID_VAULT_USER@soffid",
"SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
"SOFFID_USER@soffid"
],
"nonce": null,
"sid": "+cr0VQjIUcwmuJg0jraIO4DwtPfFOH9b",
"aud": "angularApp",
"azp": "angularApp",
"auth_time": 1737366858,
"scope": "openid profile email",
"exp": 1737367458,
"iat": 1737366858,
"jti": "X1kvNUqr_-LJgz_EHneva0-mtHTLSkhN00d3UX-dtA7LVcjpkyM0yvl5UPst9vV2",
"email": "agatha@soffid.com"
}
b. Agata user is loged-in to a second application
Agatha user is loged-in the OpenIDConnectApp001 Service Provider, with the same holder group
{
"sub": "agatha",
"iss": "https://sync-server.netcompose:1443",
"holder_group": "Marketing",
"meber_of": [
"SOFFID_VAULT_USER@soffid",
"SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
"SOFFID_USER@soffid"
],
"nonce": null,
"sid": "WDSQEzO6LIgxvQkq/zyIzL/LddKKy/j0",
"aud": "OpenIDConnectApp001",
"azp": "OpenIDConnectApp001",
"auth_time": 1737367082,
"scope": "openid",
"exp": 1737367683,
"iat": 1737367083,
"jti": "C5xSE7UK0lgwgff5Cl7SPnpZvcRSm8WI0GZMXXObKdCMOuP50qbZjCcuGW7KpJqN",
"email": "agatha@soffid.com"
}