Hitachi ID Password Manager includes a SAML identity provider (IdP). This allows users to sign into a variety of federation-capable apps using a Password Manager login process, rather than using app-specific credentials.

The sequence for this externalized authentication is as follows:

  1. A user accesses an application at URL A.
  2. URL A (the service provider or SP) redirects the user to Password Manager at URL B.
  3. The user enters their login ID into Password Manager.
  4. Password Manager prompts for appropriate credentials. Different users may be asked for different sequences of credentials, based on their group memberships and/or identity attributes.
  5. Password Manager generates a SAML 2.0 assertion, indicating who the user is and what they are allowed to access.
  6. The user is redirected back to URL A, with the signed assertion.

This mechanism takes full advantage of Password Manager policy engines:

  1. How users are authenticated is controlled using authentication chains, which support contextual selection of a suitable login process and multi-step logins, for example combining a CAPTCHA, sending the user a PIN, and asking for a password.
  2. Password Manager can evaluate user membership in user classes and inject assertions about what the user should have access to into the SAML assertion it sends to service providers. This adds role-based access control to applications that support receiving authorization information in SAML assertions.
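
The redirect sequence and the user-class-to-role mapping above, as an added Python model (not Password Manager's code): the IdP side picks an authentication chain by user class and issues a SAML 2.0 assertion carrying roles, and the SP side checks signature, issuer, audience, validity window and InResponseTo before trusting any attribute. The user classes, URLs and key are constructed values, and an HMAC over the serialized assertion stands in for the XML-DSig signature a real IdP applies, so the block runs offline with only the standard library.

```python
import hmac, hashlib, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = "urn:oasis:names:tc:SAML:2.0:assertion"
def q(tag): return f"{{{NS}}}{tag}"   # namespace-qualified tag
USER_CLASSES = {"alice": ["finance-staff", "all-employees"], "bob": ["all-employees"]}  # constructed
CLASS_TO_ROLE = {"finance-staff": "ledger-editor", "all-employees": "reader"}           # constructed
SIGNING_KEY = b"constructed-demo-key"   # HMAC stands in for XML-DSig (assumption)
IDP_ID = "https://idp.example.test/saml"       # URL B in the text (assumed value)
SP_ID = "https://app.example.test/saml/acs"    # URL A in the text (assumed value)

def chain_for(user):
    """Step 4: contextual chain selection, stricter for a sensitive user class."""
    if "finance-staff" in USER_CLASSES.get(user, []):
        return ["captcha", "pin-to-phone", "password"]
    return ["password"]

def build_assertion(user, request_id, now=None, ttl=300):
    """Step 5: SAML 2.0 assertion naming the user plus roles derived from user classes."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(q("Assertion"), {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": now.isoformat()})
    ET.SubElement(a, q("Issuer")).text = IDP_ID
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID")).text = user
    ET.SubElement(ET.SubElement(subj, q("SubjectConfirmation")), q("SubjectConfirmationData"), {"InResponseTo": request_id})
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": now.isoformat(), "NotOnOrAfter": (now + timedelta(seconds=ttl)).isoformat()})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = SP_ID
    role = ET.SubElement(ET.SubElement(a, q("AttributeStatement")), q("Attribute"), {"Name": "role"})
    for cls in USER_CLASSES.get(user, []):   # user class membership -> authorization claim
        ET.SubElement(role, q("AttributeValue")).text = CLASS_TO_ROLE[cls]
    xml = ET.tostring(a)
    return xml, hmac.new(SIGNING_KEY, xml, hashlib.sha256).hexdigest()

def sp_accept(xml, sig, expected_request_id, now=None):
    """Step 6, SP side: check signature, issuer, audience, window and InResponseTo first."""
    now = now or datetime.now(timezone.utc)
    if not hmac.compare_digest(sig, hmac.new(SIGNING_KEY, xml, hashlib.sha256).hexdigest()):
        return None                      # tampered or forged: never parse attributes
    a = ET.fromstring(xml)
    cond = a.find(q("Conditions"))
    when = lambda attr: datetime.fromisoformat(cond.get(attr))
    if (a.findtext(q("Issuer")) != IDP_ID
            or cond.findtext(q("AudienceRestriction") + "/" + q("Audience")) != SP_ID
            or not when("NotBefore") <= now < when("NotOnOrAfter")
            or a.find(".//" + q("SubjectConfirmationData")).get("InResponseTo") != expected_request_id):
        return None
    return {"user": a.findtext(".//" + q("NameID")),
            "roles": [v.text for v in a.findall(".//" + q("AttributeValue"))]}
```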

The following figure illustrates this sequence:

SAML 2.0 browser redirect sequence