Each SP participating in an SSO system must provide its authorized users with the ability to manage federated identities and global accounts. In practice, this requires the SP and the IdP to perform specific actions in a specific order. This section describes that communication model.
FIs and global accounts are managed only via the FI management user interfaces of the IdP. A user can request these interfaces directly at any time during a local session with an SP. When a user requests one of the FI management user interfaces, the sequence of actions that is standard for all IdP user interfaces is performed: the IdP sends the UI parameters to the SP; the SP renders this UI and displays it to the user as an HTML form; the user fills in the form and submits it to the IdP. Finally, the IdP attempts to perform the requested operation and then forwards the user to a specific URL. This URL is taken from the HTML form parameters that the SP added when rendering the form.
The following diagram represents the model described above:
For details on the graphical conventions used in this diagram, refer to the Graphical Conventions section.
For details on how to build FI management functionality into your SP, refer to the Integrating Into SSO System section.
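The sequence described in this section, simulated end to end as an added example that is not part of the original documentation or of the SSO system's own code; every parameter name, URL and the SP registry are assumptions. It also shows the check a practitioner would expect on the IdP side: because the forwarding URL arrives through the SP-built form, the IdP honours it only if it is registered for that SP.

```python
# Added example, not part of the original documentation: a minimal simulation of
# the FI management exchange. All names (parameter keys, the return_url field,
# the SP registry) are assumptions chosen for illustration.
from html import escape

# Hypothetical IdP state: registered SPs with the return URLs each may use, and
# federated identities: global account -> {(sp_id, local_account), ...}.
REGISTERED_SPS = {"sp-example": {"https://sp.example.test/fi/done"}}
FEDERATED_IDS = {"alice@idp.example.test": set()}

def idp_ui_parameters(operation):
    """IdP: the UI parameters describing the FI management form to render."""
    return {"action": "https://idp.example.test/fi/submit", "operation": operation,
            "fields": ["global_account", "local_account"]}

def sp_render_form(sp_id, ui, return_url):
    """SP: render the HTML form from the IdP parameters and add, as a hidden
    field, the URL the IdP should forward the user to afterwards."""
    hidden = {"sp_id": sp_id, "operation": ui["operation"], "return_url": return_url}
    lines = [f'<form method="post" action="{escape(ui["action"])}">']
    lines += [f'<input type="hidden" name="{k}" value="{escape(v)}">'
              for k, v in hidden.items()]
    lines += [f'<input type="text" name="{f}">' for f in ui["fields"]]
    return "\n".join(lines + ["</form>"])

def idp_handle_submit(form):
    """IdP: perform the submitted FI operation, then forward the user. The return
    URL arrived via the SP-built form, so it is honoured only if it is registered
    for that SP; an unregistered target is not forwarded to at all."""
    allowed = REGISTERED_SPS.get(form.get("sp_id"), set())
    target = form.get("return_url", "")
    if target not in allowed:
        return "rejected", ""
    fi = (form["sp_id"], form["local_account"])
    links = FEDERATED_IDS.setdefault(form["global_account"], set())
    if form["operation"] == "link":
        links.add(fi)
    elif form["operation"] == "unlink":
        links.discard(fi)
    else:
        return "rejected", ""
    return "ok", target

def run_exchange(sp_id, operation, return_url, global_account, local_account):
    """Whole sequence: IdP parameters -> SP form -> user submits -> IdP acts."""
    ui = idp_ui_parameters(operation)
    sp_render_form(sp_id, ui, return_url)  # the form the user would fill in
    form = {"sp_id": sp_id, "operation": operation, "return_url": return_url,
            "global_account": global_account, "local_account": local_account}
    return idp_handle_submit(form)
```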