19. Exchange Attributes in a Federation
When an individual requests access to a resource at an outside organization, that organization usually needs the individual’s attributes to make an access decision. Rather than creating a new identity record, the organization can query a metadata service to determine where a record of that individual’s attributes already exists. The same lookup can also support design-time identity maintenance. This use case demonstrates both a brokered (a) and a non-brokered (b) approach for obtaining attributes. It also applies to situations where attributes are being sought from another division within the same organization.
Pre-condition: The requesting user is authenticated and belongs to an organization other than the one that owns the protected resource.
Steps (a = brokered, b = non-brokered):
1. An individual from Organization A attempts to access a resource at Organization B.
2. Organization B asks the metadata service where to go to obtain more details about the individual.
3. The metadata service tells Organization B that Organization A has the individual’s information on record.
4a. Organization A’s attribute broker obtains the relevant identity data from its data sources.
5a. Organization A’s attribute broker responds to Organization B’s attribute broker with the relevant data.
4b. Organization B queries Organization A for the individual’s attributes.
5b. Organization A responds to Organization B with the individual’s relevant attributes.
6. Organization B uses the individual’s attributes to make an authorization decision.
Post-condition: The individual’s attribute data was provided to the requesting organization.
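As an added illustration (not part of the original use case document), the following Python simulation models the exchange above end to end: a metadata service that locates the individual's home organization, an attribute authority at Organization A that aggregates its data sources and applies a per-requester release policy, a pair of brokers for path (a), a direct query for path (b), and the authorization decision at Organization B. It goes slightly beyond the text by showing the fail-closed cases a practitioner cares about: an individual with no record anywhere, a requester that is not a trusted federation member, and a policy that needs an attribute Organization A will not release. All organization names, user identifiers, attribute names and policies are constructed.

```python
# Added example: simulation of federated attribute exchange (brokered and
# non-brokered). Not part of the original use case document; every identifier,
# attribute and policy below is constructed for illustration.


class MetadataService:
    """Tells a relying organization which organization holds a user's record."""

    def __init__(self, registry):
        self._registry = dict(registry)          # user_id -> home organization id

    def locate(self, user_id):
        return self._registry.get(user_id)        # None when no record exists


class AttributeAuthority:
    """Organization A's side: merges its data sources and applies a release
    policy before answering any outside query."""

    def __init__(self, org_id, sources, trusted_orgs, release_policy):
        self.org_id = org_id
        self._sources = list(sources)             # each: {user_id: {attr: value}}
        self._trusted = set(trusted_orgs)         # federation members allowed to ask
        self._release = release_policy            # requester org -> releasable attrs

    def query(self, requester_org, user_id, requested):
        if requester_org not in self._trusted:
            raise PermissionError(f"{requester_org} is not a trusted federation member")
        allowed = self._release.get(requester_org, set())
        merged = {}
        for source in self._sources:              # step 4a/5b: gather from data sources
            merged.update(source.get(user_id, {}))
        # Minimal disclosure: return only what was asked for AND is releasable.
        return {k: v for k, v in merged.items() if k in requested and k in allowed}


class AttributeBroker:
    """Brokered path (a): each organization's broker forwards the query to the
    peer broker of the home organization rather than contacting it directly."""

    def __init__(self, org_id, local_authority=None):
        self.org_id = org_id
        self._local = local_authority
        self._peers = {}

    def connect(self, other):
        self._peers[other.org_id] = other
        other._peers[self.org_id] = self

    def request(self, home_org, requester_org, user_id, requested):
        if home_org == self.org_id:
            return self._local.query(requester_org, user_id, requested)
        peer = self._peers.get(home_org)
        if peer is None:
            raise LookupError(f"no broker relationship with {home_org}")
        return peer.request(home_org, requester_org, user_id, requested)


class RelyingParty:
    """Organization B: locates the record (steps 2-3), fetches attributes via
    its broker (a) or directly (b), then makes the decision (step 6)."""

    def __init__(self, org_id, metadata, broker=None, authorities=None):
        self.org_id = org_id
        self._metadata = metadata
        self._broker = broker
        self._authorities = authorities or {}     # home org -> AttributeAuthority

    def authorize(self, user_id, policy):
        """Return (granted, attributes_received). policy: {attr: allowed values}."""
        if not policy:
            return False, {}                      # fail closed on an empty policy
        home = self._metadata.locate(user_id)
        if home is None:
            return False, {}                      # no record anywhere: deny
        requested = set(policy)
        try:
            if self._broker is not None:
                attrs = self._broker.request(home, self.org_id, user_id, requested)
            else:
                attrs = self._authorities[home].query(self.org_id, user_id, requested)
        except (PermissionError, LookupError, KeyError):
            return False, {}                      # refused or unreachable: deny
        # Every policy attribute must be present and acceptable; a missing
        # attribute never grants access.
        granted = all(attrs.get(k) in vals for k, vals in policy.items())
        return granted, attrs


# Constructed federation: Organization A holds two data sources for its users.
POLICY = {"role": {"researcher", "staff"}, "affiliation": {"org-a"}}


def build_federation():
    hr = {"alice@org-a.example": {"role": "researcher", "email": "alice@org-a.example"},
          "carol@org-a.example": {"role": "intern"}}
    directory = {u: {"affiliation": "org-a"} for u in hr}
    authority_a = AttributeAuthority("org-a", [hr, directory], trusted_orgs={"org-b"},
                                     release_policy={"org-b": {"role", "affiliation"}})
    metadata = MetadataService({u: "org-a" for u in hr})
    broker_a = AttributeBroker("org-a", authority_a)
    broker_b = AttributeBroker("org-b")
    broker_b.connect(broker_a)
    brokered_rp = RelyingParty("org-b", metadata, broker=broker_b)              # path (a)
    direct_rp = RelyingParty("org-b", metadata, authorities={"org-a": authority_a})  # path (b)
    return brokered_rp, direct_rp, metadata, authority_a


if __name__ == "__main__":
    brokered, direct, _, _ = build_federation()
    for rp in (brokered, direct):
        print(rp.authorize("alice@org-a.example", POLICY))
```

Both paths produce the same decision for the same individual; what differs is only who talks to whom. The `release_policy` is the control that keeps Organization A from over-sharing (here `email` is never released to Organization B), and the relying party treats any refusal, missing record or missing attribute as a deny.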