Use Case 3
In this use case, tasks are executed on behalf of a user (referred to as delegation). Some workflows that an end user initiates might require multiple solutions to communicate with each other, and SSO can support such workflows. Before the user can initiate the workflow through a given UI, the user must provide credentials. The UI validates the credentials against the SSO server, which issues a SAML token. The user then initiates a workflow.
In the following figure, the workflow requires Solution-1 to access Solution-2 and Solution-3 on behalf of the end user. As part of this process, the UI requests a delegated token from the SSO server for Solution-1 by providing the SAML token of the end user. The delegated token asserts that the user has granted Solution-1 the privileges to execute tasks on the user's behalf. After the UI has the delegated token, it gives it to Solution-1 to use to log in to Solution-2 and Solution-3.
Figure 65. Executing Tasks on Behalf of a User
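The delegation flow described above, modelled as an added example (not code from the product or its documentation). HMAC-signed JSON stands in for signed SAML tokens, and the names `SSOServer`, `login`, `run_workflow`, the claim names and the user `alice` are assumptions; how a presenter proves its identity to the target solution is assumed to happen separately.

```python
import base64, hashlib, hmac, json, time

class SSOServer:
    """Toy SSO server: HMAC-signed JSON stands in for signed SAML tokens."""
    def __init__(self, key: bytes):
        self._key = key

    def _sign(self, claims: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def validate(self, token: str) -> dict:
        body, _, mac = token.partition(".")
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        return claims

    def issue_user_token(self, user: str, ttl: int = 300) -> str:
        # Credential validation by the UI happens before this and is not modelled.
        return self._sign({"sub": user, "delegate": None, "exp": time.time() + ttl})

    def issue_delegated_token(self, user_token: str, delegate: str, ttl: int = 300) -> str:
        claims = self.validate(user_token)
        if claims["delegate"] is not None:
            raise PermissionError("only the user's own token can grant delegation")
        return self._sign({"sub": claims["sub"], "delegate": delegate, "exp": time.time() + ttl})

def login(sso: SSOServer, token: str, presenter: str) -> str:
    """Check done by Solution-2 / Solution-3; returns the user that tasks run as."""
    claims = sso.validate(token)
    holder = claims["delegate"] or claims["sub"]
    if presenter != holder:  # token is honoured only for the party it names
        raise PermissionError(f"{presenter} does not hold this token")
    return claims["sub"]

def run_workflow() -> list:
    sso = SSOServer(b"constructed-demo-key")
    user_token = sso.issue_user_token("alice")  # after the UI validates credentials
    delegated = sso.issue_delegated_token(user_token, "Solution-1")  # UI asks the SSO server
    # The UI gives the delegated token to Solution-1, which logs in to both targets.
    return [login(sso, delegated, "Solution-1") for _target in ("Solution-2", "Solution-3")]

if __name__ == "__main__":
    print(run_workflow())
```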