Actors: cloud-subscriber, cloud-subscriber-user, cloud-provider, identity-provider (optional)
Goals: The cloud-subscriber-user should be able to authenticate using a standards-based protocol, such as SAML, OpenID or Kerberos, to gain access to the cloud application/service. Alternatively, the cloud-subscriber-user should be able to transparently log in to the cloud application/service once authenticated against any system that is part of a single-sign-on federation of systems.
Assumption: The cloud-subscriber-user's account has already been provisioned in the cloud; see use case Identity Management – User Account Provisioning. In the case of single-sign-on, prior trust relationships have been established (e.g., using trusted crypto keys) among the identity provider/authentication service and the cloud applications/services that share the federated identity attributes of authenticated users.
Success Scenario 1 (PaaS, SaaS): This scenario illustrates how a cloud-subscriber-user can authenticate against a cloud-based authentication service using the appropriate credentials to gain access to the cloud-based applications/services.
Steps: The cloud-subscriber-user provides his/her credentials (e.g., using password tokens or smart card) to the cloud-provider's authentication service interface. The authentication service authenticates the request and issues an appropriate authentication token using a standards-based protocol (such as a SAML authentication assertion). The cloud-subscriber-user then accesses cloud-deployed applications/services using the authentication token until the authenticated session expires or the user explicitly logs out using the authentication service's logout interface.
Success Scenario 2 (PaaS, SaaS, Single-Sign-On): This scenario illustrates how a cloud-subscriber-user authenticates against an authentication service (identity provider deployed either in the cloud or within the enterprise's IT infrastructure) and transparently gains access to cloud applications/services without presenting authentication credentials again, achieving single-sign-on.
Steps: The cloud-subscriber-user authenticates against the enterprise's authentication service/identity provider and obtains an authentication token (such as a digitally signed SAML authentication assertion); the cloud-subscriber-user accesses (through a Web browser) applications/services deployed in the cloud with the authentication token; the authentication subsystem provided by the cloud-provider transparently trusts the authentication token and obtains the federated identity attributes for access control decisions.
Failure Condition/Failure Handling: The trust relationship among the cloud-provider's services and the identity provider is not established.
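The acceptance checks implied by Success Scenario 2 and the failure condition above, as an added example that is not part of the Cloud Security Alliance guidance. It assumes an HMAC-signed JSON token as a stand-in for a signed SAML assertion (real SAML uses XML signatures); the issuer URLs, key, and function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: issuer -> key established out of band (assumption).
TRUSTED_IDPS = {"https://idp.enterprise.example": b"constructed-demo-key"}
AUDIENCE = "https://app.cloud.example"  # this cloud service (hypothetical)

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_token(issuer, key, subject, attrs, ttl, now=None):
    """Identity-provider side: sign the assertion body with the issuer key."""
    now = time.time() if now is None else now
    body = json.dumps({"iss": issuer, "sub": subject, "aud": AUDIENCE,
                       "attrs": attrs, "exp": now + ttl}, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def accept_token(token, now=None):
    """Cloud-provider side: return (identity_attributes, None) or (None, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except ValueError:
        return None, "malformed token"
    # The issuer is read before verification only to select the key;
    # nothing else in the token is trusted until the signature checks out.
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        return None, "no trust relationship with issuer"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "session expired"
    # Federated identity attributes handed to the access control decision.
    return {"sub": claims.get("sub"), **claims.get("attrs", {})}, None
```
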
Credit: Cloud Security Alliance's Guidance for Identity and Access Management, V2.1