1. The user follows the link to the WebApp.
2. The WebApp finds that the user is not authenticated and redirects to the SAML2 IdP.
3. The SAML2 IdP checks whether the user has an authenticated session; if not, it prompts for credentials. Once authenticated there, the user is redirected back to the WebApp with a SAML token carrying the set of claims requested by the WebApp.
4. Now the WebApp needs to access a back-end web service with the logged-in user's access rights. The WebApp passes the SAML token to the PEP, based on WS-Trust, and authenticates itself (the WebApp) to the PEP via the trusted subsystem pattern.
5. The PEP calls the XACML PDP to authorize the user, based on the claims provided in the SAML token.
6. The XACML PDP returns the decision to the PEP.
7. If it's a 'Permit', the PEP lets the user access the back-end web service.
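
Steps 5 to 7 as an added example (not code from the original page or from any product it may describe): a PEP maps the claims in the SAML token into a XACML request and lets the call through only on an explicit Permit. It assumes XACML 3.0 and that the WS-Trust layer has already validated the assertion's signature, issuer and validity; the claim URI, the sample assertion and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://example.org/claims/role">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claims_from_assertion(assertion_xml):
    """Claims as {name: [values]}; assumes signature, issuer and validity were already verified."""
    claims = {}
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML}}}AttributeValue")]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def add_category(request, category, attrs):
    group = ET.SubElement(request, f"{{{XACML}}}Attributes", Category=category)
    for attr_id, values in attrs.items():
        a = ET.SubElement(group, f"{{{XACML}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
        for value in values:
            ET.SubElement(a, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value

def build_request(claims, resource_id, action_id):
    """Step 5: the PEP turns the SAML claims into a XACML request for the PDP."""
    request = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    add_category(request, SUBJECT, claims)
    add_category(request, RESOURCE, {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": [resource_id]})
    add_category(request, ACTION, {"urn:oasis:names:tc:xacml:1.0:action:action-id": [action_id]})
    return ET.tostring(request, encoding="unicode")

def is_permitted(response_xml):
    """Steps 6-7: deny-biased PEP; anything but one explicit Permit blocks the call."""
    try:
        found = ET.fromstring(response_xml).iter(f"{{{XACML}}}Decision")
        decisions = [(d.text or "").strip() for d in found]
    except ET.ParseError:
        return False  # malformed PDP response: fail closed
    return decisions == ["Permit"]
```

Deny, NotApplicable, Indeterminate, an empty response and unparseable XML all resolve to "no access", so a PDP outage or a policy gap cannot silently open the back-end service.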