What Is SATOSA?
SATOSA is an authentication tool much like Shibboleth. In fact, SATOSA is a proxy, which operates between a service and an identity provider. It forwards the communication between the two or, in the case of different authentication protocols, enables it. Technically speaking, such a proxy is made up of two components: an IdP, which is able to communicate with the actual service, and a SP, which is in touch with the actual IdPs. The two parts of the proxy (IdP and SP) internally exchange the communicated information thereafter.
But SATOSA does not only allow you to forward the communication, but it also allows you to alter certain aspects of it: Attributes can be changed or requested from additional data bases, and you can even switch the authentication protocol that is being used. The modification of certain attributes can be necessary for example if only some of the attached IdPs report the mail address of the user, but the corresponding SP needs them from all users. In this case, SATOSA can alter the attribute of the mail address after first requesting it from a different data base.
When SATOSA “translates” between different authentication protocols, it looks something like this: