IDP Proxying & Distributed Authentication

[Paul Madsen <paulmadsen@rogers.com>]

The scenario is that a SP stipulates an authn context for which two 
authentication factors are required.

The first IDP that receives the <AuthRequest> can only perform one of 
the two factors, it proxies to another IDP for the second.

Does SAML core forbid this?

2261 If an identity provider that receives an <AuthnRequest> has not yet 
authenticated the presenter or
cannot directly authenticate the presenter, but believes that the 
presenter has already authenticated to
another identity provider or a non-SAML equivalent, it may respond to 
the request by issuing a new
<AuthnRequest> on its own behalf to be presented to the other identity 
provider,

Can we interpret the above text as applying to each factor 
independently. ie that the proxying IDP performs the above analysis for 
each?

Separately but related, existing Authn Context mechs in the 
AuthnStatement appear limited in being able to describe 'who did what' 
in such a distributed authentication case. There can be multiple 
<AuthenticatingAuthority> elements, but all within a single 
<AuthnContext>. The implication is that the proxying IDP would need to 
create a single AuthnContext to reflect how the authentications were 
distributed (even while acknowledging that the first IDP was involved in 
some manner.)

thanks for any insight

Paul

ps. FYI, Liberty's Strong Auth activity has a number of similar use 
cases that permute to some extent the 'normal' distribution of authn 
responsibilities - and Liberty will eventually have to work out how to 
use SAML AC in support.

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com