Subject: IDP Proxying & Distributed Authentication
The scenario is that a SP stipulates an authn context for which two authentication factors are required.

The first IDP that receives the <AuthRequest> can only perform one of the two factors; it proxies to another IDP for the second.

Does SAML core forbid this?

Line 2261: If an identity provider that receives an <AuthnRequest> has not yet authenticated the presenter or cannot directly authenticate the presenter, but believes that the presenter has already authenticated to another identity provider or a non-SAML equivalent, it may respond to the request by issuing a new <AuthnRequest> on its own behalf to be presented to the other identity provider,

Can we interpret the above text as applying to each factor independently, i.e. that the proxying IDP performs the above analysis for each?
Separately but related, existing Authn Context mechs in the AuthnStatement appear limited in being able to describe 'who did what' in such a distributed authentication case. There can be multiple <AuthenticatingAuthority> elements, but all within a single <AuthnContext>. The implication is that the proxying IDP would need to create a single AuthnContext to reflect how the authentications were distributed (even while acknowledging that the first IDP was involved in some manner.)

Thanks for any insight,
Paul

PS. FYI, Liberty's Strong Auth activity has a number of similar use cases that permute to some extent the 'normal' distribution of authn responsibilities - and Liberty will eventually have to work out how to use SAML AC in support.
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
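An added example (not part of the post above, nor OASIS code) showing the 'who did what' limitation the post describes: a proxied assertion carries one AuthnContext with one class ref and a list of AuthenticatingAuthority elements, so an SP can only check the declared class and vet the chain of IdPs as a whole. The assertion fragment, the IdP names (idp-a.example, idp-b.example) and the policy sets are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: the proxying IdP (idp-a.example) declares a
# two-factor class and names the IdP it proxied to (idp-b.example) as an
# AuthenticatingAuthority. Only one AuthnContext exists, so nothing records
# which authority performed which factor.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-a.example</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2005-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://idp-b.example</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_authn_context(xml_text):
    """Return (issuer, class_ref, [authenticating authorities]) for the first AuthnStatement."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS)
    authorities = [a.text for a in ctx.findall("saml:AuthenticatingAuthority", NS)]
    return issuer, class_ref, authorities


def sp_accepts(xml_text, accepted_classes, trusted_idps):
    """Hypothetical SP policy: the single declared class must be one the SP
    accepts, and every IdP in the chain (issuer plus each AuthenticatingAuthority)
    must be one the SP trusts to take part in that context. Returns (ok, reason)."""
    issuer, class_ref, authorities = parse_authn_context(xml_text)
    if class_ref not in accepted_classes:
        return False, "class %s does not satisfy policy" % class_ref
    chain = [issuer] + authorities
    untrusted = [a for a in chain if a not in trusted_idps]
    if untrusted:
        return False, "untrusted authority in chain: %s" % ", ".join(untrusted)
    # The SP can only attribute the factors to the chain as a whole.
    return True, "accepted; context vouched for by chain %s" % " -> ".join(chain)
```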