I would like to understand the expected behaviour when an SP uses ForceAuthn and the user logs in at the IdP with a different userid than was used previously in response. What should happen?
- Should the IdP prevent the user from changing userID (and causing a changed NameId)?
- Should the IdP force a single logout of the previous principal prior to issuing the new assertion?
- Should the IdP be expected to maintain 2 (or more) NameIds for the same session?
- What happens when a Single Logout request is subsequently received?
- Is the behaviour variable and up to the IdP? (i.e. SAML just doesn't want to talk about this)
Thanks for any clarity here.
Regards,
Bob Sunday
Security & Identity Management | Sécurité et gestion de l'identité
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Office: 613-941-4764
Email: robert.sunday@tbs-sct.gc.ca
Government of Canada | Gouvernement du Canada
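The scenario asked about above, seen from the SP side, as an added example that is not part of the original message or of any SAML implementation. It assumes the response's signature, Conditions and InResponseTo were already validated, and the policy it applies on a changed NameID (drop the old SP session rather than rebind it) is one defensible choice, not something the questioner or the spec states.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass
class SpSession:
    principal: tuple          # (value, Format, NameQualifier, SPNameQualifier)
    session_index: Optional[str]

def session_from_response(response_xml: str) -> SpSession:
    """Pull the (unencrypted) NameID and SessionIndex out of a Response.
    Assumes signature, Conditions and InResponseTo were already validated.
    SAML compares NameIDs on value plus qualifiers, so all four are kept."""
    root = ET.fromstring(response_xml)
    nid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no NameID")
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    key = (nid.text.strip(), nid.get("Format"),
           nid.get("NameQualifier"), nid.get("SPNameQualifier"))
    return SpSession(key, stmt.get("SessionIndex") if stmt is not None else None)

def reconcile_force_authn(current: Optional[SpSession], response_xml: str):
    """Returns ("same" | "switched", session_to_keep) for a ForceAuthn response.
    Policy here is an assumption, not spec-mandated: a different principal
    replaces the old SP session; the SP never holds two NameIDs in one session,
    and the old session_index is what a LogoutRequest for it would reference."""
    fresh = session_from_response(response_xml)
    if current is not None and current.principal != fresh.principal:
        return "switched", fresh
    return "same", fresh

# Constructed sample response (not a real IdP's output); signature omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   >{nameid}</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="{idx}"/>
 </saml:Assertion>
</samlp:Response>"""

def demo():
    first = session_from_response(SAMPLE.format(nameid="alice@example.invalid", idx="s1"))
    return reconcile_force_authn(first, SAMPLE.format(nameid="bob@example.invalid", idx="s2"))
```

Whichever policy an IdP applies, the SP still has to decide what to do with a NameID it did not expect; silently keeping the first session bound to the second principal is the outcome this check is there to prevent.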