saml-dev message
Subject: step-up authentication


I'm writing a deployment profile for step-up authentication where an
SP sends the following AuthnRequest to the IdP:

<samlp:AuthnRequest ...>
 <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
 <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
     user@example.org
   </saml:NameID>
 </saml:Subject>
 <samlp:NameIDPolicy AllowCreate="false"/>
 <samlp:RequestedAuthnContext>
   <saml:AuthnContextClassRef>
     http://example.org/some/specific/authncontextclass
   </saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

As a result, the IdP authenticates the given Subject according to the
RequestedAuthnContext and then issues an assertion with a "strongly
matching" Subject and a matching AuthnContext.

Is this a reasonable profile of the elements of SAML Core? Assuming
that's the case, does anyone know of a product that implements this
profile (or something like it)?

Thanks,

Tom
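As an added example (not part of the original post, and not code from any SAML product), the request above can be built with Python's standard library and the IdP's assertion checked against it the way a relying party would: the assertion's Subject must carry the same NameID (value, Format and qualifier attributes) as the request, and its AuthnStatement must carry exactly the requested AuthnContextClassRef. The ID and IssueInstant values, the issuer URLs, and both sample assertions are constructed for this example; the "exact" Comparison value is the SAML Core default, which the request in the post relies on implicitly.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
STEP_UP_CLASS = "http://example.org/some/specific/authncontextclass"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_step_up_request(issuer, name_id, name_id_format, authn_context_class,
                          request_id="_constructed-request-id",
                          issue_instant="2024-01-01T00:00:00Z"):
    """Serialise an AuthnRequest naming a Subject and a required AuthnContextClassRef.

    ID and IssueInstant are mandatory in SAML Core; the defaults are constructed values.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    # AllowCreate="false": the IdP must not mint a new identifier for this user.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "false"})
    # Comparison="exact" is the SAML Core default; written out here for clarity.
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context_class
    return ET.tostring(req, encoding="unicode")


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def check_step_up_response(request_xml, assertion_xml):
    """Return a list of findings; an empty list means the assertion satisfies the request.

    Subject check: the assertion NameID must equal the requested one in content and in the
    Format / NameQualifier / SPNameQualifier / SPProvidedID attributes (my reading of the
    'strongly matches' rule in SAML Core 3.3.4). Context check: every AuthnStatement must
    carry one of the requested class references (Comparison="exact").
    """
    req = ET.fromstring(request_xml)
    asn = ET.fromstring(assertion_xml)
    findings = []

    req_nid = req.find("saml:Subject/saml:NameID", NS)
    asn_nid = asn.find("saml:Subject/saml:NameID", NS)
    if asn_nid is None:
        findings.append("assertion has no Subject/NameID")
    else:
        if _text(req_nid) != _text(asn_nid):
            findings.append(f"NameID mismatch: requested {_text(req_nid)!r}, got {_text(asn_nid)!r}")
        for attr in ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID"):
            if req_nid.get(attr) != asn_nid.get(attr):
                findings.append(f"NameID attribute {attr} mismatch: "
                                f"requested {req_nid.get(attr)!r}, got {asn_nid.get(attr)!r}")

    wanted = {_text(e) for e in req.findall(
        "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)}
    statements = asn.findall("saml:AuthnStatement", NS)
    if not statements:
        findings.append("assertion has no AuthnStatement")
    for stmt in statements:
        got = _text(stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS))
        if got not in wanted:
            findings.append(f"AuthnContextClassRef {got!r} not in requested {sorted(wanted)}")
    return findings


def _assertion(name_id, fmt, class_ref):
    """Constructed sample assertion (no signature; signature validation is a separate step)."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-assertion" Version="2.0"
                 IssueInstant="2024-01-01T00:00:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">
      {name_id}
  </saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:04Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


# Constructed samples: one that satisfies the profile, one where the IdP fell back to a
# password-only context for a different user, which a step-up SP must reject.
REQUEST = build_step_up_request("https://sp.example.com/SAML2", "user@example.org",
                                EMAIL_FMT, STEP_UP_CLASS)
GOOD_ASSERTION = _assertion("user@example.org", EMAIL_FMT, STEP_UP_CLASS)
WEAK_ASSERTION = _assertion("other@example.org", EMAIL_FMT,
                            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

if __name__ == "__main__":
    print(REQUEST)
    print("good:", check_step_up_response(REQUEST, GOOD_ASSERTION))
    print("weak:", check_step_up_response(REQUEST, WEAK_ASSERTION))
```

The NameID content is whitespace-stripped before comparison because the request in the post puts the address on its own line inside the element, and an IdP may serialise it differently; the check is otherwise strict. This only covers the two conditions the post names; a deployment would still validate the signature, Conditions, InResponseTo and SubjectConfirmation data before trusting the step-up result.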
