Subject: IDP Proxying & Distributed Authentication
The scenario is that a SP stipulates an authn context for which two authentication factors are required. The first IDP that receives the <AuthnRequest> can only perform one of the two factors; it proxies to another IDP for the second. Does SAML core forbid this?

    [SAML core, line 2261] If an identity provider that receives an <AuthnRequest> has not yet
    authenticated the presenter or cannot directly authenticate the presenter, but believes
    that the presenter has already authenticated to another identity provider or a non-SAML
    equivalent, it may respond to the request by issuing a new <AuthnRequest> on its own
    behalf to be presented to the other identity provider,

Can we interpret the above text as applying to each factor independently, i.e. that the proxying IDP performs the above analysis for each?

Separately but related, existing Authn Context mechs in the AuthnStatement appear limited in being able to describe 'who did what' in such a distributed authentication case. There can be multiple <AuthenticatingAuthority> elements, but all within a single <AuthnContext>. The implication is that the proxying IDP would need to create a single AuthnContext to reflect how the authentications were distributed (even while acknowledging that the first IDP was involved in some manner).

thanks for any insight

Paul

ps. FYI, Liberty's Strong Auth activity has a number of similar use cases that permute to some extent the 'normal' distribution of authn responsibilities - and Liberty will eventually have to work out how to use SAML AC in support.

--
Paul Madsen
e: paulmadsen @ ntt-at.com
NTT
p: 613-482-0432
m: 613-302-1428
aim: PaulMdsn5
web: connectid.blogspot.com
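As an added illustration of the structure the post describes (not code from the original message or from any SAML implementation), the following Python shows what an SP sees in the proxied case: one AuthnStatement, one AuthnContext, and a list of AuthenticatingAuthority elements that names the upstream IDP but does not say which factor each IDP performed. The assertion XML, the entity IDs and the accepted-class and trusted-authority sets are constructed sample values; the SP-side check enforces that the asserted class is acceptable and that every listed authority is one the SP trusts.

```python
"""Added example: SP-side inspection of a proxied SAML AuthnStatement.
The assertion below is a constructed sample, not a real assertion."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the proxying IDP (idp-a) issues the assertion with a
# single AuthnContext and lists the upstream IDP (idp-b) as an
# AuthenticatingAuthority.  The class URI is a standard SAML AC class.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>https://idp-a.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2005-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://idp-b.example.com</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def check_authn_context(assertion_xml, accepted_classes, trusted_authorities):
    """Return (issuer, class_ref, authorities) for the single AuthnStatement.

    Raises ValueError if the statement count is not one, the asserted class is
    not accepted by the SP, or an AuthenticatingAuthority is not trusted.
    Signature validation is assumed to have happened before this is called.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    statements = root.findall("saml:AuthnStatement", NS)
    if len(statements) != 1:
        raise ValueError("expected exactly one AuthnStatement, got %d" % len(statements))
    ctx = statements[0].find("saml:AuthnContext", NS)
    if ctx is None:
        raise ValueError("AuthnStatement without AuthnContext")
    class_ref = (ctx.findtext("saml:AuthnContextClassRef", namespaces=NS) or "").strip()
    if class_ref not in accepted_classes:
        raise ValueError("unacceptable AuthnContext class: %r" % class_ref)
    # All authorities sit under the one AuthnContext; the SP only learns that
    # these entities took part, not which factor each of them performed.
    authorities = [(a.text or "").strip()
                   for a in ctx.findall("saml:AuthenticatingAuthority", NS)]
    untrusted = [a for a in authorities if a not in trusted_authorities]
    if untrusted:
        raise ValueError("untrusted AuthenticatingAuthority: %s" % ", ".join(untrusted))
    return issuer, class_ref, authorities
```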