OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: IDP Proxying & Distributed Authentication

The scenario is that a SP stipulates an authn context for which two 
authentication factors are required.

The first IDP that receives the <AuthRequest> can only perform one of 
the two factors, it proxies to another IDP for the second.

Does SAML core forbid this?

2261 If an identity provider that receives an <AuthnRequest> has not yet 
authenticated the presenter or
cannot directly authenticate the presenter, but believes that the 
presenter has already authenticated to
another identity provider or a non-SAML equivalent, it may respond to 
the request by issuing a new
<AuthnRequest> on its own behalf to be presented to the other identity 

Can we interpret the above text as applying to each factor 
independently. ie that the proxying IDP performs the above analysis for 

Separately but related, existing Authn Context mechs in the 
AuthnStatement appear limited in being able to describe 'who did what' 
in such a distributed authentication case. There can be multiple 
<AuthenticatingAuthority> elements, but all within a single 
<AuthnContext>. The implication is that the proxying IDP would need to 
create a single AuthnContext to reflect how the authentications were 
distributed (even while acknowledging that the first IDP was involved in 
some manner.)

thanks for any insight


ps. FYI, Liberty's Strong Auth activity has a number of similar use 
cases that permute to some extent the 'normal' distribution of authn 
responsibilities - and Liberty will eventually have to work out how to 
use SAML AC in support.

Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]