Authentication Context Processing for IdP-initiated SSO
When single sign-on is initiated at the IdP, authentication context processing follows these steps:
- A user request triggers single sign-on at the IdP.
- The user is authenticated and a user session is generated. A protection level, configured with the authentication scheme, is associated with the session.
- Depending on the authentication context configuration at the IdP, one of the following occurs:
  - Automatic detection occurs—only available if the SiteMinder Connector is enabled for the IdP-to-SP partnership. Based on a configured authentication context template, the AuthnContext class is mapped from the protection level of the session.
  - A predefined authentication class is used. The hard-coded URI you specify is added to the assertion.
- The IdP generates the assertion and adds the authentication context to it. The assertion is then sent to the SP.
- At the SP, the authentication context class from the assertion is compared with the class configured at the SP. If this comparison is successful, the authentication transaction is complete.
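The following Python model of the flow above is an added illustration, not SiteMinder code. It assumes the authentication context template is a list of (minimum protection level, AuthnContext class URI) rows and that the SP accepts the assertion only when the asserted class exactly equals the configured one; the class URIs are standard SAML 2.0 values, the template thresholds are constructed.

```python
# Added illustration of IdP-initiated authentication context processing.
# Assumptions (not from the product documentation): the template is a list
# of (minimum protection level, class URI) rows, and the SP requires an
# exact match between the asserted and the configured class.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PWD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"

# Constructed template: the highest threshold the session level reaches wins.
TEMPLATE = [(5, PASSWORD), (10, PWD_PROTECTED), (20, TLS_CLIENT)]


def map_protection_level(level, template=TEMPLATE):
    """Automatic detection: choose the class for the highest threshold <= level."""
    chosen = None
    for threshold, uri in sorted(template):
        if level >= threshold:
            chosen = uri
    if chosen is None:
        raise ValueError(f"no AuthnContext class for protection level {level}")
    return chosen


def build_assertion(authn_class):
    """IdP side: emit a minimal AuthnStatement carrying the class URI."""
    return (f'<Assertion xmlns="{SAML_NS}"><AuthnStatement><AuthnContext>'
            f'<AuthnContextClassRef>{authn_class}</AuthnContextClassRef>'
            f'</AuthnContext></AuthnStatement></Assertion>')


def sp_accepts(assertion_xml, configured_class):
    """SP side: compare the asserted class with the configured one (exact match)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").strip():
        return False  # assertion carries no context: the comparison fails
    return ref.text.strip() == configured_class


def idp_initiated_sso(level, sp_class, fixed_class=None):
    """Run the flow with automatic detection, or with a predefined class."""
    authn_class = fixed_class or map_protection_level(level)
    return sp_accepts(build_assertion(authn_class), sp_class)
```

A session at protection level 12 therefore yields PasswordProtectedTransport, which an SP configured for TLSClient rejects unless the partnership uses a predefined class instead.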
Copyright © 2012 CA. All rights reserved.