

Determine how a User Authenticated at an Identity Provider

The authentication context indicates how a user authenticated at an Identity Provider. The Identity Provider includes the authentication context in an assertion at the request of a Service Provider or based on configuration at the Identity Provider. A Service Provider can require information about the authentication process to establish a level of confidence in the assertion before granting access to resources.

When the Identity Provider receives a request, it compares the value of the <RequestedAuthnContext> element to the authentication context under which the user authenticated. The comparison is governed by a comparison value that the Service Provider sends in the request. If the comparison succeeds, the Identity Provider includes the authentication context in the assertion it returns to the Service Provider. If validation is configured, the Service Provider validates the incoming authentication context against the value it requested.
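As an added illustration of the comparison described above (example code, not part of the product documentation), the following Python evaluates a <RequestedAuthnContext> the way an Identity Provider or a validating Service Provider would. The Comparison values and class URIs come from the SAML 2.0 standard; the strength ordering and the sample request are constructed assumptions standing in for what the partners agree on.

```python
# Added example (not from the product documentation): evaluate a SAML 2.0
# <RequestedAuthnContext> against the context an IdP actually used. The strength
# ordering below is constructed to stand in for the partners' agreement (step 1).
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

STRENGTH = [AC + "InternetProtocol", AC + "Password",  # constructed ordering of
            AC + "PasswordProtectedTransport", AC + "TLSClient",  # standard AC
            AC + "SmartcardPKI"]  # classes, weakest first

def rank(ctx):
    """Position in the agreed ordering; a class nobody agreed on is rejected."""
    if ctx not in STRENGTH:
        raise ValueError("authentication context not in agreed ordering: " + ctx)
    return STRENGTH.index(ctx)

def parse_requested(xml_text):
    """Return (Comparison, [class refs]) from a <samlp:RequestedAuthnContext>."""
    root = ET.fromstring(xml_text)
    comparison = root.get("Comparison", "exact")  # SAML 2.0 default is exact
    refs = [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs

def satisfies(comparison, requested, actual):
    """SAML 2.0 Core Comparison semantics applied to the agreed ordering."""
    a, ranks = rank(actual), [rank(r) for r in requested]
    if comparison == "exact":    # must match one of the requested classes
        return actual in requested
    if comparison == "minimum":  # at least as strong as one requested class
        return a >= min(ranks)
    if comparison == "maximum":  # no stronger than the strongest requested class
        return a <= max(ranks)
    if comparison == "better":   # strictly stronger than every requested class
        return a > max(ranks)
    raise ValueError("unknown Comparison value: " + comparison)

def sp_validate(requested_xml, asserted_ctx):
    """SP-side validation: does the asserted context satisfy the request sent?"""
    comparison, refs = parse_requested(requested_xml)
    return satisfies(comparison, refs, asserted_ctx)

# Constructed sample request: at least a password over a protected transport.
REQUEST = f"""<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" Comparison="minimum">
  <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>"""
```

With this request, sp_validate(REQUEST, AC + "Password") returns False, while PasswordProtectedTransport and SmartcardPKI both return True.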

Verify that the policy administrators meet the following minimum knowledge requirements:

The following figure shows the configuration process for each partner. Federation Manager does not have to be installed at each site.

Process for configuring authentication context

Complete the following steps to configure authentication context processing:

  1. Agree on authentication context and protection level strengths.
  2. Set up an authentication context template.
  3. Complete the task for your site: