The authentication context indicates how a user authenticated at an Identity Provider. The Identity Provider includes the authentication context in an assertion at the request of a Service Provider or based on configuration at the Identity Provider. A Service Provider can require information about the authentication process to establish a level of confidence in the assertion before granting access to resources.
A CA SiteMinder® Service Provider requests the authentication context by including the <RequestedAuthnContext> element in the authentication request to the Identity Provider. Inclusion of this element is based on a configuration setting in the SP->Identity Provider partnership.
A CA SiteMinder® Identity Provider obtains the authentication context for a user in one of two ways:
CA SiteMinder® maps the authentication context URIs to CA SiteMinder® authentication levels. CA SiteMinder® authentication levels indicate the strength of an authentication context for an established user session. The levels enable the authentication context to be derived from the user session at the Identity Provider.
When the Identity Provider receives a request, it compares the value of the <RequestedAuthnContext> element to the authentication context established for the user session. The comparison method is determined by a comparison value sent in the request from the Service Provider. If the comparison is successful, the Identity Provider includes the authentication context in the assertion it returns to the Service Provider. If validation is configured, the Service Provider validates the incoming authentication context against the value it requested.
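The following Python example, added here and not part of the CA SiteMinder product or this documentation, shows the request/comparison logic described above: it parses the <RequestedAuthnContext> element from a SAML 2.0 authentication request and decides whether the context of an established session satisfies it. The same check serves both sides: the IdP uses it to decide whether to include the context, and the SP uses it to validate the context it receives. The URI-to-level mapping, the sample request and the level values are constructed assumptions; the comparison semantics are those of the SAML 2.0 Comparison attribute (exact, minimum, maximum, better).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed mapping of authentication context class URIs to strength
# levels (higher = stronger). Real mappings are deployment configuration.
CONTEXT_LEVELS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 5,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos": 10,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 15,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 20,
}

# Constructed sample AuthnRequest from an SP (not a captured message).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def parse_requested_context(authn_request_xml):
    """Return (comparison, [class URIs]) from <RequestedAuthnContext>, or (None, [])."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is exact
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs

def context_satisfies(session_context, comparison, requested):
    """True if the session's context meets the request under the given comparison."""
    if session_context not in CONTEXT_LEVELS:
        return False  # unknown URIs never satisfy a request
    have = CONTEXT_LEVELS[session_context]
    wanted = [CONTEXT_LEVELS[r] for r in requested if r in CONTEXT_LEVELS]
    if not wanted:
        return False
    if comparison == "exact":
        return session_context in requested
    if comparison == "minimum":   # at least as strong as one requested context
        return have >= min(wanted)
    if comparison == "maximum":   # not stronger than the strongest requested
        return have <= max(wanted)
    if comparison == "better":    # strictly stronger than all requested
        return have > max(wanted)
    return False  # unrecognised comparison value: fail closed
```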
This section contains the following topics:
Determine how a User Authenticated at an Identity Provider
Determine Authentication Context and Strength Levels with your Partner
Configure an Authentication Context Template
Configure Authentication Context Processing at the IdP
Configure Authentication Context Requests at the SP
Copyright © 2013 CA.
All rights reserved.