The SP can require specific authentication context classes and strength levels before it permits access to a requested resource. Based on the sensitivity of the resources at the SP, the SP has to feel confident in the assertion it receives from the IdP.
The administrators at the IdP and SP have to establish guidelines for supported authentication contexts and the relative strength of each class. The order of the classes at the IdP together with the associated strength levels affects how it can respond to the SP.
For example, an SP requests an authentication context class of X.509 certificates with a strength level of 3. The IdP has to authenticate the requesting user at a suitable strength level. The comparison value in the request from the SP defines how the authentication context is evaluated, and the context that the IdP provides has to satisfy the requirement that the comparison indicates. The comparison value is exact, minimum, maximum, or better, so the strength level that the IdP asserts has to be an exact match, at least the requested level, at most the requested level, or stronger than the requested level.
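The evaluation described above, as an added example that is not part of this documentation or of CA SiteMinder's own code: the IdP administrator's ordered classes and their strength levels are a constructed configuration (the class URIs are standard SAML 2.0 authentication context classes, the levels are assumed), and the comparison semantics follow the SAML 2.0 Comparison attribute values exact, minimum, maximum, and better. The example generalizes the X.509 / level 3 case on the page to any requested class and to a user who holds more than one authentication context.

```python
from typing import Dict, List, Optional

# Constructed IdP configuration for this example: the administrator's ordered
# authentication context classes (SAML 2.0 class URIs) and assumed strength
# levels, where a higher number is a stronger class.
IDP_STRENGTH: Dict[str, int] = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def level_satisfies(comparison: str, requested: int, actual: int) -> bool:
    """Apply the SAML 2.0 Comparison attribute to a pair of strength levels.

    exact   -> the asserted level equals the requested level
    minimum -> the asserted level is at least the requested level
    maximum -> the asserted level does not exceed the requested level
    better  -> the asserted level is strictly stronger than the requested level
    """
    if comparison == "exact":
        return actual == requested
    if comparison == "minimum":
        return actual >= requested
    if comparison == "maximum":
        return actual <= requested
    if comparison == "better":
        return actual > requested
    raise ValueError(f"unknown Comparison value: {comparison!r}")


def select_context(
    comparison: str,
    requested_class: str,
    user_classes: List[str],
    strength: Dict[str, int] = IDP_STRENGTH,
) -> Optional[str]:
    """Return the class the IdP can assert for this request, or None.

    user_classes are the context classes the user actually authenticated with
    at the IdP. Among those that satisfy the comparison, the strongest is
    chosen. None means the IdP cannot meet the request and should not
    downgrade silently; in SAML 2.0 the matching response status is
    urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.
    """
    if requested_class not in strength:
        return None  # the SP asked for a class this IdP does not support
    requested = strength[requested_class]
    candidates = [
        c for c in user_classes
        if c in strength and level_satisfies(comparison, requested, strength[c])
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: strength[c])


if __name__ == "__main__":
    # The case from the text: the SP wants X.509 at level 3, comparison exact.
    print(select_context("exact", X509, [KERBEROS, X509]))      # X509
    # A password-only session cannot satisfy a minimum of level 3.
    print(select_context("minimum", X509, [PASSWORD]))          # None
    # "better" than X.509 requires a class stronger than level 3.
    print(select_context("better", X509, [X509, SMARTCARD]))    # SmartcardPKI
```

The ordering in `IDP_STRENGTH` is what the text refers to as the administrator's class order: changing the relative levels changes which of the user's contexts can answer a given comparison, which is why the IdP and SP administrators have to agree on the scale before federating.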
Copyright © 2013 CA.
All rights reserved.