Using Apache ShibRequestSetting authnContextClassRef and requesting new session

Cantor, Scott cantor.2 at osu.edu
Wed Apr 11 22:12:51 BST 2012


> Is that "step-down", in that using x509 currently gives access to both
> protected.test and protected.test.x509.

I don't know if there's a general term for that case; step-up authentication is somewhat understood at least.
 
> Would a separate applicationID still give the same behavior?

It depends on the deployment. An application boundary always sends the user to the IdP (and thus potentially brings discovery into the picture). Leaving discovery aside, the IdP is normally going to send the user right back if the user's existing authentication state satisfies the request, so to the user it's invisible.

But one can't generally leave discovery aside, of course. If there's a single IdP in use, then it's pretty much seamless.

-- Scott


