Ability to specify an Authentication Method when using the IdP initiated login flow?
Van Deman, Quint
vandeman at amazon.com
Thu Dec 31 10:43:06 EST 2015
Shibboleth community--
I have configured my 2.x IdP to support 2 login handlers:
- A basic UsernamePassword handler configured as urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- A RemoteUser handler (which does MFA auth upstream) configured as urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
In reading the documentation, I understand that an RP can request/require the type of authentication to be performed, but is there a way to do the same thing when an RP isn't involved in the process (IdP initiated login flow)? I'm working to extend the Shibboleth reference architecture for AWS (which uses the IdP initiated flow exclusively) to show a pattern where highly sensitive operations require the stronger authentication, but don't want to go so far as to require the stronger auth form universally.
I've been able to construct a good working POC end-to-end, but right now my only solution for "selecting" the authentication mechanism is by altering the defaultAuthenticationMethod of the DefaultRelyingParty. Instead, I'm really hoping that there's a query string parameter or something similar that I can append to the initial url to make this selection. For example:
https://<hostname>/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices&authmethod=urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
Any thoughts or alternative solutions would be greatly appreciated.
Cheers,
-Quint
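Whatever mechanism ends up selecting the login handler, the start URL of an IdP-initiated flow is chosen by the browser, so the relying party still has to check the AuthnContextClassRef the IdP actually asserts before allowing a sensitive operation. The following is an added example, not code from the post above or from Shibboleth or AWS: it parses a constructed, unsigned SAML 2.0 Response, extracts the asserted class, and enforces a strength floor using the two class URNs from the post. The strength ordering (TimeSyncToken above PasswordProtectedTransport) is this deployment's own assumption, and the example assumes the Response has already been signature-checked and its Conditions validated by whatever SAML library the RP uses.

```python
"""Enforce an authentication-strength floor on a SAML 2.0 Response.

Added example (not from the original post, Shibboleth, or AWS).
Assumptions: the Response has ALREADY been signature-verified and its
Conditions/AudienceRestriction checked; this code only inspects the
AuthnContextClassRef values and fails closed on anything it does not know.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIMESYNC = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Deployment-specific ordering (assumption for this example): the MFA-backed
# TimeSyncToken handler is treated as stronger than username/password.
STRENGTH = {PASSWORD: 1, TIMESYNC: 2}


def authn_context_classes(response_xml: str) -> List[str]:
    """Return every AuthnContextClassRef found in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [ref.text.strip() for ref in root.findall(path, NS) if ref.text]


def satisfies(response_xml: str, required: str) -> bool:
    """True only if every AuthnStatement is at least as strong as `required`.

    A Response with no AuthnStatement, or one carrying a class this policy
    does not recognise, is rejected rather than silently accepted.
    """
    refs = authn_context_classes(response_xml)
    if not refs:
        return False
    floor = STRENGTH[required]
    return all(STRENGTH.get(ref, 0) >= floor for ref in refs)


def sample_response(class_ref: str) -> str:
    """Build a minimal, unsigned Response (constructed test data only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2015-12-31T15:43:06Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-12-31T15:43:06Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>someuser</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2015-12-31T15:43:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # A password-only login must not unlock the "highly sensitive" path,
    # even if the start URL asked for the stronger handler.
    for cls in (PASSWORD, TIMESYNC):
        ok = satisfies(sample_response(cls), TIMESYNC)
        print(f"{cls.rsplit(':', 1)[-1]:28s} sensitive op allowed: {ok}")
```

The policy lives entirely on the relying-party side, so it holds regardless of whether the IdP chose the handler from a query parameter, a defaultAuthenticationMethod setting, or an RP-supplied RequestedAuthnContext.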