Ability to specify an Authentication Method when using the IdP initiated login flow?
cantor.2 at osu.edu
Thu Dec 31 14:56:17 EST 2015
> In reading the documentation, I understand that an RP can request/require
> the type of authentication to be performed, but is there a way to do the
> same thing when an RP isn't involved in the process (IdP initiated login flow)?
An RP is always involved, you're just identifying it with a parameter.
> I'm working to extend the Shibboleth reference architecture for AWS (which
> uses the IdP initiated flow exclusively) to show a pattern where highly
> sensitive operations require the stronger authentication, but don't want to
> go so far as to require the stronger auth form universally.
If you mean universally as in "any relying party", that's fine, identifying the defaultAuthenticationMethod is a per-RP setting.
> I've been able to construct a good working POC end-to-end, but right now
> my only solution for "selecting" the authentication mechanism is by altering
> the defaultAuthenticationMethod of the DefaultRelyingParty.
Then don't do it for the default RP.
> Instead, I'm
> really hoping that there's a query string parameter or something similar that I
> can append to the initial url to make this selection.
You can also generate a SAML AuthnRequest on behalf of the RP. That is not something you can do with a simple query string.
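As an added illustration (not code from the thread or from the Shibboleth project), the following Python builds the kind of SAML 2.0 AuthnRequest that an RP, or something acting on its behalf, sends when it wants a specific authentication context, encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then a SAMLRequest query parameter), and then checks the AuthnContextClassRef that comes back in the assertion. The issuer, destination and ACS URLs, the request ID, the chosen context class URN and the sample assertion are all constructed placeholders; the IdP endpoint path is assumed to be the usual Shibboleth SAML2/Redirect/SSO location.

```python
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed placeholders: a hypothetical SP entityID, an assumed Shibboleth
# IdP redirect endpoint, and a standard SAML authentication context class.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
STRONG_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"


def build_authn_request(issuer, destination, acs_url, authn_context_class,
                        comparison="exact", request_id=None, issue_instant=None):
    """Return an AuthnRequest (as XML text) carrying a RequestedAuthnContext.

    The RequestedAuthnContext element is how an RP asks the IdP for a
    particular authentication method; the IdP decides whether to honour it.
    """
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % SAMLP_NS, {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, "{%s}Issuer" % SAML_NS).text = issuer
    rac = ET.SubElement(root, "{%s}RequestedAuthnContext" % SAMLP_NS,
                        {"Comparison": comparison})
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML_NS).text = authn_context_class
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text, relay_state=None):
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query_string):
    """Reverse encode_redirect: pull SAMLRequest out of a query string and inflate it."""
    b64 = parse_qs(query_string)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def requested_context(xml_text):
    """Return (Comparison, [AuthnContextClassRef...]) from an AuthnRequest, or (None, [])."""
    root = ET.fromstring(xml_text)
    rac = root.find("{%s}RequestedAuthnContext" % SAMLP_NS)
    if rac is None:
        return None, []
    refs = [e.text for e in rac.findall("{%s}AuthnContextClassRef" % SAML_NS)]
    return rac.get("Comparison", "exact"), refs


# Constructed sample assertion: the IdP authenticated the user with a password only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2015-12-31T19:56:17Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2015-12-31T19:56:17Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def assertion_satisfies(assertion_xml, required_class):
    """True only if the assertion's AuthnStatement reports the required context class.

    Requesting a context is not the same as getting it: the SP must check the
    AuthnContextClassRef the IdP actually asserted before releasing sensitive operations.
    """
    root = ET.fromstring(assertion_xml)
    seen = [e.text for e in root.iter("{%s}AuthnContextClassRef" % SAML_NS)]
    return required_class in seen


if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, SP_ACS_URL, STRONG_CONTEXT)
    print(IDP_SSO_URL + "?" + encode_redirect(req, relay_state="/sensitive"))
    print("assertion acceptable:", assertion_satisfies(SAMPLE_ASSERTION, STRONG_CONTEXT))
```

The request side is deliberately unsigned here; which RPs the IdP trusts to ask for a given context, and what it falls back to when the request cannot be satisfied, remains IdP-side policy, which is why the check on the returned assertion is the part an SP cannot skip.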