Ability to specify an Authentication Method when using the IdP initiated login flow?

Cantor, Scott cantor.2 at osu.edu
Thu Dec 31 14:56:17 EST 2015

> In reading the documentation, I understand that an RP can request/require
> the type of authentication to be performed, but is there a way to do the
> same thing when an RP isn't involved in the process (IdP initiated login flow)?

An RP is aways involved, you're just identifying it with a parameter.

> I'm working to extend the Shibboleth reference architecture for AWS (which
> uses the IdP initiated flow exclusively) to show a pattern where highly
> sensitive operations require the stronger authentication, but don't want to
> go so far as to require the stronger auth form universally.

If you mean universally as in "any relying party", that's fine, identifying the defaultAuthenticationMethod is a per-RP setting.

> I've been able to construct a good working POC end-to-end, but right now
> my only solution for "selecting" the authentication mechanism is by altering
> the defaultAuthenticationMethod of the DefaultRelyingParty.

Then don't do it for the default RP.

> Instead, I'm
> really hoping that there's a query string parameter or something similar that I
> can append to the initial url to make this selection.

You can also generate a SAML AuthnRequest on behalf of the RP. That is not something you can do with a simple query string.

-- Scott

More information about the users mailing list