Multiple authentication levels for a single application

Guillaume Rousse guillaume.rousse at renater.fr
Tue Aug 27 06:43:46 EDT 2019


Hello list.

I'm currently experimenting with strong authentication requirements. 
It's quite easy when a given application requires the same 
authentication method for all its users, by having a 
<samlp:RequestedAuthnContext> element inserted in the SAML request by 
the SP, and letting the IdP compute which authentication flow matches 
the request.

However, it seems a little more complex to have different requirements 
for different user classes in a single application. Such a scenario 
would for instance mandate MFA authentication for admins, while 
password-based authentication would be enough for normal users. Whereas 
I'm comfortable with the access control implementation in the 
application itself, I don't see how to let the user choose which 
authentication method to use.

Either I need a way for the SP to issue two different kinds of login 
requests, each using a different content in the 
<samlp:RequestedAuthnContext> element, so as to have a single IdP select 
the correct authentication flow accordingly. I guess using different 
session initiator handlers, at different URLs, would be enough, but 
then I'll need different authentication links/buttons in the application 
("login as user" and "login as admin").

Or I use two different IdPs, each implementing only one 
authentication flow (password for one, MFA for the other), and I use a 
discovery service for the user to select which one to use. In this case, 
each IdP will always reply with the relevant authentication result, 
whatever the content of the <samlp:RequestedAuthnContext> element, 
meaning simplified SP configuration.

I can also imagine using a single IdP, with MFA flow, and a conditional 
flow selection to automatically short-circuit the second factor 
authentication for users not needing it, but then I'll need a way to 
share the list of admins between the application and the IdP itself to 
avoid duplication and inconsistencies.

Advice and suggestions welcome here.

Regards.
-- 
Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
www.renater.fr
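The first option in the post (one SP, two kinds of login requests) only works safely if the SP also checks what the IdP actually asserted: an IdP may ignore or downgrade a RequestedAuthnContext, so the request alone proves nothing about the session. The following added example, which is not code from the original post or from the Shibboleth project, builds a per-role AuthnRequest with the standard library and performs that SP-side check on a (constructed, unsigned) Response. The role names, entity IDs, URLs and the role-to-context mapping are assumptions; the two AuthnContext class URIs are the SAML 2.0 PasswordProtectedTransport class and the REFEDS MFA profile.

```python
"""Added example: per-role SAML AuthnRequest construction and an SP-side
check that the returned assertion carries the authentication context the
role requires. Not part of the original post; role names, entity IDs and
URLs are assumptions."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Standard AuthnContext class URIs: SAML 2.0 password-over-TLS and the
# REFEDS MFA profile.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"

# Hypothetical mapping from application role to the set of contexts
# accepted for that role. Admins are accepted only with MFA.
REQUIREMENTS = {
    "user": {PASSWORD, MFA},   # either is fine for normal users
    "admin": {MFA},            # admins must present MFA
}


def build_authn_request(role, sp_entity_id, acs_url):
    """Build a SAML 2.0 AuthnRequest whose RequestedAuthnContext lists the
    classes acceptable for `role`, with Comparison="exact"."""
    if role not in REQUIREMENTS:
        raise ValueError("unknown role %r" % role)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP,
                        {"Comparison": "exact"})
    for ctx in sorted(REQUIREMENTS[role]):
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = ctx
    return ET.tostring(req, encoding="unicode")


def requested_classes(authn_request_xml):
    """Return the AuthnContextClassRef values carried by an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter("{%s}AuthnContextClassRef" % SAML)]


def asserted_classes(response_xml):
    """Collect AuthnContextClassRef values from every AuthnStatement in a
    Response. Signature, audience and validity checks are assumed to have
    been done already by the SP software; this only reads validated XML."""
    root = ET.fromstring(response_xml)
    out = set()
    for stmt in root.iter("{%s}AuthnStatement" % SAML):
        for ref in stmt.iter("{%s}AuthnContextClassRef" % SAML):
            if ref.text:
                out.add(ref.text.strip())
    return out


def authorized_for(role, response_xml):
    """True only if the asserted context meets the role's requirement.
    This is the check the SP must perform before granting `role`: what
    was requested is irrelevant, only what the IdP asserted counts."""
    return bool(asserted_classes(response_xml) & REQUIREMENTS[role])


# Constructed sample Response (unsigned, illustration only) in which the
# IdP performed a password-only login.
SAMPLE_PASSWORD_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
    ID="_resp1" Version="2.0" IssueInstant="2019-08-27T10:43:46Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-27T10:43:46Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2019-08-27T10:43:40Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, PASSWORD)

if __name__ == "__main__":
    for role in ("user", "admin"):
        xml = build_authn_request(role, "https://sp.example.org/shibboleth",
                                  "https://sp.example.org/Shibboleth.sso/SAML2/POST")
        print(role, requested_classes(xml))
    print("password login accepted as user:", authorized_for("user", SAMPLE_PASSWORD_RESPONSE))
    print("password login accepted as admin:", authorized_for("admin", SAMPLE_PASSWORD_RESPONSE))
```

The same mapping can live in the application alone, which avoids the admin-list duplication the third option implies: the SP forwards the asserted class to the application (with Shibboleth SP this is normally available as the Shib-AuthnContext-Class variable), and the application refuses the admin role unless that class is in the admin set, whichever login link the user clicked.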
