Multiple authentication levels for a single application
Guillaume Rousse
guillaume.rousse at renater.fr
Tue Aug 27 06:43:46 EDT 2019
Hello list.
I'm currently experimenting with strong authentication requirements.
It's quite easy when a given application requires the same
authentication method for all its users, by having a
<samlp:RequestedAuthnContext> element inserted in the SAML request by
the SP, and letting the IdP compute which authentication flow matches
the request.
However, it seems a little more complex to have different requirements
for different user classes in a single application. Such a scenario
would for instance mandate MFA authentication for admins, while
password-based authentication would be enough for normal users. Whereas
I'm comfortable with the access control implementation in the
application itself, I don't see how to let the user choose which
authentication method to use.
Either I need a way for the SP to issue two different kinds of login
requests, each using a different content in the
<samlp:RequestedAuthnContext> element, so as to have a single IdP select
the correct authentication flow accordingly. I guess using different
session initiator handlers, at different URLs, would be enough, but
then I'll need different authentication links/buttons in the application
("login as user" and "login as admin").
Or I use two different IdPs, each implementing only one
authentication flow (password for one, MFA for the other), and I use a
discovery service for the user to select which one to use. In this case,
each IdP will always reply with the relevant authentication result,
whatever the content of the <samlp:RequestedAuthnContext> element,
meaning simplified SP configuration.
I can also imagine using a single IdP, with an MFA flow, and a conditional
flow selection to automatically short-circuit the second-factor
authentication for users not needing it, but then I'll need a way to
share the list of admins between the application and the IdP itself to
avoid duplication and inconsistencies.
Advice and suggestions welcome here.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
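The first option in the message above (two SP entry points, each sending a different <samlp:RequestedAuthnContext>, with one IdP picking the flow), worked through as an added example that is not part of the original post or of the Shibboleth code base. Entity IDs, URLs, the entry-point table and the IdP's flow-strength table are all constructed for illustration; the class references are the standard PasswordProtectedTransport URN and the REFEDS MFA profile identifier. The example also shows the check the SP side needs in this design: the AuthnContextClassRef the IdP actually asserts must be compared against what the entry point requested, otherwise an IdP that ignores the request could still open an "admin" session with a password-only login.

```python
"""Added example (not from the original post): two SP login entry points that
emit different <samlp:RequestedAuthnContext> elements, a simplified IdP-side
flow selector, and the SP-side check on the asserted context class."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA profile class reference

# Assumed SP configuration: each login link/handler maps to a requested
# context class and a Comparison value ("login as user" / "login as admin").
ENTRY_POINTS = {"/Login": (PASSWORD, "minimum"), "/AdminLogin": (MFA, "exact")}

# Assumed IdP flow table: context class -> strength, used for "minimum".
STRENGTH = {PASSWORD: 1, MFA: 2}


def build_authn_request(entry_point, issuer="https://sp.example.org/shibboleth",
                        acs="https://sp.example.org/Shibboleth.sso/SAML2/POST"):
    """SP side: build the AuthnRequest for the chosen entry point (constructed
    issuer/ACS values; signing and binding encoding are out of scope here)."""
    class_ref, comparison = ENTRY_POINTS[entry_point]
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs,
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext",
                        {"Comparison": comparison})
    ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def requested_context(authn_request_xml):
    """Parse Comparison and the ordered list of requested class references."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{NS_P}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text for e in rac.findall(f"{{{NS_A}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs


def idp_select_flow(authn_request_xml, available=STRENGTH):
    """IdP side: pick the authentication flow that satisfies the request.
    'exact' takes the first requested class the IdP supports (request order is
    preference order); 'minimum' takes the weakest flow at least as strong as
    one of the requested classes. Anything else is unsatisfiable and would be
    answered with a NoAuthnContext status in a real IdP."""
    comparison, refs = requested_context(authn_request_xml)
    if not refs:
        return PASSWORD  # assumed default flow when nothing is requested
    if comparison == "exact":
        for ref in refs:
            if ref in available:
                return ref
    elif comparison == "minimum":
        known = [available[r] for r in refs if r in available]
        if known:
            needed = min(known)
            return min((r for r, s in available.items() if s >= needed),
                       key=available.get)
    raise ValueError(f"cannot satisfy {comparison} {refs}")


def sp_accept_assertion(entry_point, asserted_class_ref):
    """SP side: the class the IdP asserted must satisfy what this entry point
    requested; the application must not grant an admin session otherwise."""
    class_ref, comparison = ENTRY_POINTS[entry_point]
    if comparison == "exact":
        return asserted_class_ref == class_ref
    return STRENGTH.get(asserted_class_ref, 0) >= STRENGTH[class_ref]


if __name__ == "__main__":
    for entry in ENTRY_POINTS:
        req = build_authn_request(entry)
        flow = idp_select_flow(req)
        print(entry, "->", flow, "accepted:", sp_accept_assertion(entry, flow))
```

The design choice worth noting is that the flow table lives only on the IdP and the admin list lives only in the application: the SP never needs to know who the admins are, it only needs to request the stronger context on the admin entry point and refuse an assertion that does not carry it.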