7.6 Contracts Assigned to SAML 2.0 Service Provider

During federation, an authentication request initiated by a service provider may not include any contract information. If no contract information is available, the Identity Server executes a default contract to validate the user. The step up authentication feature lets you assign a specific contract to each service provider so that it is used instead of the default in such scenarios.

The following scenario helps you understand the execution of contracts that are assigned to the SAML 2.0 service provider.

Figure 7-4 Step Up Authentication example with two applications (figure not reproduced here)

Two applications, Payroll and HR, are protected through different service providers, and both use the Access Manager Identity Server as their identity provider. The user should be authenticated with the name/password form contract whenever accessing the HR application, and with a higher-level contract, say X509, for the Payroll application. The Identity Server can execute the contract that has been assigned to each service provider instead of the default contract.

The following procedure allows you to assign a specific contract to the service provider.

  1. Click Devices > Identity Servers > Edit > SAML 2.0.

  2. Click the configured service provider.

  3. Go to Options > Step Up Authentication contracts and select the contracts from the Available contracts list.

The following table lists the behavior of a service provider request. The result is the Identity Server response when the user is not yet authenticated.

Service Provider Request: the request carries no contract information to be executed at the Identity Server.

  1. Identity Server has no contracts set for this service provider (Step 3).
     Result: The default contract is executed to validate the user, and the default contract name is sent in the response.

  2. Identity Server has contract C1 set for this service provider (Step 3).
     Result: C1 is executed to validate the user, and C1 is sent in the response.

Service Provider Request: the request asks the Identity Server to execute contract C1.

  1. Identity Server has no contracts set for this service provider (Step 3).
     Result: C1 is executed to validate the user, and C1 is sent in the response.

  2. Identity Server has contract C1 set for this service provider (Step 3).
     Result: C1 is executed to validate the user, and C1 is sent in the response.

  3. Identity Server has contract C2 set for this service provider, and C2 has the trust level check disabled.
     Result: C2 is executed to validate the user, and C2 is sent in the response. (Note: This is equivalent to C1 not being available at the Identity Server.)

  4. Identity Server has contract C2 set for this service provider, and C2 has the trust level check enabled.
     Result:
     If the trust level of C2 >= the trust level of C1, C2 is executed and C2 is sent in the response.
     If the trust level of C2 < the trust level of C1, C1 is executed and C1 is sent in the response, as in the previous Access Manager 3.2 release.
     If C1 is not available at the Identity Server, C2 is executed and C2 is sent in the response.
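The selection rule in the table above, applied to the HR/Payroll scenario, as an added Python model. This is illustration code, not Access Manager code: the classes Contract and ServiceProviderConfig, the function select_contract, the numeric trust levels and the sample catalog are assumptions; only the contract names and the configuration setting they stand for come from this section.

```python
"""Decision model for which authentication contract the Identity Server
executes for an unauthenticated user arriving from a SAML 2.0 service
provider. Added example: class and function names, numeric trust levels
and sample data are assumptions, not Access Manager classes or settings."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Contract:
    name: str
    trust_level: int  # assumed numeric level compared by the trust level check


@dataclass
class ServiceProviderConfig:
    """What an administrator set under Options > Step Up Authentication
    contracts for one service provider (Step 3 of the procedure)."""
    step_up_contract: Optional[Contract] = None
    trust_level_check: bool = False  # trust level check on the assigned contract


def select_contract(requested_name: Optional[str],
                    sp: ServiceProviderConfig,
                    default: Contract,
                    catalog: Dict[str, Contract]) -> Contract:
    """Return the contract that is executed and named in the response.

    requested_name: contract named in the SP's authentication request, or None
    catalog: contracts defined at the Identity Server, keyed by name
    """
    assigned = sp.step_up_contract

    # Request carries no contract information: assigned contract, else default.
    if requested_name is None:
        return assigned if assigned is not None else default

    # SP asked for C1 and C1 itself is the assigned contract: C1 runs.
    if assigned is not None and assigned.name == requested_name:
        return assigned

    # SP asked for C1 and nothing is assigned: C1 runs (it must exist here;
    # the table does not say what happens otherwise, so refuse to guess).
    if assigned is None:
        if requested_name not in catalog:
            raise ValueError(f"{requested_name!r} is not defined at the Identity Server")
        return catalog[requested_name]

    # A different contract C2 is assigned. With the trust level check disabled
    # C2 always runs, as if C1 did not exist at the Identity Server (row 3).
    if not sp.trust_level_check:
        return assigned

    # Trust level check enabled (row 4): C2 runs if at least as strong as C1,
    # otherwise the stronger C1 runs; if C1 is unknown here, C2 runs.
    requested = catalog.get(requested_name)
    if requested is None or assigned.trust_level >= requested.trust_level:
        return assigned
    return requested


# Constructed sample data modelled on the HR / Payroll scenario above.
NAME_PASSWORD = Contract("Name/Password-Form", 1)
X509 = Contract("X509", 3)
CATALOG = {c.name: c for c in (NAME_PASSWORD, X509)}
HR_SP = ServiceProviderConfig()  # nothing assigned: default contract applies
PAYROLL_SP = ServiceProviderConfig(step_up_contract=X509, trust_level_check=True)
# Weak assignment with the check disabled: the assigned contract always wins.
WEAK_SP = ServiceProviderConfig(step_up_contract=NAME_PASSWORD, trust_level_check=False)


if __name__ == "__main__":
    for label, sp in (("HR", HR_SP), ("Payroll", PAYROLL_SP)):
        chosen = select_contract(None, sp, NAME_PASSWORD, CATALOG)
        print(f"{label}: request without contract -> {chosen.name}")
    chosen = select_contract("X509", WEAK_SP, NAME_PASSWORD, CATALOG)
    print(f"Weak SP, request for X509, check disabled -> {chosen.name}")
```

Running the block prints the HR and Payroll outcomes and one case from row 3 of the table: with the trust level check disabled, the assigned contract is executed even when the service provider asked for a stronger one, so an administrator who assigns a step-up contract should enable the trust level check unless that weaker result is intended.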