When OpenAM works as a SAML IdP, authorization is delegated to the SP. By default, if authentication is complete, an assertion is issued to the SP.
There are several problems with this behavior.
If there is a requirement for different authentication for each SP, the feasibility depends on the SP specification (such as whether the authentication context class can be changed).
Behavior is not managed by the IdP side because it depends on the SP.
If you have a mixture of SAML SPs and agent-protected applications that require multi-factor authentication, the difference in mechanism may require re-authentication. (The SAML SP handles OTP in the authentication chain, and the agent does OTP in session upgrade.)
Solution
Add policy-based access control for the SAML IdP.
When OpenAM processes a SAML authentication request, it checks the policy. Then it decides whether to issue an assertion, reject the request, or require additional authentication.
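The three outcomes proposed above can be sketched as a small IdP-side decision function. This is an added example, not OpenAM code or part of the original issue; the `SpPolicy`, `Session` and `decide` names, the numeric auth-level scale, the group-based rule and the choice to reject SPs with no policy are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ISSUE = "issue assertion"
    REJECT = "reject request"
    STEP_UP = "require additional authentication"


@dataclass(frozen=True)
class SpPolicy:
    # Hypothetical per-SP rule: who may receive an assertion, and at what auth level.
    allowed_groups: frozenset
    min_auth_level: int


@dataclass(frozen=True)
class Session:
    subject: str
    groups: frozenset
    auth_level: int  # constructed scale: 1 = password, 2 = password + OTP


# Constructed sample policies, keyed by SP entity ID.
POLICIES = {
    "https://sp-wiki.example.com": SpPolicy(frozenset({"staff"}), 1),
    "https://sp-payroll.example.com": SpPolicy(frozenset({"hr"}), 2),
}


def decide(sp_entity_id, session, policies=POLICIES):
    """Return (Decision, required_auth_level) for one SAML authentication request."""
    policy = policies.get(sp_entity_id)
    if policy is None:
        # Assumption: fail closed when no policy covers the requesting SP.
        return Decision.REJECT, None
    if not (session.groups & policy.allowed_groups):
        # More authentication cannot fix a missing entitlement, so reject outright.
        return Decision.REJECT, None
    if session.auth_level < policy.min_auth_level:
        # Authorized subject, weak session: ask for an upgrade to the required
        # level, the same mechanism agent-protected applications rely on.
        return Decision.STEP_UP, policy.min_auth_level
    return Decision.ISSUE, None


if __name__ == "__main__":
    alice = Session("alice", frozenset({"staff", "hr"}), auth_level=1)
    for sp in list(POLICIES) + ["https://sp-unknown.example.com"]:
        print(sp, decide(sp, alice))
```

Because the required level comes from the IdP's policy rather than from the SP's requested authentication context, SAML SPs and agent-protected applications end up on the same step-up path.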