Step up Authentication Example for an Identity Provider Initiated Single Sign-On Request

Setup: Let us assume that:

  • Access Manager is acting as an identity provider.

  • The following three contracts in Identity Server are configured:

    • name password basic contract with Authentication level as 10

    • name password form contract with Authentication level as 20

    • secure name password contract with Authentication level as 30

      NOTE: Enable the Satisfiable by a contract of equal or higher level option for the contracts with authentication level 10 or 20, so that a user who is already authenticated against the level 30 contract is not prompted again.

  • The name password form contract for a service provider named SP_A is configured in the identity provider.

    For information about creating contracts, see Configuring Authentication Contracts.

Configuration: Complete the following steps:

  1. In Identity Server, configure the service provider as a trusted provider.

    For more information, see Section 2.8.3, Managing Trusted Providers.

  2. In the service provider, configure Identity Server as a trusted provider.

    For more information, see Section 2.8.3, Managing Trusted Providers.

  3. In Identity Server, configure the service provider with the required authentication contracts.

    For information about how to configure a service provider, see Defining Options for SAML 2.0, To Define Options for Liberty Service Provider, and Defining Options for SAML 1.1 Service Provider.

Results: The following are four possible scenarios:

  • If the user is authenticated with the name password basic contract before making an Intersite Transfer Service request to SP_A, Identity Server performs step up to the name password form authentication.

  • If the user is authenticated with the name password form contract before making an Intersite Transfer Service request to SP_A, Identity Server does not prompt for authentication.

  • If the user is authenticated with the secure name password contract before making an Intersite Transfer Service request to SP_A, Identity Server does not prompt for authentication, because the level 20 contract is satisfied by the level 30 contract.

  • If the user is not authenticated while making an Intersite Transfer Service request to SP_A, Identity Server performs step up to the name password form authentication.
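The four scenarios above, modelled as an added example that is not Access Manager code: the contract names and levels are the ones configured in the setup, while the `contract_to_prompt` and `intersite_transfer` functions and the session-as-a-set-of-contracts model are assumptions made for illustration. It also shows what happens when the Satisfiable by a contract of equal or higher level option from the NOTE is left off.

```python
from dataclasses import dataclass

# Added example: a model of the step-up decision described in this section.
# It is not Access Manager code; contract names and levels are the page's, the
# function names and the session model are assumptions made for illustration.

@dataclass(frozen=True)
class Contract:
    name: str
    level: int
    # The "Satisfiable by a contract of equal or higher level" option.
    satisfiable_by_higher: bool = False

NAME_PASSWORD_BASIC = Contract("name password basic", 10, satisfiable_by_higher=True)
NAME_PASSWORD_FORM = Contract("name password form", 20, satisfiable_by_higher=True)
SECURE_NAME_PASSWORD = Contract("secure name password", 30)

def contract_to_prompt(session, required):
    """Return the contract the identity provider must prompt for, or None when the
    contracts already in the session satisfy the service provider's requirement."""
    if required in session:
        return None                      # exact contract already authenticated
    if required.satisfiable_by_higher and any(c.level >= required.level for c in session):
        return None                      # satisfied by an equal-or-higher-level contract
    return required                      # step up (or initial login) is needed

def intersite_transfer(session, required):
    """Simulate an Intersite Transfer Service request: return the contract the user
    was prompted for (None if not prompted) and the session after the request."""
    prompt = contract_to_prompt(session, required)
    if prompt is None:
        return None, frozenset(session)
    # After the user enters valid credentials the contract is added to the session.
    return prompt, frozenset(session) | {prompt}

SP_A_REQUIRED = NAME_PASSWORD_FORM   # the contract configured for SP_A in the setup

if __name__ == "__main__":
    scenarios = {
        "name password basic session": frozenset({NAME_PASSWORD_BASIC}),
        "name password form session": frozenset({NAME_PASSWORD_FORM}),
        "secure name password session": frozenset({SECURE_NAME_PASSWORD}),
        "no session": frozenset(),
    }
    for label, session in scenarios.items():
        prompt, _ = intersite_transfer(session, SP_A_REQUIRED)
        print(f"{label}: {'step up to ' + prompt.name if prompt else 'no prompt'}")
```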

The following diagram illustrates the workflow:

Workflow:

  1. A user tries to authenticate in Identity Provider.

  2. The user is prompted to authenticate using the Name Password Basic contract.

  3. The user enters the credentials.

  4. The Name Password Basic contract is authenticated in Identity Provider and added to the user session. The Name Password Basic contract is the default contract in Identity Provider.

  5. The user logs in to Identity Provider.

  6. The user makes an Intersite Transfer Service request to SP_A.

  7. Identity Provider prompts for the authentication using the Name Password Form contract.

  8. The user enters the credentials.

  9. The Name Password Form contract is authenticated in Identity Provider and added to the user session.

  10. The user is redirected to SP_A.

For information about service provider initiated single sign-on, with an example, see Contracts Assigned to a SAML 2.0 Service Provider.