You can use Access Manager as an identity provider for several service providers. You can configure a specific authentication contract that is required for a service provider. If you have configured more than one authentication contract for a service provider, the contract with the minimum level is selected.
When providing authentication to a service provider, Identity Server ensures that the user is authenticated by the required contract. When a user is not authenticated, or is authenticated but the authenticated contracts do not satisfy the required contracts, the user is prompted to authenticate with the required contract. This is called step-up authentication.
If no required contract is configured, then the default contract is executed.
Perform the following steps to define options for a WS Federation service provider:
Click Devices > Identity Servers > Servers > Edit > WS Federation > Service Provider > Options.
Select the required step-up authentication contracts from Available contracts and move them to the Selected contracts list. This enables step-up authentication for the service provider.
NOTE: Only the contract that is configured first in Selected contracts will be executed.
Only local authentication contracts can be used for a WS Federation service provider.
Click OK > Apply.