
SAML SP multiple authlevels for a single IdP

Question asked by CBertagnolli Champion on Mar 10, 2015
Latest reply on Mar 12, 2015 by CBertagnolli

Ok the SAML setups needed for SiteMinder are insanely confusing and not straightforward at all -- been poring over the docs, which haven't been any real help...so could really use some pointers here.

I've got a very simple requirement to have a single remote IdP. I need to create SMSESSION at appropriate level depending on the authentication context returned.

Example

Request 1 - Send TimeSyncToken and IdP enforces two-factor token authentication. Response assertion contains the "TimeSyncToken" class and SiteMinder creates a session at Level 3

Request 2 - Send Smartcard and IdP enforces smartcard authentication. Response assertion contains the "TimeSyncToken" class and SiteMinder creates a session at Level 4.

Is this doable with SiteMinder? If so, how can I do this when an SP -> IdP partnership only has one level assigned (even though you can assign multiple context references)? And how do you dynamically send different contexts in a request (i.e., same partnership send context A in request 1 and context B in request 2)?
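To make the two halves of the question concrete (what the SP sends in the request, and how the returned context class is turned into a session level), here is an added Python example that is not SiteMinder code and not from the original post. The class-to-level table, the `required_level` parameter and the sample assertion are assumptions built from the two cases in the question; the context class URIs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical SP-side policy modelled on the question: which context
# class maps to which session level. Anything not listed is rejected.
LEVEL_FOR_CLASS = {
    AC + "TimeSyncToken": 3,
    AC + "Smartcard": 4,
}

def build_requested_authn_context(required_level):
    """Build the samlp:RequestedAuthnContext the SP embeds in its AuthnRequest.
    Only classes that satisfy required_level are listed, so the same
    partnership can ask for different contexts on different requests."""
    classes = [c for c, lvl in LEVEL_FOR_CLASS.items() if lvl >= required_level]
    if not classes:
        raise ValueError("no context class satisfies level %d" % required_level)
    rac = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"], Comparison="exact")
    for c in sorted(classes, key=LEVEL_FOR_CLASS.get):
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"]).text = c
    return rac

def session_level_from_assertion(assertion_xml, min_level):
    """Map the assertion's AuthnContextClassRef to a session level.
    Assumes the caller has already verified the assertion signature.
    Fails closed: unknown class or insufficient level raises."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        raise ValueError("assertion carries no AuthnContextClassRef")
    level = LEVEL_FOR_CLASS.get(ref.text.strip())
    if level is None:
        raise ValueError("unmapped context class: " + ref.text)
    if level < min_level:
        raise ValueError("context level %d below required %d" % (level, min_level))
    return level

# Constructed sample assertion (smartcard case), not from any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2015-03-10T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2015-03-10T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

The same constructed smartcard assertion satisfies a level 3 resource and a level 4 resource, while a TimeSyncToken assertion would satisfy only level 3.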
