I've never actually done it with query string, that's why I said probably.
If using a query string, I would imagine you would not need a different directory. Should be simple enough to test out unless someone else chimes in that has definitely done it that way.
The actual setup I've used is two different directory paths - was just easier in our setup to do it this way.
----------------
Example setup below. Downside is that because it's not 'dynamic' (i.e., authentication type determined by the requested authncontext) the entire SP is forced to step-up; unless you use multiple entityIDs of course.
Auth Schemes
  Auth Scheme #1
    Name = Password
    Level = 2
    Type = HTML Forms
  Auth Scheme #2
    Name = Token
    Level = 3
    Type = RSA Token
IIS
  /login/low/redirect.aspx
  /login/high/redirect.aspx
Application Object
  Name = Login App
  Component #1
    /login/low/
    Scheme = Password
  Component #2
    /login/high/
    Scheme = Token
SAML Partnership that requires lower level
  Name: MyLowApp
  Authentication Method: Local
  Authentication URL: https://sso.mydomain.com/login/low/
  Automatically Detect Authentication Class
  AuthnContext Template: MyTemplate
  Minimum Authentication Level = 2
SAML Partnership that requires higher level
  Name: MyHighApp
  Authentication Method: Local
  Authentication URL: https://sso.mydomain.com/login/high/
  Automatically Detect Authentication Class
  AuthnContext Template: MyTemplate
  Minimum Authentication Level = 3
=================
- I go to MyLowApp, get redirected to IDP with authnrequest
- I am presented a login form allowing Password or Token (from the /login/low/ auth URL scheme)
- I log in with my Password. My session is created at level=2 and redirected back to MyLowApp SP with assertion containing authncontext=Password
- I successfully access MyLowApp
- I now visit MyHighApp, get redirected to IDP with authnrequest
- My session is not at a high enough level, IDP denies generation of assertion
- IDP redirects me to the login URL for MyHighApp
- I am presented a login form requesting I step up to Token (from the /login/high/ auth URL scheme)
- I authenticate with my Token. My session is created at level=3 and redirected back to MyHighApp SP with assertion containing authncontext=TimeSyncToken
- I successfully access MyHighApp
All redirects are using the normal /affwebservices/public/saml2sso, the authentication URL + minimum authlevel on the partnership would be determining the 'step-up' behavior.
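The walkthrough above boils down to one comparison made by the IdP on every AuthnRequest: if the current session level meets the partnership's Minimum Authentication Level, issue the assertion with the AuthnContext of the scheme that created the session; otherwise redirect to that partnership's Authentication URL, whose IIS directory is protected by exactly one scheme, so the user is forced to step up. The Python below is an added simulation of that decision, written for this page and not taken from the post or from SiteMinder; the scheme table, directory mapping, partnership records and the `Session`/`Partnership` classes are constructed stand-ins for the product's own objects, and the rule that a session level is never lowered is this simulation's choice. It also shows the downside the post mentions: the check is per partnership, so every request to MyHighApp requires the Token level, regardless of what AuthnContext the SP asked for.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed from the post's example setup. This is a simulation of the
# level-based step-up decision, not SiteMinder's object model or API.
AUTH_SCHEMES = {
    # scheme name -> level and the AuthnContext value the post shows in the assertion
    "Password": {"level": 2, "authncontext": "Password"},
    "Token":    {"level": 3, "authncontext": "TimeSyncToken"},
}

# IIS directory -> the single scheme protecting it (the Application Object components)
LOGIN_PATHS = {
    "/login/low/":  "Password",
    "/login/high/": "Token",
}


@dataclass
class Partnership:
    name: str
    auth_url: str
    min_level: int


@dataclass
class Session:
    user: str
    level: int = 0               # 0 = no session yet
    scheme: Optional[str] = None


PARTNERSHIPS = {
    "MyLowApp":  Partnership("MyLowApp",  "https://sso.mydomain.com/login/low/",  2),
    "MyHighApp": Partnership("MyHighApp", "https://sso.mydomain.com/login/high/", 3),
}


def handle_authn_request(session: Session, sp_name: str) -> dict:
    """IdP side of the saml2sso endpoint: issue an assertion if the session
    already meets the partnership's Minimum Authentication Level, otherwise
    send the user to that partnership's Authentication URL."""
    p = PARTNERSHIPS[sp_name]
    if session.level >= p.min_level:
        return {
            "action": "assertion",
            "sp": p.name,
            "authncontext": AUTH_SCHEMES[session.scheme]["authncontext"],
            "level": session.level,
        }
    return {"action": "redirect", "to": p.auth_url, "required_level": p.min_level}


def authenticate(session: Session, auth_url: str, credential_ok: bool) -> Session:
    """Login at one of the protected directories. The directory fixes which
    scheme is offered; on success the session takes that scheme's level
    (never lowered, a choice of this simulation)."""
    scheme = LOGIN_PATHS[urlparse(auth_url).path]
    if not credential_ok:
        raise PermissionError(f"{scheme} authentication failed for {session.user}")
    level = AUTH_SCHEMES[scheme]["level"]
    if level > session.level:
        session.level = level
        session.scheme = scheme
    return session


def walk_through(user: str = "alice") -> list:
    """Replay the post's sequence and collect each IdP decision in order."""
    s = Session(user)
    events = []
    r = handle_authn_request(s, "MyLowApp")            # no session -> redirect to /login/low/
    events.append(r)
    authenticate(s, r["to"], credential_ok=True)       # Password login, level 2
    events.append(handle_authn_request(s, "MyLowApp"))  # assertion, authncontext=Password
    r = handle_authn_request(s, "MyHighApp")           # level 2 < 3 -> redirect to /login/high/
    events.append(r)
    authenticate(s, r["to"], credential_ok=True)       # Token login, level 3
    events.append(handle_authn_request(s, "MyHighApp"))  # assertion, authncontext=TimeSyncToken
    events.append(handle_authn_request(s, "MyLowApp"))   # still satisfied after step-up
    return events


if __name__ == "__main__":
    for e in walk_through():
        print(e)
```

Running it prints the five decisions in the same order as the bullet list: redirect, assertion at level 2, redirect for step-up, assertion at level 3, and a further level-3 assertion for MyLowApp showing that the stepped-up session still satisfies the lower partnership.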