How should a SAML IDP proxy signal the availability of identity attributes? #22

Open
harrdou opened this issue Nov 11, 2019 · 0 comments

harrdou commented Nov 11, 2019

SAML relying parties will normally start an authentication flow by requesting an anonymous credential authentication first. Once they receive the credential PAI from this first response they will be able to check for it in their mapping database and determine if the user is already enrolled.

If there is no PAI mapped then the RP needs to know whether the user selected an anonymous credential provider (e.g. GCKey or CBS) or a trusted digital identity provider (e.g. a Province). This will determine what the next step in the enrollment flow will be.

There are two possible mechanisms that the RP could use to do this:

  1. Send a second <samlp:AuthnRequest> to the IDP proxy requesting the desired attributes, and see if any are returned,
  2. Have the IDP proxy signal in the original response whether an identity assertion is available.

I think the second approach would probably be easier for the RP to implement. It also avoids the need for a potentially unnecessary round trip to the IDP and back.

If we go with option 2, the question is then how best to signal, in the credential authentication assertion, that the user selected a trusted identity provider and therefore an identity assertion is also available if needed. There are 3 places in the <saml:Assertion> this could go:

  1. We could add an additional <saml:AuthnContextClassRef> (along with the credential LoA) to flag that an identity authentication also took place. This could indicate the level of identity assurance.
  2. We could populate <saml:AuthenticatingAuthority> with the issuer of the identity (i.e. which province the user chose)
  3. We could add a <saml:Attribute> with a boolean value indicating whether or not an identity authentication took place.

These 3 options are not mutually exclusive. CATS could require the proxy to do all 3 of the above but that would probably be overkill.

I'm looking for feedback from RPs as to which of the above they would prefer.

-D
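As an added example that is not part of the issue or of CATS, the following Python shows what an RP-side check for the three proposed signals would look like, using only the standard library's ElementTree. Everything specific is an assumption made for illustration: the `urn:example:cats:...` class-ref prefixes, the attribute name, the issuer URLs and the sample assertions (constructed here, not captured from a proxy). One point the sketch has to deal with: the SAML 2.0 schema allows exactly one `AuthnContextClassRef` per `AuthnContext`, so an "additional" class ref (option 1) has to travel in a second `AuthnStatement`, and the reader below collects class refs across all statements. The checks are only meaningful after the proxy's XML signature and the assertion's Conditions have been verified; on untrusted input, `defusedxml` is the safer parser.

```python
"""Added example: reading the three proposed 'identity available' signals from a
SAML credential assertion on the RP side.  Not code from the issue or from CATS;
every URI and attribute name below is an assumption made for illustration."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed identifiers: CATS has not fixed any of these.
CREDENTIAL_LOA_PREFIX = "urn:example:cats:credential:loa"
IDENTITY_LOA_PREFIX = "urn:example:cats:identity:loa"
IDENTITY_FLAG_ATTR = "urn:example:cats:identityAuthenticated"


def build_sample_assertion(identity_issuer=None, identity_loa=IDENTITY_LOA_PREFIX + "3"):
    """Construct test data (not a captured proxy response).

    identity_issuer=None models an anonymous credential only (e.g. GCKey); a
    value models a trusted identity provider being chosen, with all three
    proposed signals present.  A second AuthnStatement carries the identity
    class ref because the SAML 2.0 schema allows one AuthnContextClassRef per
    AuthnContext.
    """
    identity_part = ""
    if identity_issuer:
        identity_part = f"""
  <saml:AuthnStatement AuthnInstant="2019-11-11T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{identity_loa}</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>{identity_issuer}</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{IDENTITY_FLAG_ATTR}">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>"""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0"
    IssueInstant="2019-11-11T00:00:00Z">
  <saml:Issuer>https://idp-proxy.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PAI-1234</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2019-11-11T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{CREDENTIAL_LOA_PREFIX}2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>{identity_part}
</saml:Assertion>"""


def identity_signals(assertion_xml):
    """Return the PAI plus what each proposed signal says about identity availability.

    Precondition: the caller has already verified the proxy's XML signature and the
    assertion's Conditions (audience, validity window).  None of these fields can be
    trusted on an unverified assertion.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("expected a saml:Assertion, got %s" % root.tag)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    pai = name_id.text.strip() if name_id is not None and name_id.text else None

    # Option 1: identity LoA carried as an additional AuthnContextClassRef
    # (collected across all AuthnStatements, one class ref per AuthnContext).
    class_refs = [
        e.text.strip()
        for e in root.findall(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if e.text
    ]
    credential_loa = [c for c in class_refs if c.startswith(CREDENTIAL_LOA_PREFIX)]
    identity_loa = [c for c in class_refs if c.startswith(IDENTITY_LOA_PREFIX)]

    # Option 2: AuthenticatingAuthority names the identity issuer the user chose.
    authorities = [
        e.text.strip()
        for e in root.findall(".//saml:AuthnContext/saml:AuthenticatingAuthority", NS)
        if e.text
    ]

    # Option 3: a boolean attribute.  None means the attribute was absent.
    flag = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == IDENTITY_FLAG_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            flag = value is not None and (value.text or "").strip().lower() == "true"

    return {
        "pai": pai,
        "credential_loa": credential_loa,
        "identity_loa": identity_loa,
        "authenticating_authority": authorities,
        "identity_flag": flag,
        # Any one signal is enough for the RP to skip the second AuthnRequest.
        "identity_available": bool(identity_loa or authorities or flag),
    }


if __name__ == "__main__":
    print(identity_signals(build_sample_assertion()))
    print(identity_signals(build_sample_assertion("https://identity.province.example")))
```

Whichever option CATS settles on, the RP's branch is the same: no PAI in the mapping database and `identity_available` false means an anonymous-credential enrollment path; true means an identity assertion can be requested without another round trip through the user's browser to discover that fact.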