Hi all,

I have several third-party SPs federated with the NAM IdP, and I'm
trying to figure out a way to make it so that the IdP will only send
assertions, or allow authentication requests for those SPs in
conjunction with a specific authentication level or contract. For
example, for SP A we may want to use username/password, and SP B only
2-factor. It seems to me there's no way to restrict this as someone who
knows what they are doing can simply use any contract with the intersite
transfer service, and federate with an SP. I know the SPs can send an
authncontext to require a certain contract on the IdP, but in most cases
these SPs will not send any context, so restricting this on the SP side
is not an option. Is that even possible on the NAM IDP? This a huge
need for us because we're selectively rolling out 2-factor
authentication and we'll be wanting for force some of these SPs to use
2-factor contracts and others not (yet). I'm also looking at the Trust
Level class, but that doesn't quite seem to be what I'm looking for.


adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
View this thread: https://forums.netiq.com/showthread.php?t=50281