canada-ca / CATS-STAE

Cyber Authentication Technology - Technologie d’authentification électronique
https://canada-ca.github.io/CATS-STAE/

How should a SAML IDP proxy signal the availability of identity attributes? #22

Open harrdou opened 4 years ago

harrdou commented 4 years ago

SAML relying parties will normally start an authentication flow by requesting an anonymous credential authentication first. Once they receive the credential PAI from this first response they will be able to check for it in their mapping database and determine if the user is already enrolled.

If there is no PAI mapped then the RP needs to know whether the user selected an anonymous credential provider (e.g. GCKey or CBS) or a trusted digital identity provider (e.g. a Province). This will determine what the next step in the enrollment flow will be.

There are two possible mechanisms that the RP could use to do this:

1) Send a second `<samlp:AuthnRequest>` to the IDP proxy requesting the desired attributes, and see if any are returned.
2) Have the IDP proxy signal in the original response whether an identity assertion is available.

I think the second approach would probably be easier for the RP to implement. It also avoids the need for a potentially unnecessary round trip to the IDP and back.

If we go with option 2, the question is then how best to signal, in the credential authentication assertion, that the user selected a trusted identity provider and therefore an identity assertion is also available if needed. There are 3 places in the `<saml:Assertion>` this could go:

1) We could add an additional `<saml:AuthnContextClassRef>` (along with the credential LoA) to flag that an identity authentication also took place. This could indicate the level of identity assurance.
2) We could populate `<saml:AuthenticatingAuthority>` with the issuer of the identity (i.e. which province the user chose).
3) We could add a `<saml:Attribute>` with a boolean value indicating whether or not an identity authentication took place.

These 3 options are not mutually exclusive. CATS could require the proxy to do all 3 of the above but that would probably be overkill.

I'm looking for feedback from RPs as to which of the above they would prefer.

-D
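The RP-side half of option 2, as an added example that is not part of the issue or of the CATS-STAE project: a check that reads all three candidate signals (an extra `AuthnContextClassRef`, an `AuthenticatingAuthority`, a boolean `Attribute`) from a credential assertion and decides the next enrolment step. The element names are standard SAML 2.0; the identity-assurance URI prefix, the attribute name, the placement of the PAI in a persistent `NameID`, the step names and both sample assertions are assumptions made for the example.

```python
"""Added example, not CATS-STAE code: RP-side detection of the three
'identity assertion available' signals proposed in the issue.
Element names are standard SAML 2.0; the URIs, attribute name, PAI location
(persistent NameID) and the sample assertions are assumptions."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Hypothetical identifiers, not taken from the CATS specification.
IDENTITY_LOA_PREFIX = "urn:example:identity-assurance:LoA"
IDENTITY_FLAG_ATTR = "urn:example:identity-authenticated"


def identity_signals(assertion_xml: str) -> dict:
    """Extract the three candidate signals (plus the PAI) from an assertion.

    Call this only on an assertion whose XML signature your SAML library has
    already verified: every signal below is plain XML content and would
    otherwise be attacker-controlled.
    """
    root = ET.fromstring(assertion_xml)
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext", NS)
    # Option 1: a second AuthnContextClassRef carrying the identity LoA.
    refs = [] if ctx is None else [
        e.text.strip() for e in ctx.findall("saml:AuthnContextClassRef", NS) if e.text]
    # Option 2: AuthenticatingAuthority names the province that did the identity
    # authentication (SAML 2.0 uses it for authorities other than the Issuer).
    authorities = [] if ctx is None else [
        e.text.strip() for e in ctx.findall("saml:AuthenticatingAuthority", NS) if e.text]
    # Option 3: a boolean attribute; None means the proxy sent no such attribute.
    flag = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == IDENTITY_FLAG_ATTR:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text:
                flag = val.text.strip().lower() == "true"
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return {
        "pai": name_id.text.strip() if name_id is not None and name_id.text else None,
        "identity_loa": next((r for r in refs if r.startswith(IDENTITY_LOA_PREFIX)), None),
        "identity_issuer": authorities[0] if authorities else None,
        "identity_flag": flag,
    }


def next_step(assertion_xml: str, pai_map: dict) -> str:
    """Decide the RP's next step from the credential assertion alone.

    Step names are hypothetical. A known PAI means the user is enrolled; an
    unknown PAI with any identity signal means the RP can fetch the identity
    assertion; otherwise the user chose an anonymous credential provider.
    """
    s = identity_signals(assertion_xml)
    if s["pai"] in pai_map:
        return "already-enrolled"
    identity_available = (
        s["identity_loa"] is not None
        or s["identity_issuer"] is not None
        or s["identity_flag"] is True
    )
    return "request-identity-assertion" if identity_available else "anonymous-enrolment"


def _assertion(name_id: str, extra_context: str = "", attributes: str = "") -> str:
    """Build a constructed (unsigned) credential assertion for the example."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp-proxy.example</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{name_id}</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:credential:LoA2</saml:AuthnContextClassRef>{extra_context}
    </saml:AuthnContext>
  </saml:AuthnStatement>{attributes}
</saml:Assertion>"""


# Constructed sample: user chose a provincial identity provider; all three signals present.
IDENTITY_ASSERTION = _assertion(
    "pai-7f3a",
    extra_context=f"<saml:AuthnContextClassRef>{IDENTITY_LOA_PREFIX}2</saml:AuthnContextClassRef>"
                  "<saml:AuthenticatingAuthority>https://idp.province.example</saml:AuthenticatingAuthority>",
    attributes=f'<saml:AttributeStatement><saml:Attribute Name="{IDENTITY_FLAG_ATTR}">'
               '<saml:AttributeValue>true</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>')

# Constructed sample: anonymous credential (e.g. GCKey), no identity signals at all.
CREDENTIAL_ONLY_ASSERTION = _assertion("pai-9c21")

if __name__ == "__main__":
    print(next_step(IDENTITY_ASSERTION, {}))
    print(next_step(CREDENTIAL_ONLY_ASSERTION, {}))
    print(next_step(CREDENTIAL_ONLY_ASSERTION, {"pai-9c21": "user-42"}))
```

Whichever signal CATS eventually mandates, the RP should read it only from the signed assertion it has already validated, and should treat "absent" (no second `AuthnContextClassRef`, no `AuthenticatingAuthority`, no attribute) as "anonymous credential" rather than as an error, since that is the normal GCKey path.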