Discuss this help topic in SecureBlackbox Forum

Authenticate a client

A request received from an SP by TElSAMLIdentityProvider is processed automatically, in accordance with the known SP metadata and the IdP options. If the request is valid, the client is redirected to the IdP for authentication. The authentication algorithm depends on the IdP options and may be as simple as an IP address check, X.509 client certificate authentication, or a login credentials check.

According to the standard, an SP authentication request may be either "passive" or "active", and the SP may or may not request a particular authentication scheme. The following combinations are therefore possible:

  1. If an authentication scheme is requested by the SP and that scheme is listed in the TElSAMLIdentityProvider.SupportedAuthnContextClasses property, it is used for authentication.
  2. If the request has the "passive" flag set, the scheme defined by the TElSAMLIdentityProvider.DefaultPassiveAuthnContextClassRef property is used ('urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient' is the default). The passive schemes are:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol - authentication involves a check of the client's IP address and depends on the value of the TElSAMLIdentityProvider.BlockedClientIP property. This property should be assigned by the socket-handling code when the client connects.
    • urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient - client-side X.509 certificate authentication. The TElSAMLIdentityProvider.OnCertificateValidate event handler should be implemented to validate incoming certificates. If the certificate is valid, authentication is accepted without any interaction with the client.
  3. If the request is not passive and does not specify a scheme, either 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' or 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password' is used, depending on whether TLS is configured for the IdP. Both schemes require the client to enter login credentials.
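The scheme selection above, written out as a small decision function. This is an added illustration, not SecureBlackbox code: the IdPOptions and AuthnRequest classes and their field names are constructed to mirror the properties named in the text, and the handling of a requested-but-unsupported scheme (falling through to the non-passive rule rather than honouring it) is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
INTERNET_PROTOCOL = AC_PREFIX + "InternetProtocol"
TLS_CLIENT = AC_PREFIX + "TLSClient"
PASSWORD_PROTECTED_TRANSPORT = AC_PREFIX + "PasswordProtectedTransport"
PASSWORD = AC_PREFIX + "Password"

# Schemes that complete without asking the user for anything.
NON_INTERACTIVE = {INTERNET_PROTOCOL, TLS_CLIENT}


@dataclass
class IdPOptions:
    """Constructed stand-in for the IdP properties mentioned in the text."""
    supported_authn_context_classes: List[str] = field(
        default_factory=lambda: [TLS_CLIENT, PASSWORD_PROTECTED_TRANSPORT])
    default_passive_authn_context_class_ref: str = TLS_CLIENT
    tls_enabled: bool = True


@dataclass
class AuthnRequest:
    """Constructed stand-in for the relevant parts of an SP AuthnRequest."""
    requested_class_ref: Optional[str] = None
    is_passive: bool = False


def select_authn_context(req: AuthnRequest, opts: IdPOptions) -> str:
    """Return the AuthnContext class the IdP will use, following rules 1-3."""
    # Rule 1: honour the SP's requested scheme only if the IdP supports it.
    if req.requested_class_ref in opts.supported_authn_context_classes:
        return req.requested_class_ref
    # Rule 2: passive requests get the configured passive default.
    if req.is_passive:
        return opts.default_passive_authn_context_class_ref
    # Rule 3: no usable scheme requested -> credentials; the transport
    # decides which password class is asserted. (Assumption: an unsupported
    # requested scheme lands here too rather than being honoured.)
    return PASSWORD_PROTECTED_TRANSPORT if opts.tls_enabled else PASSWORD


def requires_user_interaction(class_ref: str) -> bool:
    """True for schemes that need the client to enter login credentials."""
    return class_ref not in NON_INTERACTIVE
```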
