Discuss this help topic in SecureBlackbox Forum

Authenticate a client

When TElSAMLIdentityProvider receives a request from an SP, the request is processed automatically according to the known SP metadata and the IdP options. If the request is valid, the client is redirected to the IdP for authentication. The authentication procedure depends on the IdP options and may be as simple as a client IP check, an X.509 client certificate authentication, or a login credentials check.

According to the standard, an SP authentication request may be "passive" or "active". In addition, the SP may or may not request a particular authentication scheme. This leads to one of several cases:

  1. If the SP requests an authentication scheme in its request and that scheme is listed in the TElSAMLIdentityProvider.SupportedAuthnContextClasses property, then that scheme is used to authenticate the user.
  2. If the request has the "passive" flag, then the scheme defined by the TElSAMLIdentityProvider.DefaultPassiveAuthnContextClassRef property is used ('urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient' is the default). The passive schemes are:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol – authentication consists of a client IP check and depends on the value of the TElSAMLIdentityProvider.BlockedClientIP property, which should be assigned by the socket-related code when the client connects.
    • urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient – client-side X.509 certificate authentication. The TElSAMLIdentityProvider.OnCertificateValidate event should be implemented to validate incoming certificates. If the certificate validates, the authentication is accepted without any interaction with the client.
  3. If the request is not passive and no scheme is requested, then either the 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' or the 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password' scheme is used, depending on whether TLS is configured for the IdP. Both schemes require the client to enter login credentials.
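The scheme selection described in the three cases above, as an added example that models the decision logic and is not SecureBlackbox code. The class URNs, property names and default values come from this page; the `IdPOptions` dataclass and the function names are assumptions, and rejecting an active request for a scheme the IdP does not support is an assumption the page does not state.

```python
# Added example: models the authentication-scheme selection described above.
# The URNs and defaults are from the help text; TElSAMLIdentityProvider's real
# API is not used, and the handling of a requested-but-unsupported scheme in an
# active request (rejection) is this example's assumption, not documented here.
from dataclasses import dataclass, field
from typing import Optional

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
INTERNET_PROTOCOL = AC + "InternetProtocol"
TLS_CLIENT = AC + "TLSClient"
PASSWORD = AC + "Password"
PASSWORD_PROTECTED_TRANSPORT = AC + "PasswordProtectedTransport"

# Schemes that complete without prompting the client (IP check, client cert)
NON_INTERACTIVE = {INTERNET_PROTOCOL, TLS_CLIENT}


@dataclass
class IdPOptions:
    """Mirrors the TElSAMLIdentityProvider properties named in the text."""
    supported_authn_context_classes: set = field(
        default_factory=lambda: {TLS_CLIENT, PASSWORD, PASSWORD_PROTECTED_TRANSPORT})
    default_passive_authn_context_class_ref: str = TLS_CLIENT
    tls_configured: bool = True


def select_authn_scheme(opts: IdPOptions, requested: Optional[str],
                        passive: bool) -> Optional[str]:
    """Return the authentication context class the IdP will use, or None to reject."""
    # Case 1: the SP asked for a scheme that the IdP supports
    if requested is not None and requested in opts.supported_authn_context_classes:
        return requested
    # Case 2: passive request -> the configured default passive scheme
    if passive:
        return opts.default_passive_authn_context_class_ref
    # Case 3: active request with no scheme requested -> credentials check,
    # over a protected transport when the IdP has TLS configured
    if requested is None:
        return PASSWORD_PROTECTED_TRANSPORT if opts.tls_configured else PASSWORD
    # Active request for an unsupported scheme: not covered by the help text;
    # rejecting it is an assumption made by this example
    return None


def requires_client_interaction(scheme: str) -> bool:
    """IP check and client-certificate auth are accepted without a prompt."""
    return scheme not in NON_INTERACTIVE
```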
