Introduction

A SAML Authentication Request is initiated by the service provider / client to request the identity provider to authenticate a user. This request is typically generated when a user attempts to access a service that requires authentication and their current session is not authenticated. The request informs the identity provider that a user needs verification and prompts the IdP to either initiate a login process or verify the existing authentication state.

...

Scoping in the context of SAML is a mechanism used to refine or restrict the processing of authentication and attribute queries. This feature is particularly useful in federated identity environments, where a user's identity and authentication information might be managed across various external identity providers (IdPs). Scoping allows a service provider / client to specify which IdPs should be involved in the authentication process or from where the attributes should be sourced.

Purpose of Scoping in SAML

The main goals of using scoping in SAML include:

...

Controlling the IdP Selection: Directing the authentication request to specific IdPs, which can be crucial for ensuring that the authentication happens through an authorized and trusted provider.

...

Enhancing Security: By restricting the authentication process to predefined IdPs, scoping helps in mitigating potential security risks associated with unauthorized or rogue IdP instances.

Key Elements of SAML Scoping

...

  • ProxyCount: This optional attribute specifies the maximum number of proxying hops permitted when processing this request. This feature is not yet implemented.

  • IDPList: A list of IdPs that are allowed or suggested to be used for handling the request. This is particularly useful in scenarios where the user or the service provider wants to limit which IdPs can respond.

...

  • ProviderID: The unique identifier of the IdP, which has to match the authentication scheme of the external identity provider in the CoreOne Suite Configuration.

  • Name: A human-readable name for the IdP, useful in user interfaces.

  • Loc: An optional attribute that provides a location (URL) where the IdP can be reached.

...

Consider a scenario where a service provider wants to ensure that authentication requests are handled only by specific IdPs. Here is an example of how a SAML AuthnRequest with scoping might be structured:
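The following is an added example, not code from the original page or from CoreOne Suite: it constructs a sample AuthnRequest carrying a Scoping element with ProxyCount and an IDPList, parses out the entries, and applies the rule stated above that each ProviderID must match a configured external identity provider before it is used. The entity IDs, URLs and the configured-IdP set are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest; entity IDs and URLs are placeholders, not real deployments.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.test/saml/sso"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:Scoping ProxyCount="1">
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://idp-a.example.test" Name="IdP A"
                      Loc="https://idp-a.example.test/sso"/>
      <samlp:IDPEntry ProviderID="https://idp-unknown.example.test" Name="Unknown IdP"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>"""

# Constructed stand-in for the configured external identity providers (matched on ProviderID).
CONFIGURED_EXTERNAL_IDPS = {"https://idp-a.example.test", "https://idp-b.example.test"}


def parse_scoping(authn_request_xml: str) -> dict:
    """Extract ProxyCount and the IDPList entries (ProviderID, Name, Loc) from an AuthnRequest."""
    # The request is untrusted input; in production parse it with defusedxml to block entity expansion.
    root = ET.fromstring(authn_request_xml)
    scoping = root.find("samlp:Scoping", NS)
    if scoping is None:
        return {"proxy_count": None, "idp_entries": []}
    proxy_count = scoping.get("ProxyCount")
    entries = [
        {"provider_id": e.get("ProviderID"), "name": e.get("Name"), "loc": e.get("Loc")}
        for e in scoping.findall("samlp:IDPList/samlp:IDPEntry", NS)
    ]
    return {"proxy_count": int(proxy_count) if proxy_count is not None else None, "idp_entries": entries}


def select_idps(authn_request_xml: str, configured: set) -> tuple:
    """Split requested ProviderIDs into (usable, rejected): only configured external IdPs are usable."""
    scoping = parse_scoping(authn_request_xml)
    requested = [e["provider_id"] for e in scoping["idp_entries"] if e["provider_id"]]
    usable = [p for p in requested if p in configured]
    rejected = [p for p in requested if p not in configured]
    return usable, rejected
```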

...