Assurance

["Cantor, Scott" <>]

On 9/8/11 6:14 PM, "Roy, Nicholas S" 
<>
 wrote:
>
>The wiki you created says (under the IdP Behavior section):
>
>"Is a custom login handler required?"
>
>My questions are: Can the IdP send a person to different login handlers
>depending on the IAQ desired in the AuthnRequest (for instance, could I
>make a determination that someone needs Silver and kick them over to an
>X.509 cert mapping authN handler for that, but for everything else, just
>use username and password?)

Yes, but there's a downgrade bug right now in doing that.

>  And, for those SPs that can't request a specific IAQ in the
>AuthnRequest, if the "right knob" can be twiddled with policy to make the
>IdP aware that that SP needs a  specific IAQ, can I then use a different
>login handler to handle that?

If there is, it would be on the relying party element, a default
authentication method or something along those lines.

-- Scott