Contracts Assigned to a WS Federation Service Provider

In a federation, the authentication request that a service provider sends to Identity Server does not always carry contract information. When it does not, Identity Server authenticates the user with its default contract. With step-up authentication you can instead assign a contract to each service provider for such cases, so that the assigned contract is executed in place of the global default.

The following scenario helps you understand the execution of contracts that are assigned to a WS Federation service provider:

Figure 5-17 Step-up authentication example with two applications

Two web applications, Payroll Portal and HR Portal, are protected through different service providers and both use Access Manager Identity Server as the identity provider. The user should authenticate with the Name/Password - Form contract whenever accessing the HR application, and with the higher-level X509 contract when accessing the Payroll application. Identity Server can execute the contract assigned to each service provider instead of the default contract.

Perform the following steps to assign a specific contract to a service provider:

  1. Click Devices > Identity Servers > Edit > WS Federation.

  2. Click the configured service provider.

  3. Go to Options > Step Up Authentication contracts and select the contracts from the Available contracts list.

NOTE: When you use service provider (SP) initiated login with a WS-Federation SP, the SP configuration can influence which Access Manager contract is selected for authentication, depending on the values sent in the WS-Federation authentication request (for example, the optional wauth parameter, which names the authentication type the SP requires). For this to work, define your Access Manager contract URI so that it matches the value the service provider sends; otherwise the request cannot be matched to a contract.
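The following is an added example that models the selection behaviour described in the scenario and in the note above: it parses a WS-Federation passive sign-in request, uses the wauth value when the SP sends one (which must match a configured contract URI), otherwise falls back to the contract assigned to that SP, and finally to the default contract. It is illustrative code, not Access Manager's implementation; the hostname, endpoint path, realm values, contract URIs and the precedence order (request value before assigned contract before default) are assumptions.

```python
"""Illustrative model of contract selection for a WS-Federation SP-initiated
sign-in. Added example, not Access Manager's code; all URIs are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


class ContractMismatch(Exception):
    """The SP requested an authentication type that no configured contract URI matches."""


@dataclass
class ServiceProvider:
    realm: str                                              # value the SP sends as wtrealm
    step_up_contracts: list = field(default_factory=list)   # assigned under Options > Step Up Authentication contracts


@dataclass
class IdentityServer:
    contracts: set                                  # URIs of every configured contract
    default_contract: str                           # used when nothing more specific applies
    providers: dict = field(default_factory=dict)   # wtrealm -> ServiceProvider

    @staticmethod
    def parse_signin(url):
        """Extract the WS-Federation passive sign-in parameters from a request URL."""
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        params = {k: v[0] for k, v in query.items()}
        if params.get("wa") != "wsignin1.0":
            raise ValueError("not a WS-Federation sign-in request (wa != wsignin1.0)")
        if "wtrealm" not in params:
            raise ValueError("wtrealm missing: cannot identify the service provider")
        return params

    def select_contract(self, url):
        """Return the contract URI to execute for this request."""
        params = self.parse_signin(url)
        sp = self.providers.get(params["wtrealm"])
        if sp is None:
            raise ValueError(f"unknown service provider realm {params['wtrealm']!r}")

        # 1. A wauth value in the request must match a configured contract URI
        #    exactly; a value nothing matches is rejected rather than silently
        #    downgraded. Assumption: the request value wins over SP assignment.
        requested = params.get("wauth")
        if requested is not None:
            if requested not in self.contracts:
                raise ContractMismatch(f"wauth {requested!r} matches no configured contract URI")
            return requested

        # 2. No authentication type in the request: use the contract assigned
        #    to this SP (assumption: the first listed contract is executed).
        if sp.step_up_contracts:
            return sp.step_up_contracts[0]

        # 3. Nothing assigned to the SP: fall back to the default contract.
        return self.default_contract


def build_example():
    """Constructed deployment mirroring the HR Portal / Payroll Portal scenario."""
    name_pw = "urn:example:contracts:name-password-form"
    x509 = "urn:example:contracts:x509"
    basic = "urn:example:contracts:name-password-basic"
    return IdentityServer(
        contracts={name_pw, x509, basic},
        default_contract=basic,
        providers={
            "urn:example:hr-portal": ServiceProvider("urn:example:hr-portal", [name_pw]),
            "urn:example:payroll": ServiceProvider("urn:example:payroll", [x509]),
            "urn:example:intranet": ServiceProvider("urn:example:intranet"),  # nothing assigned
        },
    )


if __name__ == "__main__":
    idp = build_example()
    # Constructed request URLs; the endpoint path is an assumption.
    base = "https://idp.example.com/nidp/wsfed/ep?wa=wsignin1.0&wctx=ctx1&wtrealm="
    for realm in ("urn:example:hr-portal", "urn:example:payroll", "urn:example:intranet"):
        print(realm, "->", idp.select_contract(base + realm))
    try:
        idp.select_contract(base + "urn:example:hr-portal&wauth=urn:example:contracts:smartcard")
    except ContractMismatch as exc:
        print("rejected:", exc)
```

The mismatch branch is the one to watch in practice: if the SP sends a wauth value and no contract URI in Identity Server is spelled identically, the login fails rather than quietly running the default contract, which is why the contract URI has to be defined to match what the SP sends.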