Set up SAML authentication context in Digital Access
This article includes updates for Smart ID 20.11 and Digital Access 6.3.0.
In a federated scenario where the Smart ID Digital Access component works as a SAML identity provider, service providers may ask for a certain Level of Assurance (LoA) by defining one or several corresponding SAML authentication contexts in the request sent to Digital Access during authentication. Only those authentication methods that are qualified to provide the corresponding security are then shown to the user. In Digital Access you can assign one or several authentication contexts to each authentication method to define which LoA a specific authentication method supports.
During authentication, Digital Access only shows those authentication methods whose authentication context matches the values in the SAML request.
If none of the authentication methods supports the requested authentication context, all methods are shown to the user. This can happen if the service provider does not ask for a certain authentication context but allows one with a higher level of assurance, and therefore higher security.
In a SAML federated scenario where Digital Access acts as an IDP proxy, a similar behavior can be achieved by setting the LoA translation group property. LoA translation groups define the conditions under which the AuthNContextClassRef in the SAML response is converted to a new value.
A scenario where LoA translation groups can be useful is when a SAML IDP proxy is used and the external IDP is unable to send back the expected AuthNContextClassRef. This translation also works when Digital Access acts as a SAML IDP.
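The two rules described above (filtering the offered authentication methods by the contexts in the service provider's request, and rewriting the AuthnContextClassRef in a response through a translation group) can be illustrated with a small Python model. This is an added example, not Digital Access code or configuration: the method names, the translation group structure, the issuer URLs and the SAML messages are all constructed for illustration, the request is treated as if its Comparison were "exact", and only the standard SAML 2.0 namespaces and element names are real.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP configuration (hypothetical method names): each authentication
# method is assigned one or several authentication context class URIs.
AUTH_METHODS: dict[str, set[str]] = {
    "Password": {AC + "Password", AC + "PasswordProtectedTransport"},
    "Mobile app": {AC + "MobileTwoFactorContract"},
    "Smart card": {AC + "SmartcardPKI", AC + "X509"},
}

# Constructed AuthnRequest in which the SP asks for two acceptable contexts.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}SmartcardPKI</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}MobileTwoFactorContract</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_contexts(authn_request_xml: str) -> set[str]:
    """Collect the AuthnContextClassRef values from the SP's RequestedAuthnContext."""
    root = ET.fromstring(authn_request_xml)
    return {el.text.strip() for el in root.iter(f"{{{SAML}}}AuthnContextClassRef") if el.text}


def select_methods(methods: dict[str, set[str]], requested: set[str]) -> list[str]:
    """Offer only methods whose assigned contexts overlap the requested ones.
    If nothing was requested, or no method matches, every method is offered,
    which is the fallback behaviour described in the article."""
    if not requested:
        return list(methods)
    matching = [name for name, contexts in methods.items() if contexts & requested]
    return matching or list(methods)


# Constructed translation group (hypothetical structure): when the named external
# IdP returns the "from" class ref, the proxy reports the "to" value instead.
TRANSLATION_GROUPS = [
    {
        "issuer": "https://external-idp.example.test",
        "from": AC + "PasswordProtectedTransport",
        "to": AC + "MobileTwoFactorContract",
    },
]

# Constructed, unsigned response from the external IdP as seen by the proxy.
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-resp-1" Version="2.0" IssueInstant="2021-01-01T00:00:05Z">
  <saml:Issuer>https://external-idp.example.test</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0" IssueInstant="2021-01-01T00:00:05Z">
    <saml:Issuer>https://external-idp.example.test</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2021-01-01T00:00:04Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def translate_response(response_xml: str, groups: list[dict[str, str]]) -> str:
    """Apply the translation groups whose issuer and original class ref match."""
    root = ET.fromstring(response_xml)
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    for el in root.iter(f"{{{SAML}}}AuthnContextClassRef"):
        current = (el.text or "").strip()
        for group in groups:
            if group["issuer"] == issuer and group["from"] == current:
                el.text = group["to"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    wanted = requested_contexts(AUTHN_REQUEST)
    print("offered methods:", select_methods(AUTH_METHODS, wanted))
    print("translated class ref:", requested_contexts(translate_response(RESPONSE, TRANSLATION_GROUPS)))
```

In a real proxy the rewrite is applied when the proxy issues its own, freshly signed response to the service provider, after the external IdP's signature has been verified; editing a class ref inside an already signed assertion would invalidate that signature. The selection rule also deliberately ignores the Comparison attribute, which a complete implementation must honour.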
With Digital Access it is also possible to define authentication contexts used for signing. See Use authentication methods in Digital Access for signing over SAML.