

  1. The user clicks the federated login link (the link is provided in the invitation email).

  2. The user selects their IdP from the discovery service.

  3. The IdP receives a SAML authenticationRequest with 'Password', 'PasswordProtectedTransport', '', and '' set as the allowed/requested SAML authenticationContextClassRef values.

  4. The IdP optionally asks the user whether they want to authenticate with MFA.

  5. The SP/app receives a SAML assertion containing the user's ePPN.

  6. The SP/app looks up the user's invitation and determines whether the user is an RAO.

  7. If the user is an RAO, the SAML authenticationContextClassRef in the received assertion is checked.

  8. If the RAO user did not authenticate with MFA, they are sent back to the IdP with only '' set as the allowed/requested SAML authenticationContextClass (since the user was identified as an RAO). If the user is not an RAO, they are a DRAO and are logged in.
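The following is an added worked example of the SP side of steps 3 and 5-8, written here for illustration; it is not code from Sectigo Certificate Manager, InCommon, or any IdP. It builds the AuthnRequest with the requested context classes, extracts the ePPN and AuthnContextClassRef from a (constructed, unsigned) assertion, and applies the RAO/DRAO step-up decision. The two context-class values the page leaves blank are represented by one labelled placeholder constant (`AC_MFA`); the `Password` and `PasswordProtectedTransport` URIs and the ePPN attribute OID are the standard SAML 2.0 / eduPerson identifiers. Signature validation, InResponseTo checking, and the HTTP bindings are deliberately out of scope and must be handled by the real SP before any of these functions are trusted.

```python
"""Added example: RAO/DRAO MFA step-up decision over SAML XML (not the product's own code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard SAML 2.0 authentication context classes named in step 3.
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# PLACEHOLDER: the page elides the MFA context class; substitute the real URI.
AC_MFA = "urn:example:PLACEHOLDER-mfa-authn-context-class"
# Standard OID name of eduPersonPrincipalName (ePPN).
EPPN_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

FIRST_LOGIN_CLASSES = [AC_PASSWORD, AC_PPT, AC_MFA]  # step 3: any of these is acceptable
STEP_UP_CLASSES = [AC_MFA]                          # step 8: only MFA is acceptable


def build_authn_request(request_id, issuer, destination, classes, force_authn=False):
    """Serialise a samlp:AuthnRequest whose RequestedAuthnContext lists `classes`."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "Destination": destination,
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed timestamp
    })
    if force_authn:  # on the step-up round trip, do not let the IdP reuse the old session
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    for cls in classes:
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def requested_classes(authn_request_xml):
    """Return the AuthnContextClassRef values an AuthnRequest asks for (IdP-side view)."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text for e in root.findall(path, NS)]


@dataclass
class AssertionFacts:
    eppn: str
    authn_context: str


def parse_assertion(assertion_xml):
    """Pull ePPN and AuthnContextClassRef from an assertion the SP has ALREADY verified."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    eppn = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EPPN_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            eppn = value.text if value is not None else None
    if ctx is None or not ctx.text or not eppn:
        raise ValueError("assertion lacks AuthnContextClassRef or ePPN")
    return AssertionFacts(eppn=eppn, authn_context=ctx.text)


def next_step(facts, invitations, requested):
    """Steps 6-8. `invitations` maps ePPN -> "RAO" or "DRAO"; `requested` is what the SP asked for."""
    if facts.authn_context not in requested:
        return ("reject", "IdP returned a context class the SP did not request")
    role = invitations.get(facts.eppn)
    if role is None:
        return ("reject", "no invitation for this ePPN")
    if role == "RAO" and facts.authn_context != AC_MFA:
        return ("step_up", STEP_UP_CLASSES)  # send back to the IdP asking for MFA only
    return ("login", role)


def sample_assertion(eppn, authn_context):
    """Constructed, unsigned assertion used only to exercise the functions above."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://idp.example.edu/idp</saml:Issuer>'
        f'<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>'
        f'</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>'
        f'<saml:Attribute Name="{EPPN_ATTR}"><saml:AttributeValue>{eppn}</saml:AttributeValue>'
        f'</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    )


if __name__ == "__main__":
    invites = {"rao@example.edu": "RAO", "drao@example.edu": "DRAO"}  # constructed
    facts = parse_assertion(sample_assertion("rao@example.edu", AC_PPT))
    print(next_step(facts, invites, FIRST_LOGIN_CLASSES))  # RAO without MFA -> step_up
```

On the step-up round trip the SP should check the second assertion with the same `next_step` call, passing `STEP_UP_CLASSES` as `requested`, so that an assertion still carrying a password-only context is rejected rather than logged in.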


Sectigo Certificate Manager (SCM) SAML SP entityID (present in the InCommon metadata aggregate)