  1. User clicks federated login link.

  2. User selects IdP from discovery service.

  3. IdP receives SAML authenticationRequest with 'Password', 'PasswordProtectedTransport', '', and '' set as the allowed/requested SAML authenticationContextClassRef values.

  4. IdP optionally asks the user whether they want to authenticate with MFA.

  5. SP/app receives SAML assertion with user's ePPN.

  6. SP/app looks up user's invitation and determines if the user is an RAO.

  7. If the user is an RAO, then the SAML authenticationContextClassRef in the received assertion is checked.

  8. If the RAO user did not authenticate with MFA, they are sent back to the IdP with only '' set as the allowed/requested SAML authenticationContextClassRef (since the user was identified as an RAO). Otherwise, the user is a DRAO and they are logged in.
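
The SP-side decision in steps 5 to 8, as an added example that is not code from this page or from CCM. It assumes the assertion's signature has already been verified; the `MFA` URI, the `INVITATIONS` table, the function names and the "deny" branch for users without an invitation are hypothetical, and the sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Placeholder: the page does not show its MFA context value, so this URI is made up.
MFA = "urn:example:placeholder:mfa"
# Constructed invitation table (hypothetical): ePPN -> role.
INVITATIONS = {"alice@example.edu": "RAO", "bob@example.edu": "DRAO"}

def parse_assertion(xml_text):
    """Return (eppn, context) from an assertion whose signature was already verified."""
    root = ET.fromstring(xml_text)
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = ref.text.strip() if ref is not None and ref.text else None
    eppn = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") == EPPN_OID and val is not None and val.text:
            eppn = val.text.strip()
    return eppn, ctx

def decide(xml_text):
    """Steps 5-8: ('login', role), ('step_up', [contexts]) or ('deny', reason)."""
    eppn, ctx = parse_assertion(xml_text)
    role = INVITATIONS.get(eppn)
    if role is None:
        return ("deny", "no invitation")  # assumption: the page does not cover this case
    if role == "RAO" and ctx != MFA:
        # Exact match only: a missing or unrecognized context never counts as MFA.
        return ("step_up", [MFA])
    return ("login", role)

def sample(eppn, ctx):
    """Constructed, unsigned assertion fragment used only as demo input."""
    ctx_xml = f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>" if ctx else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AuthnStatement><saml:AuthnContext>{ctx_xml}</saml:AuthnContext>"
            "</saml:AuthnStatement><saml:AttributeStatement>"
            f'<saml:Attribute Name="{EPPN_OID}"><saml:AttributeValue>{eppn}'
            "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>")

if __name__ == "__main__":
    for who, ctx in [("alice@example.edu", PPT), ("alice@example.edu", MFA),
                     ("alice@example.edu", None), ("bob@example.edu", PPT)]:
        print(who, ctx, "->", decide(sample(who, ctx)))
```

Running `decide` again on the assertion that comes back after step-up means an IdP that ignores the requested context and returns a password-only assertion still does not get the RAO logged in.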

Comodo Certificate Manager (CCM) SAML SP


entityID  (present in the InCommon metadata aggregate)