...

SPs will rely on local policy to decide how to handle incoming IAQs.  For example, if the SP requires InCommon Bronze but receives InCommon Silver, that should be acceptable.  How is an SP supposed to "know" this?  Is there a role for InC to provide "advice"?

IdP behavior

Ideally IdPs will receive a desired IAQ from an SP in an AuthnRequest to initiate the process.  The IdP compares the requested IAQ to its matching rule and interacts with the local IdM system to determine if the current user meets the requirements.  If so, the appropriate IAQ is returned in the AuthnContext element in the assertion.

  • What matching rules are supported?
  • If the SP requests Bronze, is it allowable for the IdP to return Silver?  How does the IdP "know" the mapping?  Is there a role for InC to provide "advice"?
  • Is it possible and/or desirable for the IdP to return multiple IAQs? No, not using the AuthnContext element.
  • How does the Shib (or SSP) IdP interact with local IdM?  Is a custom login handler required?
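
The Bronze/Silver question above, worked through for the SAML 2.0 "exact" and "minimum" Comparison rules as an added example (not InCommon, Shibboleth or SSP code). The IAQ URIs, the Bronze < Silver ranking and the rule that a higher level also satisfies a lower one are assumptions standing in for local policy.

```python
# Added example, not InCommon or Shibboleth code.
# ASSUMPTIONS: the URIs, the Bronze < Silver ranking, and "a user who qualifies
# for a level also qualifies for every lower level" are illustrative local policy.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
RANK = {BRONZE: 1, SILVER: 2}


def idp_select(user_level, requested, comparison="exact"):
    """Return the single IAQ to place in AuthnContextClassRef, or None
    (the IdP would then answer with a NoAuthnContext status)."""
    if user_level not in RANK:
        return None  # user holds no ranked IAQ
    # Requested classes the IdP cannot rank cannot be compared; ignore them.
    known = [ref for ref in requested if ref in RANK]
    if comparison == "exact":
        # Requested classes are in preference order; return the first one met.
        for ref in known:
            if RANK[user_level] >= RANK[ref]:
                return ref
        return None
    if comparison == "minimum":
        # At least as strong as one requested class: assert the user's own level.
        if any(RANK[user_level] >= RANK[ref] for ref in known):
            return user_level
        return None
    raise ValueError("comparison not handled in this example: " + comparison)


def sp_accepts(received, required):
    """SP-side local policy: accept any ranked IAQ at or above the required one."""
    if received not in RANK or required not in RANK:
        return False  # fail closed on unknown values
    return RANK[received] >= RANK[required]
```

With a Silver user and a request for Bronze, "exact" yields Bronze and "minimum" yields Silver, so the SP must apply its own ranking to accept the second response.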

...