
SSO and multi-factor authentication

I'm interested in how the following scenario would be managed using SiteMinder and OpenSSO

Given two web applications, and mandated to use SSO across them. App A is a simple application that requires only a username / password combination. App B requires multi-factor authentication.

How should we manage the differing authentication levels across the two applications? Is there a way of expressing this in tools like SiteMinder, so a user can be assigned a "base authentication level" if they sign in to App A, but if they hit App B, they will be challenged for the second factor?

My instinct is that the second factors need to be managed at the SiteMinder level, because App B is sitting behind it, and from its perspective authentication is a binary decision that is mandated by the App Server / SSO manager: i.e. the application is "told" that users are authenticated or not.... App B won't have a handle on the level of authentication that the user has.

Does SiteMinder manage this idea of varying levels of authentication, is it something that can perhaps be expressed in SAML?

I would have thought this is a common pattern that arises, but I cannot seem to find any documents on configuration, best practices etc.

Thanks in advance,

Fintan


This is something SiteMinder could definitely do. Sometimes it is referred to as "step-up authentication" - which basically means authenticate the user with a stronger form of authentication when the need arises.

It should be controlled centrally by SiteMinder's policy engine. Other Web Access Management products have a similar approach.

SAML may come into play when you're talking about federating to applications outside of your domain. Within SAML you can specify an AuthnContext which indicates to the other party what authentication level is required/has been performed.


It seems the feature in SiteMinder to fulfill this requirement is the Protection Level assigned to each Realm. This can be used to simulate that extra level of authorization that depends on how / where you originally authenticated. At least this is how I'm designing our solution.

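A minimal model of the step-up decision both answers describe, added here as an example that is not code from the original thread nor from SiteMinder, OpenSSO or any SAML library: the SAML AuthnContextClassRef carried in a session's assertion is mapped to a numeric level and compared with the level each realm requires (the realm table, the class-to-level mapping and the sample assertion are constructed for this illustration).

```python
# Added example, not from the original post or from any SSO product: a toy
# step-up policy check. A session keeps the SAML AuthnContextClassRef it was
# established with; each realm carries a numeric level, a simplification of a
# SiteMinder-style per-realm Protection Level.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed ordering of standard SAML 2.0 authentication context classes.
CONTEXT_LEVEL = {
    AC + "PasswordProtectedTransport": 1,
    AC + "TLSClient": 2,
    AC + "MobileTwoFactorContract": 3,
    AC + "SmartcardPKI": 3,
}

# Constructed realm table: App A is password-only, App B requires a second factor.
REALMS = {"app-a": 1, "app-b": 3}


def authn_context_from_assertion(xml_text):
    """Return the AuthnContextClassRef from the assertion's AuthnStatement, or None."""
    root = ET.fromstring(xml_text)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ref = root.find(path, NS)
    return ref.text.strip() if ref is not None and ref.text else None


def session_level(context_ref):
    # An unknown or missing context class maps to 0, so it never satisfies a realm.
    return CONTEXT_LEVEL.get(context_ref, 0)


def access_decision(context_ref, realm):
    """'allow' if the session already meets the realm's level, otherwise 'step-up'.
    A session that authenticated strongly (e.g. MFA at App B) is also allowed into
    lower-level realms without being challenged again."""
    return "allow" if session_level(context_ref) >= REALMS[realm] else "step-up"


# Constructed sample assertion: a password-only login, as App A would produce.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2010-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```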
