Skip to content

Client Knows End User

Mike Varley edited this page Jul 31, 2020 · 2 revisions

The Client, AS, and End-User have had a previous exchange, and the Client wishes to gain further assurance or resource access from the End-User, without having to perform the entire authorization sequence again.

Example (1): As a Client-A I am related to another Client-B (same company but different departments). Client-A and Client-B want to have a SSO experience with the End-User. Client-A shares its login assertion from the AS with Client-B; Client-B presents the login assertion to the AS for its own authentication / resource access. The AS understands the relationship with Client-A and Client-B and provides Client-B with the desired tokens without the need for a user interaction.

Example (2): Client got a level-1 authentication assurance from the AS from the End-User, but through the course of the session now requires a level-2. The Client contacts the AS for the 'step-up' - the AS is able to contact the End-User out-of-band (SMS? Push Notification? Email? Batphone?) to get the additional assurance and responds to the Client, without the Client losing contact with the End-User.

Example (3): The Client will accept a Citizenship Card as proof of eligibility, or 2 utility bills with consistent information. The Client does not want access to all the information immediately (for security best practices, and maybe there is an associated $$ cost). The Client will only access Citizenship Card data if possible. In the event that the Citizenship Data does not qualify, the Client will request access to the secondary resources. The AS should be able to decide if a subsequent interaction with the End-User is necessary.

Similar to: