You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Given a user authenticated with password and email (or with an old IdP about to be decomissioned), you want to authenticate this user via a new SAML IdP in the future. This change of authentication is called binding.
The proposed Solution
What happens behind the scenes (on the protocol level, basic idea):
The user authenticates with her old credentials.
Now, she requests a SAML 'AuthnRequest' from the wire backend for the new IdP.
She jumps through the hoops of authenticating to wire with thew new IdP, but presenting the wire session cookie obtained in 1. in all requests to the wire backend.
Wire obtains the AuthnResponse from the new IdP together with the valid wire session cookie, and can therefore safely bind the user to the new IdP.
However, this needs integration testing against frontend(s) before it can be considered fully implemented, and there implementing this on any client is not scheduled at the time of writing this issue.
One client platform (eg., web) may be enough, since users are only required to use that platform once, for the actual binding process.
The text was updated successfully, but these errors were encountered:
The Problem
Given a user authenticated with password and email (or with an old IdP about to be decomissioned), you want to authenticate this user via a new SAML IdP in the future. This change of authentication is called binding.
The proposed Solution
What happens behind the scenes (on the protocol level, basic idea):
AuthnResponsefrom the new IdP together with the valid wire session cookie, and can therefore safely bind the user to the new IdP.Status
The backend part is implemented (see test suite).
However, this needs integration testing against frontend(s) before it can be considered fully implemented, and there implementing this on any client is not scheduled at the time of writing this issue.
One client platform (eg., web) may be enough, since users are only required to use that platform once, for the actual binding process.
The text was updated successfully, but these errors were encountered: