The authentication method determines how a user will authenticate. The most common example is username & password, but there are a number of possibilities, ranging from no authentication to a PIN code to biometric authentication.
The method used determines the strength of the authentication. It is also referred to as the Authentication Context.
- Display Name: name for the Authentication Method.
- SAML2 context provided by SP: This context reference is used to look up the authentication method if it is requested by the Service Provider (type: SAML2).
- OpenID context provided by SP: This context reference is used to look up the authentication method if it is requested by the Service Provider (type: OpenID Connect).
Below is a list of all identity providers. The administrator can enable the identity providers which offer this specific authentication context.
The Authentication Context Ref Class can be provided if the context reference deviates from the one that is provided by the Service Provider.
The administrator can define additional context parameters that must be met before the user can use this authentication method. For example, if a user is accessing from an external location, it may no longer be acceptable for them to proceed with a simple password. In this case, the "username & password" authentication method can be set to "deny."
It is recommended to use the "derived attributes" workflow to determine any context-specific parameters. Because the user is not yet authenticated, there are no user attributes available to validate. The workflow can be used to build a context from the header attributes (e.g. source IP address, device ID, previous attempts, ...).
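The context check described above, sketched in Python as an added example (this is not the product's workflow syntax or code). The proxy address, network ranges, attempt threshold, the use of the `X-Forwarded-For` header and the "allow" result are assumptions chosen for illustration; the point it shows is that a source IP taken from headers should only be believed when the request arrived through a proxy you control.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the product).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MAX_FAILED_ATTEMPTS = 3


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def client_ip(peer_addr, headers):
    """Return the client IP, or None if it cannot be determined reliably."""
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        # Direct connection: the header is client-controlled, so ignore it.
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    # Walk right to left: the first hop that is not one of our proxies
    # is the address our own proxy actually saw.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: treat the source as unknown
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return peer


def derive_context(peer_addr, headers, failed_attempts):
    """Build pre-authentication context; no user attributes exist yet."""
    ip = client_ip(peer_addr, headers)
    return {
        "external": ip is None or not _in_any(ip, INTERNAL_NETS),
        "too_many_failures": failed_attempts >= MAX_FAILED_ATTEMPTS,
    }


def password_method_decision(ctx):
    """Decision for the "username & password" method in this context."""
    if ctx["external"] or ctx["too_many_failures"]:
        return "deny"
    return "allow"
```

An unknown or unparsable source address is treated as external, so the check fails closed.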