Is there a way to set an Identity Server Role based on the authentication method or contract used?

I need to solve this scenario:

If a person is a staff member, do step-up authentication.

If a person is a student, use the default authentication.

My idea to solve this:

Write risk-based rules that test what method, or contract, was used at login time. If the contract was default form, then reauthenticate with an AA contract.

Or am I going about this the wrong way?

   David.

  • 0

    Hi

Depends on what you intend. If you want to do a step-up after initial authentication based on whether you are staff or student, then I would do a post-auth risk-based policy and use an LDAP attribute that identifies if you are staff or student, and based on that do an additional authentication.

You probably might have to set the priority on the contract you are using the risk policy in higher than the default contract, so staff don't get SSO from another protected resource.

I'm not sure that you can check what contract was used in a previous authentication and based on that do a step-up for a specific group.

But on the other hand, if the user has used the AA contract at first auth, then it will be SSO as long as the AA contract has the same priority and "Satisfiable by a contract of equal or higher level" is set in the risk-based contract.

    /Lennart
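To make the decision in the reply above concrete, here is an added Python model of the post-auth rule: read a group-membership attribute after the initial login, require the AA contract for staff only, and treat a contract of equal or higher level as satisfying it. This is illustration code, not NetIQ Access Manager's policy engine or anything from the thread; the contract names, the numeric levels and the group DN are assumptions, and contract priority ordering is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of the post-auth risk rule discussed in the thread. This is
# a toy model: the contract names, numeric levels and the group DN below are
# assumptions, not NetIQ Access Manager objects or its policy API.

STAFF_GROUP = "cn=staff,ou=groups,dc=example,dc=com"   # assumed group DN


@dataclass(frozen=True)
class Contract:
    name: str
    level: int   # assumed strength ranking: a higher level satisfies a lower one


DEFAULT_FORM = Contract("Name/Password - Form", 1)   # initial login contract (assumed name)
AA_CONTRACT = Contract("AA step-up", 2)              # additional-authentication contract (assumed name)


@dataclass
class Session:
    user_dn: str
    attributes: dict                                 # LDAP attributes read after login
    satisfied: list = field(default_factory=list)    # contracts run in this session so far


def is_staff(attributes: dict) -> bool:
    """Group-membership test the risk policy keys on (memberOf is multi-valued)."""
    return STAFF_GROUP in attributes.get("memberOf", [])


def required_contract(session: Session) -> Contract:
    """Staff must reach the AA contract; students stay on the default contract."""
    return AA_CONTRACT if is_staff(session.attributes) else DEFAULT_FORM


def step_up_needed(session: Session, equal_or_higher_ok: bool = True) -> Optional[Contract]:
    """Return the contract that still has to be run, or None if the session already satisfies it.

    equal_or_higher_ok models the contract setting "Satisfiable by a contract of
    equal or higher level": with it off, only the exact contract counts.
    """
    required = required_contract(session)
    for done in session.satisfied:
        if done.name == required.name:
            return None
        if equal_or_higher_ok and done.level >= required.level:
            return None
    return required


def login(session: Session, contract: Contract) -> Optional[Contract]:
    """Simulate one authentication with `contract`, then run the post-auth risk evaluation."""
    session.satisfied.append(contract)
    return step_up_needed(session)


if __name__ == "__main__":
    staff = Session("cn=alice,ou=people,dc=example,dc=com", {"memberOf": [STAFF_GROUP]})
    print(login(staff, DEFAULT_FORM))   # AA step-up still required after the form login
    print(login(staff, AA_CONTRACT))    # None: the AA contract is now satisfied
    student = Session("cn=bob,ou=people,dc=example,dc=com",
                      {"memberOf": ["cn=students,ou=groups,dc=example,dc=com"]})
    print(login(student, DEFAULT_FORM)) # None: students stay on the default contract
```

The last case in the script is the SSO point from the reply: a staff member who authenticates with the AA contract first is never asked to step up, because the satisfied contract already meets the required level.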

  • 0

    Thank you, using the group membership LDAP attribute worked.