Question

I have a couple of identity providers that require some info set from the end user to be entered for authentication.

When the user clicks an 'Authenticate with ...' button on the Service Provider web page, he gets redirected with a SAML AuthnRequest to the chosen identity provider.

Then the Identity Provider shows a web page where it asks the user to submit a form with some fields, for example: Firstname, Lastname, Address, and then checks if the person really lives at that address.

If the check succeeds, a SAML response is returned with status Success, and Firstname, Lastname, Address are returned as attributes.

If the check fails, a SAML response is returned with status AuthnFailed, carrying the same attributes.

My question is whether this is a correct usage of SAML or not.

How should I properly configure it to ask for authentication every time (no session with identity provider should be established)?


Solution

You are essentially correct and it is a valid use case. However, if Auth fails at the IDP, you will get a SAMLResponse message with a "failed" status (probably "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed") and no user information is returned (since Auth failed).

In the AuthnRequest your SP generates, you can set the optional ForceAuthn="true" attribute. If it is supported by the IDP and set to "true", "the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met." (from Sect 3.4.1 Element <AuthnRequest> in the SAML 2.0 Core spec).

HTH - Ian
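As an added example (not part of the question or Ian's answer), the following Python shows the two points of the answer in code: an SP-side AuthnRequest carrying ForceAuthn="true" (and refusing the ForceAuthn + IsPassive combination the spec says the IdP must not honour), and a Response handler that checks the top-level StatusCode before reading any attributes, so an AuthnFailed response is treated as "not authenticated" even if the IdP echoed form fields back. Only the standard library is used; the entity IDs, URLs and the sample Response are constructed placeholders, and signature verification (which a real SP must perform before trusting a Response) is assumed to happen elsewhere.

```python
"""Added example: SAML 2.0 AuthnRequest with ForceAuthn, and status-first Response handling.
Entity IDs, URLs and the sample Response below are constructed placeholders."""
import datetime
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        force_authn=True, is_passive=False, now=None):
    """Return an AuthnRequest as an XML string.

    ForceAuthn="true" tells the IdP to re-authenticate the user on every
    request instead of reusing an existing IdP session (SAML Core 3.4.1)."""
    if force_authn and is_passive:
        # Per SAML Core 3.4.1 the IdP MUST NOT freshly authenticate when both are
        # "true", so sending both would silently defeat the ForceAuthn intent.
        raise ValueError("ForceAuthn and IsPassive must not both be true")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        # xs:ID values must not start with a digit, hence the leading underscore
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
        "IsPassive": "true" if is_passive else "false",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def process_response(response_xml):
    """Return (status_code, attributes).

    Attributes are read only when the top-level status is Success. On any
    other status the SP must treat the user as unauthenticated, even if the
    IdP included an AttributeStatement in the failed Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code_el = root.find("samlp:Status/samlp:StatusCode", NS)
    if code_el is None:
        raise ValueError("Response has no StatusCode")
    status = code_el.get("Value")
    if status != STATUS_SUCCESS:
        return status, {}
    attrs = {}
    for attr in root.findall(
            "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return status, attrs


def sample_response(status_code):
    """Constructed (unsigned) Response mirroring the question: the IdP returns
    the submitted form fields as attributes regardless of the status."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="Firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_authn_request("https://sp.example.test/metadata",
                              "https://sp.example.test/acs",
                              "https://idp.example.test/sso"))
    print(process_response(sample_response(STATUS_SUCCESS)))
    print(process_response(sample_response(STATUS_AUTHN_FAILED)))
```

Because the IdP answers an AuthnFailed check with the same attributes it would return on success, the only safe SP-side rule is the one shown: branch on StatusCode first, and never let attribute presence stand in for a Success status.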

Licensed under: CC-BY-SA with attribution