author: Mikaël Ates <mikael.ates@gmail.com> 2012-04-19 15:44:30 (GMT)
committer: Mikaël Ates <mikael.ates@gmail.com> 2012-04-19 15:46:48 (GMT)
commit: 2cf3fbb26cf08312e978db630a75f24d44753004 (patch)
tree: 9388b0c57fcc7352153dbd21fe38c0c3b15d17a3 /doc
parent: 49f03a339e2ce09a97b557c3d67947f6aa9395fa (diff)
[doc] Authentic 2 SAML2 SP, how a transient nameID can be handled.
Diffstat (limited to 'doc')
-rw-r--r-- doc/config_saml2_idp.rst | 39
-rw-r--r-- doc/config_saml2_sp.rst  |  4
2 files changed, 38 insertions, 5 deletions
diff --git a/doc/config_saml2_idp.rst b/doc/config_saml2_idp.rst
index da8e7b1..0d8a6d6 100644
--- a/doc/config_saml2_idp.rst
+++ b/doc/config_saml2_idp.rst
@@ -61,11 +61,11 @@ See below about configuring the identity provider with policies:
:width: 800 px
:align: center
-Configure the SAML2 identity provider options
----------------------------------------------
+Apply a SAML2 identity provider options policy
+----------------------------------------------
The SAML2 options of the identity provider are configured using idp options
-policies.
+policies. For the explanation of the options see the following section.
See the *administration with policy principle* page :ref:`administration_with_policies`.
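Review bot: the new title "Apply a SAML2 identity provider options policy" is 46 characters against 45 for the title it replaces, so the reStructuredText underline on the `+---` line must gain one dash as well; an underline shorter than its title makes docutils report "Title underline too short". The added sentence "For the explanation of the options see the following section." relies on position only, while the page already links with `:ref:` to `administration_with_policies`; giving the new "SAML2 identity provider options explained" heading a label and using a `:ref:` here keeps the pointer valid if sections are reordered.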
@@ -111,6 +111,39 @@ initiated.
:width: 800 px
:align: center
+SAML2 identity provider options explained
+-----------------------------------------
+
+Behavior with persistent nameID
+_______________________________
+
+This option applies when an assertion with a persistent nameID is received and
+the nameID is not recognized as an existing federation.
+
+Two values are possible: "Create new account" and "Account linking by authentication".
+
+The value "Create new account" makes Authentic 2 create a user account associated
+to the nameID received.
+
+The value "Account linking by authentication" makes Authentic 2 ask the user to
+authenticate with an existing account to associate the nameID to this account.
+
+Behavior with transient nameID
+_______________________________
+
+This option applies when an assertion with a transient nameID is received and
+there isn't a session opened for the user yet.
+
+Two values are possible: "Open a session" and "Ask authentication".
+
+The value "Open a session" makes Authentic 2 open a session.
+
+The value "Ask authentication" makes Authentic 2 ask for a user authentication,
+even when a valid assertion is received. That may have sense for instance if
+the SSO login is used only to receive signed attributes for users with existing
+accounts.
+
+
How to refresh the metadata of an identity provider hosted at a Well-Known Location?
====================================================================================
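Review bot: the transient nameID section leaves "Open a session" underspecified in the one place a deployer needs precision: a transient nameID identifies the subject only for that exchange and cannot be matched to an existing federation the way a persistent nameID can, so the text should say which local identity the session is bound to, whether anything created for it survives logout, and that no account linking is possible (which is the reason the "Ask authentication" value exists). The persistent nameID section should likewise make the trust consequence explicit: "Create new account" provisions a local account on the strength of the remote identity provider's assertion alone, so it is only appropriate when that provider is trusted for provisioning, and "Account linking by authentication" should state that the federation is stored only once the local authentication succeeds. Minor: "That may have sense" should read "That may make sense", and there are two consecutive blank `+` lines before the next heading where one would do.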
diff --git a/doc/config_saml2_sp.rst b/doc/config_saml2_sp.rst
index f0c2079..166d6ee 100644
--- a/doc/config_saml2_sp.rst
+++ b/doc/config_saml2_sp.rst
@@ -57,8 +57,8 @@ See below about configuring the service provider with policies:
:width: 800 px
:align: center
-Configure the SAML2 service provider options
---------------------------------------------
+Apply a SAML2 service provider options policy
+---------------------------------------------
The SAML2 options of the service provider are configured using sp options
policies.
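Review bot: same underline check as in the identity provider file: "Apply a SAML2 service provider options policy" is 45 characters against 44 for the old title, so the `+---` underline must be extended by one or docutils reports "Title underline too short". Unlike the identity provider page, the sentence that follows ("configured using sp options policies.") gets no pointer to where the sp options are explained; if a matching "options explained" section exists for the service provider, a `:ref:` to it here would keep the two pages parallel.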