On 12/03/2014 14:13, Stefan Paetow wrote:
> If IdP1 defers authentication to another server behind it (i.e. IdP2,
> which is not part of the trust router network), would that be
> acceptable to the COI? That would again be a policy decision,
> wouldn't it?

Subcontracting is the responsibility of IDP1 and it will be 100% liable
for any actions of IDP2. No-one need know that it is actually happening
since messages are not signed by IDP2. Unless the COI agreement
specifically says that subcontracting is not allowed then IDP1 is free
to behave however it wants in relation to user authn, as long as it
abides by the COI agreement.

regards
David