A principal can be authenticated to IdP not only by a standard schema (see the Authentication in IdP section), but by a delegation rule. Practically, the rule is a right to be authenticated on condition that a specific principal has already been authenticated.
Say, principal B has delegated authentication to principal A. Now if A is authenticated, then B is considered to be authenticated too. The delegation rule is presented schematically in the following way: A->B. An SP is allowed to add or remove A->B rules only if B is a local account at this SP.
Note: Since operations performed via the interface are subject to change, they are not described in details.
Previous page
Next page
Locate page