IBM Security Verify


How to implement an OTP validation with IDP

  • 1.  How to implement an OTP validation with IDP

    Posted Thu October 19, 2023 08:26 AM

    Background:

    I have a WebSphere Portal application and we have implemented bookmark-style SSO (single sign-on) initiated from the service provider (the application). The implementation is done by configuring a Trust Association Interceptor in WebSphere Portal Server. We have developed a custom module which implements com.ibm.wsspi.security.web.saml.AuthnRequestProvider. The custom module creates a SAML request which is sent to the IdP (identity provider) and, upon validating the request, the IdP presents the user with the login page and sends back the SAML response to the single sign-on ACS URL specified in the TAI config.

    Requirement:

    We are trying to implement an on-demand step-up (OTP validation with the IdP) for a logged-in user, only when the user tries to perform certain transactions in the application, such as changing the address of an applicant.

    Can you please guide me on what would be the best way to achieve this? How can I initiate a SAML flow for this? The IdP requires us to send a SAML request which would indicate an OTP validation request. Where should the IdP send back the SAML response after OTP validation? In the SSO flow it uses an ACS URL to send the response.



    ------------------------------
    Ratnesh Ojha
    ------------------------------
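As an added illustration (not part of the post above, and not IBM's or the asker's code), the shape of the SAML AuthnRequest a step-up flow typically sends: ForceAuthn="true" so the IdP does not reuse its existing session, a RequestedAuthnContext naming the OTP context, and the same ACS URL as the SSO flow as the place the IdP posts the response to. The entity IDs, URLs and the OTP class URN below are assumed placeholders (the URN a given IdP honours comes from that IdP); the sample Response is constructed, not captured. It also shows the check the application should run on the returned assertion before allowing the sensitive transaction.

```python
import base64, zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"
# Assumed placeholders; the real values come from SP/IdP metadata and the TAI config.
SP_ENTITY_ID = "https://portal.example.com/sp"
ACS_URL = "https://portal.example.com/samlsps/acs"      # same ACS URL as the SSO flow
IDP_SSO_URL = "https://idp.example.com/saml/sso"
# IdP-specific OTP context; TimeSyncToken is a standard SAML AC class (assumed here).
OTP_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

def build_stepup_authn_request(request_id):
    """AuthnRequest that forces re-authentication and asks for the OTP context."""
    ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "Destination": IDP_SSO_URL,
        "IssueInstant": datetime.now(timezone.utc).strftime(TS),
        "AssertionConsumerServiceURL": ACS_URL,   # where the IdP posts the response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true"})                    # the existing IdP session is not enough
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = OTP_CLASS
    return ET.tostring(req, encoding="unicode")

def redirect_binding_param(xml_text):
    """SAMLRequest query value for the HTTP-Redirect binding: raw DEFLATE, then base64."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    return base64.b64encode(z.compress(xml_text.encode()) + z.flush()).decode()

def stepup_satisfied(response_xml, request_id, max_age_s=120):
    """Gate the transaction on what the assertion says, not on a response merely
    arriving. Signature/audience/Conditions checks are assumed done by the TAI."""
    root = ET.fromstring(response_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if root.get("InResponseTo") != request_id or stmt is None:
        return False                              # must answer *this* step-up request
    if stmt.findtext(f".//{{{SAML}}}AuthnContextClassRef") != OTP_CLASS:
        return False                              # IdP fell back to password-only
    instant = datetime.strptime(stmt.get("AuthnInstant"), TS).replace(tzinfo=timezone.utc)
    age = (datetime.now(timezone.utc) - instant).total_seconds()
    return -30 <= age <= max_age_s                # small skew allowance; reject stale ones

def sample_response(request_id, class_ref, age_s=0):   # constructed, minimal Response
    instant = (datetime.now(timezone.utc) - timedelta(seconds=age_s)).strftime(TS)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'InResponseTo="{request_id}"><saml:Assertion><saml:AuthnStatement '
            f'AuthnInstant="{instant}"><saml:AuthnContext><saml:AuthnContextClassRef>'
            f'{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion></samlp:Response>')
```

Keep the request ID server-side with the pending transaction so the InResponseTo check ties the OTP assertion to that specific operation rather than to the session as a whole.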