Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual page 211

This option should be enabled only when you know the identity provider is available 99.999% of the time or when the service provider is dependent upon this identity provider for authentication.

5. Click OK twice, then update the Identity Server.
Understanding Comparison Contexts

When a service provider makes a request for an identity provider to authenticate a user, the authentication request can contain a class or type and a comparison context. The identity provider uses these to determine which authentication procedure to execute. There are four comparison contexts:
Exact: Indicates that the class or type specified in the authentication statement must be an exact match to at least one contract.

For example, when the comparison context is set to exact, the identity provider uses the URI in the request to find an authentication procedure. If an exact URI match is found, the user is prompted for the appropriate credentials. If an exact match is not found, the user is denied access.
Better: Indicates that the contract must be stronger than the class or type specified in the authentication statement.

If the identity provider is a Novell Identity Server, the Identity Server first finds the specified class or type and its assigned authentication level. It then uses this information to find a contract that matches the conditions. For example, if the authentication level is set to 1 for the class or type, the identity provider looks for a contract with an authentication level that is higher than 1. If one is found, the user is prompted for the appropriate credentials. If more than one is found, the user is presented with the matching cards and is allowed to select the contract. If a match is not found, the user is denied access.
Minimum: Indicates that the contract must be at least as strong as the class or type specified in the authentication statement.

If the identity provider is a Novell Identity Server, the Identity Server first finds the specified class or type and its assigned authentication level. It then uses this information to find a contract that matches the conditions. For example, if the authentication level is set to 1 for the class or type, the identity provider looks for a contract with an authentication level of 1 or higher. If one is found, the user is prompted for the appropriate credentials. If more than one is found, the user is presented with the matching cards and is allowed to select the contract. If a match is not found, the user is denied access.
Maximum: Indicates that the contract must be as strong as possible without exceeding the strength of at least one of the authentication contexts specified.

If the identity provider is a Novell Identity Server, the Identity Server first finds the specified classes or types and their assigned authentication levels. It then uses this information to find a contract that matches the conditions. For example, if the authentication level is set to 1 for some types and 3 for other types, the identity provider looks for contracts with an authentication level of 3. If a match or matches are found, the user is presented with the appropriate login prompts. If there are no contracts defined with an authentication level of 3, the identity provider looks for a match with an authentication level of 2, or if necessary, level 1. It cannot search below the lowest level of a class in the authentication request or higher than the highest level of a class in the authentication request.
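The following is an added worked model of the four comparison contexts as described above; it is illustrative code, not part of the Novell product. The class URIs, contract URIs and authentication levels are constructed sample values, and the treatment of a multi-class request under Better and Minimum (using the lowest requested level) is an assumption, since the text describes only the single-class case.

```python
from typing import Dict, List

# Constructed sample data. Classes/types named in a request and the
# identity provider's contracts each carry an assigned authentication level.
CLASS_LEVELS: Dict[str, int] = {
    "urn:example:ac:password": 1,
    "urn:example:ac:password-protected-transport": 2,
    "urn:example:ac:x509": 3,
}
CONTRACTS: Dict[str, int] = dict(CLASS_LEVELS)


def select_contracts(requested: List[str], comparison: str,
                     contracts: Dict[str, int] = CONTRACTS,
                     class_levels: Dict[str, int] = CLASS_LEVELS) -> List[str]:
    """Return the contract URIs the identity provider would offer.

    [] means no match (the user is denied access); several entries mean the
    user is shown the matching cards and selects one."""
    if comparison == "exact":
        # Exact: the requested URI itself must name an existing contract.
        return sorted(u for u in requested if u in contracts)

    # Resolve each requested class/type to its assigned level first.
    levels = [class_levels[u] for u in requested if u in class_levels]
    if not levels:
        return []
    lo, hi = min(levels), max(levels)

    if comparison == "better":
        # Strictly stronger than the requested class (assumption: lowest
        # requested level when several classes are named).
        return sorted(u for u, lvl in contracts.items() if lvl > lo)
    if comparison == "minimum":
        # At least as strong as the requested class.
        return sorted(u for u, lvl in contracts.items() if lvl >= lo)
    if comparison == "maximum":
        # Strongest first, stepping down one level at a time, but never below
        # the lowest or above the highest level named in the request.
        for level in range(hi, lo - 1, -1):
            found = sorted(u for u, lvl in contracts.items() if lvl == level)
            if found:
                return found
        return []
    raise ValueError(f"unknown comparison context: {comparison}")
```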
Configuring SAML and Liberty Trusted Providers 211
