Skip to main content

SAML Authentication Methods Overview

  • Updated

***This feature is only available with Authenticator versions 2.108.0 or higher.***

 

The SAML Authentication Methods feature enriches each SAML response in the Secure Work admin console with concise information about how a user authenticated.

This metadata gives identity providers and relying parties visibility into authentication strength and context, enabling better policy decisions, auditing, and adaptive security.


Benefits

  • The feature aligns with Beyond Identity’s model of flows, factors, and methods.
  • It enables downstream systems to reason about authentication strength.
  • It lays groundwork for risk-based and adaptive authentication policies in SAML integrations.
     

What It Does

When a user authenticates through a SAML transaction, the system collects a set of indicators describing the authentication methods used during that session.

These indicators are inserted into the SAML response under a new authentication_methods field.

This data includes information such as:

  • Whether authentication occurred through biometrics, a PIN, a hardware or software key, or a roaming authenticator.
     
  • Whether the authentication was local or delegated to a trusted device.
     
  • Whether additional evidence, like device posture, geolocation, or risk signals was part of the policy evaluation.
     

This information is non-sensitive and privacy-preserving, but gives the relying party meaningful context on how strong or reliable the authentication was.

 

Why It Matters

Previously, SAML transactions didn’t expose authentication detail beyond basic success or failure.
With this feature, admins and identity systems can now:

  • Enforce adaptive policies: for example, reject logins that used a simple PIN when biometrics are available.
     
  • Strengthen compliance visibility: by capturing which factors (biometric, possession, knowledge) were used at authentication time.
     
  • Integrate with risk engines: to assign different trust levels based on authentication strength or device context.
     
  • Support auditing: with richer event data for forensic and compliance reporting.

     

Relationship to Authentication Concepts

Authentication Flows

Describe the interaction path used to complete authentication, for example:

  • Platform authentication: user verifies directly on their device.
  • Roaming authentication: authentication occurs on a trusted secondary device (for example, mobile phone).
  • Layered authentication: the flow falls back to roaming when local authentication fails.
     

Authentication Factors

Represent the type of evidence used to prove identity:

  • Knowledge: something you know (e.g., PIN, password).
  • Possession: something you have (e.g., YubiKey, registered device).
  • Inherence: something you are (e.g., fingerprint, face ID).
  • Optional contextual factors: location and behavioral evidence.
     

Authentication Methods

Identify the specific mechanism that provides one or more factors.
Examples include:

Method Description Factor
bi-bio Biometric verification (fingerprint, facial recognition) Inherence
pin PIN or pattern verification Knowledge
hwk Hardware-secured key Possession
swk Software-secured key Possession
bi-roam Roaming authenticator used (trusted device) Possession
bi-os User's device OS verification was performed Possession
mfa Multiple-factor authentication (combined) Multiple

These correspond to standard method codes defined in RFC 8176, extended with Beyond Identity’s platform-specific values.


How It Works

  1. The user authenticates using their normal Beyond Identity flow (platform, roaming, or layered).
  2. The Platform Authenticator collects authentication metadata such as method, factor, and context.
  3. That metadata is embedded into the SAML response as a structured element.
  4. The identity provider or relying party can parse these attributes to determine authentication strength.
     

Where It Appears

  • Policy Event logs now contain an authentication_methods field listing these values.
  • Authentication Event logs also show the methods detected.
  • Example values may appear in the Activity logs section as: "authentication_methods": ["hwk", "bio", "bi-roam"]
SMAL Auth Methods.png


Use Cases

  • Policy enforcement: Require biometrics when available; fall back to roaming otherwise.
  • Audit logging: Track which authentication factors are in use across the organization.
  • Security analytics: Integrate event logs with SIEM or analytics tools for risk-based insights.

     

Related articles

Comments

0 comments

Article is closed for comments.