Description
An IDP will be unable to assert to an SP a particular identity for a user if that user authenticates to the IDP
using a credential known to be shared with other users. If the credential by which a user authenticates
does not uniquely identify them (e.g. a phone at home, access to a workstation, PPPoE authentication
etc) then the IDP will be unable to assert anything beyond the fact that the user was one of the set of
individuals that shared that credential. An SP may deem such an assertion as insufficient for enabling
access to resources associated with a particular individual identity and so may request of the IDP an
assertion characterized by a credential unique to that individual.