...
The authentication statement is identical to the original SSO assertion, because it reflects the user's authentication to the IdP, and not any subsequent proxyingdelegation.
This final assertion in the chain includes a special condition that identifies the delegate, the Portal, as a transited service between the original client (the browser) and the WSP. If the Portlet is made distinct from the Portal, then the Portlet's entityID would be appended to that condition.
...