
saml-dev message



Subject: RE: [saml-dev] Authentication on IDP.




Giuseppe Sarno wrote on 11/4/2005, 8:44 AM:

Now SAML seems not to define levels but rather types or classes of authentication mechanism.
SAML, though, allows cases where an SP can use the words "better", "stronger", etc., but if I have understood right,
the fact that a class is better or stronger than another is not part of the spec and is implementation-specific at the IdP.

Is this right?

That is correct, although common sense will dictate fairly common decisions along those lines for some cases (for example, most people would say PasswordProtectedTransport is "stronger" than Password); it is clearly up to interpretation in many cases. We expect that the agreements used to establish a circle of trust that supports multiple authentication contexts will describe the relative comparisons of those contexts.

I personally believe that most implementations will either a) use specific authentication contexts rather than using the comparison operators (very common in enterprise & B2B scenarios) or b) (especially in the ecommerce world) will use a comparison on a single common class (such as "stronger" than PasswordProtectedTransport -- where the SPs want the user to have done something stronger than just a password, but they're OK with whatever the IdP has with the user that is stronger).

Conor
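As an added example (not code from the thread or from any SAML implementation), here is how an IdP or SP could apply the four SAML 2.0 Comparison values, "exact", "minimum", "maximum" and "better", against a deployment-chosen ordering of classes; the ORDERING table is an assumed circle-of-trust policy, since, as the reply says, the spec itself ranks nothing:

```python
"""SAML 2.0 RequestedAuthnContext evaluation under a deployment-chosen ordering.

Added example, not code from the thread. The SAML class URIs and the
Comparison values (exact, minimum, maximum, better) are from SAML 2.0 Core;
ORDERING is a constructed circle-of-trust policy, since the spec itself
does not rank classes (the point made in the reply above)."""

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed policy: a higher index means "stronger" in THIS federation only.
ORDERING = [
    AC + "Password",
    AC + "PasswordProtectedTransport",
    AC + "TLSClient",
    AC + "X509",
    AC + "SmartcardPKI",
]


def rank(class_ref):
    """Position of a class in the local ordering, or None if the policy
    does not rank it (fail closed rather than guess)."""
    return ORDERING.index(class_ref) if class_ref in ORDERING else None


def satisfies(comparison, requested, actual):
    """Does the context `actual` (what the IdP did) meet the SP's
    RequestedAuthnContext with the given Comparison over `requested`?

    'exact' needs no ordering at all, which is why pinning specific classes
    (option a in the reply) sidesteps the ranking question entirely."""
    if comparison == "exact":
        return actual in requested
    ranks = [rank(r) for r in requested] + [rank(actual)]
    if None in ranks:          # unranked class: the policy cannot compare it
        return False
    *req, act = ranks
    if comparison == "minimum":   # at least as strong as one of the requested
        return act >= min(req)
    if comparison == "maximum":   # not stronger than at least one requested
        return act <= max(req)
    if comparison == "better":    # strictly stronger than every requested class
        return act > max(req)
    raise ValueError(f"unknown Comparison value: {comparison}")


if __name__ == "__main__":
    ppt = AC + "PasswordProtectedTransport"
    # The ecommerce case from the reply: "better than PasswordProtectedTransport".
    print(satisfies("better", [ppt], AC + "Password"))     # False
    print(satisfies("better", [ppt], AC + "X509"))         # True
```

A class the local policy has not ranked (Kerberos in the test below) fails every ordered comparison but still matches under "exact", which is the safe default when two federations disagree on relative strength.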

