RE: [saml-dev] when in doubt, read the spec...

["Scott Cantor" <cantor.2@osu.edu>]

> all due respect, but isn't "the bypass of an authentication step" 
> the whole purpose of SSO by definition? surely, that's what the 
> "single" refers to in "SSO". no?

No, it refers to the lack of user-visible intervention to get authenticated.
You "sign-on" visibly once, but each time you interact with an IdP or an SP,
I consider you to be authenticating. At the IdP, it might be with a cookie
(a bearer token), while at the SP, it's via a SAML assertion (also a bearer
token).

Authentication is fundamentally the translation of one credential into
another. AFAIC, anything that meets that criteria is an authn act.

> i hate to be pedantic, but does the saml spec refer to an 
> assertion as a credential?

Whether it does or not, if a relying party accepts one as a means of
authenticating a user, it is one to that party.

> the spec. if thinking of an assertion as an authentication makes 
> it easier for folks to understand saml, then far be it for me to 
> try to correct them.

I think the world is complicated enough without trying to carve out things
that are clearly authentication acts and come up with a new name for them.

If you look at Kerberos, I can't believe that somebody wouldn't consider the
presentation of a service ticket with a (wait for it...) "authenticator" to
be  authentication. And using SAML is no different. In both cases, you start
with something else (eg. a password) but you don't use that credential later
to authenticate to a service, you use the thing you got in exchange.

Each point of contact has its own authn protocol to be concerned about.

-- Scott