|
A service provider can ask an
authority one of these questions:
- Have you
authenticated this ____ subject?
I tend to prefer
to more simply say "hey, who is this guy?" (yean not the most politically
correct way to say it).
Although more accurately it is "Hey, can you tell me who is
this person and, if so, how you authenticated them and, btw,
I would prefer that you make sure that they have been authenticated this
way and, btw, I (the SP) would/wouldn't prefer that you interact with
the user in order to possibly get an answer to this question" (yeah, a bit
more complex, hence I like the "who is this guy").
Of course there's
also:
-
Hey, can you
reauthenticate this guy right now
-
Hey can you
authenticate this guy in this (presumably) "stronger" way (e.g. the user was
authenticated with a username/password and the SP asks for the user to be
authenticated with a smartcard or, perhaps, even simply "something
stronger than a username/password"
An authority can make
these statements (assertions):
- This ____ subject
was authenticated on this ____ datetime, using this ____
mechanism.
"mechanism" can
be more than just "how you authenticated" but also include some of the policy
descriptions behind the mechanism (such as required password length, password
"entropy", etc.).
Also, while SAML
does still have remnamts of authorization decisions, I think the preference
moving foward is to use XACML statements within a SAML
assertion.
Conor
|