saml-dev message

Subject: Re: [saml-dev] AuthnContext for WebSSO

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Peter Major <peter.major@forgerock.com>, "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Date: Fri, 17 Jul 2015 19:43:17 +0000

On 7/17/15, 3:39 PM, "Peter Major" <peter.major@forgerock.com> wrote:
>
>OpenAM by default always sends the RequestedAuthnContext, yes

It really should not. That's a bad default.

>Personally I find AuthnContexts a bit awkward though... You can request
>minimum PPT, and then that will allow the IdP to choose something 
>better, but at the end of the day it will be up to the SP to decide 
>whether the received AuthnContext is actually acceptable (which then 
>means that SP needs to have the same kind of "strength ordering" as the 
>IdP)..

Yes, which is why it's not a default sort of behavior, it's something used only when the appropriate circumstances exist for it to work.

-- Scott

References:
- AuthnContext for WebSSO
  - From: prabhat chaturvedi <chaturvedi.prabhat@gmail.com>
- Re: [saml-dev] AuthnContext for WebSSO
  - From: "Cantor, Scott" <cantor.2@osu.edu>
- Re: [saml-dev] AuthnContext for WebSSO
  - From: prabhat chaturvedi <chaturvedi.prabhat@gmail.com>
- Re: [saml-dev] AuthnContext for WebSSO
  - From: Peter Major <peter.major@forgerock.com>