

Subject: RE: [security-services] Possible resolution to AI 282, AuthnContextDecl and AuthnContextDeclRef Confusion



Personally, I think that if the SP does not provide a required AuthnContext in
the AuthnRequest, they are saying "I'll take anything that the IdP is willing to
give me".

Of course, in some COTs there may be out-of-band agreements that list the
possible AuthnContexts that will be used by an IdP and thus there can be these
out-of-band negotiations.  I'm just saying that the lack of a context in a
request doesn't necessarily mean that there was one.

For example, many blog sites, when authenticating a user trying to leave a
comment, would likely not specify an AuthnContext and take whatever they got
from an IdP.

Conor

> -----Original Message-----
> From: Eric Tiffany [mailto:eric@projectliberty.org]
> Sent: Tuesday, July 31, 2007 11:37 AM
> To: 'SSTC (E-mail)'
> Subject: [security-services] Possible resolution to AI 282,
> AuthnContextDecl and AuthnContextDeclRef Confusion
> 
> After revisiting this issue, I don't think that any changes to the text in
> SAML Core (or other specs) are warranted.
> 
> I think there is a need, somewhere, to offer some guidance regarding
> interoperability issues, particularly in the case where the AuthnRequest
> does not contain a RequestedAuthnContext.  However, I am somewhat at a loss
> to identify the appropriate location.  If the proper location were to be
> found, the text to be inserted there would be something like:
> 
> "Note that interoperability may depend on out-of-band negotiation between
> identity providers and service providers regarding acceptable Authentication
> Context declarations or references.  This may be especially true in cases
> where the <saml:AuthnRequest> issued by a service provider does not contain
> a <saml:RequestedAuthnContext> element."
> 
> ET
> --
> ____________________________________________________
> Eric  Tiffany             |  eric@projectliberty.org
> Interop Tech  Lead        |  +1 413-458-3743
> Liberty Alliance          |  +1 413-627-1778 mobile
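An SP-side illustration of the point argued in this thread, added here as example code that is not part of the original message and not taken from any SAML implementation. Element names and namespaces follow SAML 2.0 Core; the sample AuthnRequest and Response messages are constructed and stripped of signatures, Issuer and Subject, and `sp_accepts` with its optional COT allow-list is an assumed policy hook standing in for the out-of-band agreement Conor describes.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # AuthnRequest, RequestedAuthnContext
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # Assertion, AuthnContextClassRef
PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def requested_classes(authn_request_xml):
    """Class refs the SP asked for; None when the request has no RequestedAuthnContext."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("{%s}RequestedAuthnContext" % SAMLP)
    if rac is None:
        return None
    return [e.text.strip() for e in rac.findall("{%s}AuthnContextClassRef" % SAML) if e.text]

def asserted_class(response_xml):
    """Class ref the IdP actually asserted, or None if the assertion carries none."""
    ref = ET.fromstring(response_xml).find(".//{%s}AuthnContextClassRef" % SAML)
    return ref.text.strip() if ref is not None and ref.text else None

def sp_accepts(requested, asserted, cot_allowlist=None):
    """Assumed SP policy, Comparison="exact" (the SAML Core default). requested None
    means the SP asked for nothing: with no out-of-band (COT) allow-list it takes
    whatever the IdP gives, with one the COT agreement decides. No context: reject."""
    if asserted is None:
        return False
    if requested is None:
        return True if cot_allowlist is None else asserted in cot_allowlist
    return asserted in requested

# Constructed sample messages (signatures, Issuer, Subject, timestamps omitted).
REQ_OPEN = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_r1" Version="2.0"/>' % SAMLP
REQ_PPT = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r2" Version="2.0">'
           '<samlp:RequestedAuthnContext Comparison="exact">'
           '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
           '</samlp:RequestedAuthnContext></samlp:AuthnRequest>') % (SAMLP, SAML, PPT)

def response_with(class_ref):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_p1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement><saml:AuthnContext>'
            '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion></samlp:Response>') % (SAMLP, SAML, class_ref)

if __name__ == "__main__":
    got = asserted_class(response_with(PWD))           # IdP asserted plain Password
    print(sp_accepts(requested_classes(REQ_OPEN), got))         # True: nothing requested
    print(sp_accepts(requested_classes(REQ_OPEN), got, [PPT]))  # False: COT list excludes it
    print(sp_accepts(requested_classes(REQ_PPT), got))          # False: exact match required
```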
