saml-dev message

Subject: Re: [saml-dev] Mixed one/two-factor authentication environment

While I agree that a logout is not required to proceed to a higher level 
of authentication, 2FA is a system wherein two different factors are 
used in conjunction to authenticate. I suggest that to proceed from a 
single factor authentication transaction to one requiring 2F, the second 
authentication request should require that two different factors are used in 
conjunction to activate the higher authentication.

A mixed one/two-factor authentication environment is easily implemented 
with separate paths and directory branches.

robert.philpott@rsa.com wrote:
> Not necessarily. Unless there are some other unstated requirements, 
> IMO, implementations should be able to deal with the step-up 
> authentication without the logout step.
> It starts to get into authentication grading of course which SAML 
> tends to consider a “local” policy matter. If you accept that a 2fa 
> is stronger than a u/p authentication at both an SP and an IdP, then 
> an implementation should normally accept the 2fa for getting at any 
> resource but the u/p authn can only get at the lower-protected resources.
> If the user hits a 2fa-protected resource on the SP first, the initial 
> AuthenticationRequest can ask for the hardware token and the relying 
> party should let them get to all resources.
> If the user hits a u/p resource on the SP first, the initial AR would 
> be for password and when the user subsequently hits a 2fa-protected 
> resource, it should just “add” to the user's authn state by requesting 
> the IdP to authenticate them with the hardware token. There should be 
> no need to log the user out.
> On the IdP side, if the user is logged in first with u/p but it then 
> receives an AR asking for h/w token, it should just do the 2fa. 
> Shouldn’t be a need to log the user out.
> Well, at least that is how I would implement it.
> Rob Philpott
> RSA, the Security Division of EMC
> Senior Technologist | e-Mail: robert.philpott@rsa.com 
> <rphilpott@rsa.com> | Office: (781) 515-7115 | Mobile: (617) 510-0893
> From: Tanja Sialevri [mailto:tanja.sialevri@gmail.com]
> Sent: Friday, December 11, 2009 5:42 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Mixed one/two-factor authentication environment
> I'm working on a federation scenario where some services require only 
> password authentication and some two-factor authentication (hard token).
> I was thinking of starting off with an Authentication Context that 
> requires only password and when the user requires a service that needs 
> two-factor auth, I'd log him out and request that he logs in again in 
> an Authentication Context that requires the use of his hard token.
> Is this the way to go in a mixed one/two-factor authentication 
> environment?


Daniel E. Turissini,

President/ CEO, Operational Research Consultants, Inc.

11250 Waples Mill Road, South Tower, Suite 210, Fairfax, Virginia 22030


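The step-up flow Rob describes, and Daniel's point that the stronger level must actually be verified, as an added example in Python (not code from this thread or from any product mentioned in it; the SP issuer URL, the grading table and the sample assertion are constructed): the SP grades the session's AuthnContextClassRef against what the resource requires, issues a fresh AuthnRequest for the hard-token class without logging the user out, and checks the class the IdP actually asserts before granting access.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

# SAML 2.0 authentication context classes for the two factors discussed
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
HARD_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
# Grading is a local policy matter; this SP ranks the hard token above u/p
STRENGTH = {PASSWORD: 1, HARD_TOKEN: 2}

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of what the IdP might assert after the step-up
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
    f'<saml:AuthnContext><saml:AuthnContextClassRef>{HARD_TOKEN}'
    '</saml:AuthnContextClassRef></saml:AuthnContext>'
    '</saml:AuthnStatement></saml:Assertion>')


def satisfies(session_class, required_class):
    """True if the session's context is graded at or above the requirement."""
    return STRENGTH.get(session_class, 0) >= STRENGTH.get(required_class, 0)


def build_step_up_request(issuer, required_class):
    """AuthnRequest asking the IdP for exactly the required context class.

    Only RequestedAuthnContext changes; no logout precedes it, so the IdP
    can keep its existing u/p session and simply add the second factor.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required_class
    return ET.tostring(req, encoding="unicode")


def context_class_of(assertion_xml):
    """Class the IdP actually asserted; the SP must check this, not just its request."""
    ref = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else ""


def authorize(session_class, required_class, issuer="https://sp.example.org"):
    """Return ("allow", None) or ("step-up", AuthnRequest XML) for a resource."""
    if satisfies(session_class, required_class):
        return "allow", None
    return "step-up", build_step_up_request(issuer, required_class)
```

Signature validation of the assertion is assumed to happen before `context_class_of` is consulted.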
