
saml-dev message


Subject: Re: [saml-dev] ForceAuthn

On 9/13/11 9:14 AM, "Mihaylov, Dimitar" <dimitar.mihaylov@sap.com> wrote:
>If I read the document correctly there are no other requirements
>regarding the re-authentication process at the IdP. Does this mean that
>the IdP could use also 'passive'
>authentication method like client cert or integrated windows
>authentication (NTLM/SPNEGO) to (re-)authenticate the user?

You can't guarantee those methods are passive (particularly the former),
so IsPassive is precluded.

OTOH, ForceAuthn does not guarantee the user is actually prompted. The
"stronger" the authentication method, the weaker the actual proof of user
presence tends to be when the option is used.

-- Scott
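
Added example, not part of the original message: an SP-side check that compares the assertion's AuthnInstant with the time a ForceAuthn="true" request was sent. The sample assertion, the function name `check_forced_authn` and the 60-second skew are assumptions, and the assertion's signature is assumed to have been validated before this runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (signature, Subject and Conditions omitted for brevity).
# AuthnInstant is hours older than the request: the IdP reused a session.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0"
                IssueInstant="2011-09-13T14:00:05Z">
  <saml:AuthnStatement AuthnInstant="2011-09-13T09:30:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def check_forced_authn(assertion_xml, request_sent_at, skew=timedelta(seconds=60)):
    """Return (fresh, authn_instant, context_class) for an assertion received
    in answer to an AuthnRequest that carried ForceAuthn="true".

    fresh is True only if the IdP states it authenticated the user no earlier
    than request_sent_at minus the allowed clock skew.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return (False, None, None)  # no statement: treat as not re-authenticated

    # SAML timestamps are UTC with a trailing "Z".
    raw = stmt.attrib["AuthnInstant"].replace("Z", "+00:00")
    instant = datetime.fromisoformat(raw)

    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    context_class = ref.text.strip() if ref is not None and ref.text else None

    fresh = instant >= request_sent_at - skew
    return (fresh, instant, context_class)


if __name__ == "__main__":
    sent = datetime(2011, 9, 13, 14, 0, 0, tzinfo=timezone.utc)
    print(check_forced_authn(SAMPLE_ASSERTION, sent))
```

A fresh AuthnInstant shows only that the IdP states it re-authenticated; with a context class such as X509 it says nothing about whether the user was actually prompted.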
