Subject: RE: [saml-dev] Multiple AuthnStatements in Assertion
A primary use case is in step-up authentication. In environments where fine-grained authorization is based on authentication methods that get enforced through step-up authentication, the multiple authn statements can be used. For example, I may use a password-protected-transport (PPT) authentication at my enterprise IDP that lets me access my company 401K account at an outsourced provider, but a policy is applied that requires a step-up authentication (e.g. to hardware token) for high-value transactions to be permitted. My first assertion to authenticate would just have a PPT authncontext. When I attempt a restricted transaction, the SP kicks me back to the IDP for the step-up and the next assertion comes back with both the PPT statement and the hardware token method.

Rob Philpott | EMC Distinguished Engineer | RSA, the Security Division of EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893

> -----Original Message-----
> From: Will Hartung [mailto:willh@mirthcorp.com]
> Sent: Tuesday, February 11, 2014 3:40 PM
> To: Cantor, Scott
> Cc: Vasu Y; saml-dev@lists.oasis-open.org
> Subject: Re: [saml-dev] Multiple AuthnStatements in Assertion
>
> What are some use cases where multiple AuthnStatements are sent, and
> what are some examples of how Service Providers handle them?
>
> On Tue, Feb 11, 2014 at 2:30 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
> > On 2/11/14, 1:10 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:
> >
> >> Hi,
> >> I am designing a service provider and I would like to know the likely
> >> scenarios in which an Assertion (authentication response from IDP) would
> >> return/contain multiple AuthnStatements?
> >
> > SAML is a generic standard; what it permits is not specific to any one
> > profile or use case. Your use case may have no need for the concept.
> >
> > That said, if you're supporting the Browser SSO profile, then there is no
> > limit to the number of statements allowed, which means you have no choice
> > but to handle that. I am not aware of any good explanation for what it
> > would be for or what it would mean. I expect many implementations are
> > buggy and ignore more than one.
> >
> > -- Scott
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
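Scott's remark above that many implementations ignore all but one statement is exactly what would break the step-up flow Rob describes. The following is an added example, not code from the thread or from any product mentioned in it, of SP-side handling: it walks every AuthnStatement in an assertion, collects each AuthnContextClassRef, and checks whether the context a high-value transaction requires is present. The assertion XML is constructed for the example, and the TimeSyncToken class ref is assumed as the stand-in for Rob's "hardware token" method.

```python
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumed mapping: the "hardware token" step-up method is represented by TimeSyncToken.
TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

_STMT = """  <saml:AuthnStatement AuthnInstant="{when}" SessionIndex="{idx}">
    <saml:AuthnContext><saml:AuthnContextClassRef>{ref}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
"""


def make_assertion(refs):
    """Build a constructed (unsigned, illustrative) assertion with one
    AuthnStatement per context class ref, in the order given."""
    stmts = "".join(
        _STMT.format(when="2014-02-11T20:%02d:00Z" % (i * 30), idx="s%d" % i, ref=r)
        for i, r in enumerate(refs, 1)
    )
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
        'IssueInstant="2014-02-11T20:30:00Z">\n'
        "  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>\n"
        "  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>\n"
        "%s</saml:Assertion>" % (SAML_NS, stmts)
    )


# First assertion of the story: PPT only. Second: PPT plus the step-up method.
FIRST_ASSERTION = make_assertion([PPT])
STEP_UP_ASSERTION = make_assertion([PPT, TOKEN])


def authn_contexts(assertion_xml):
    """Return (AuthnInstant, AuthnContextClassRef) for every AuthnStatement,
    in document order. Reading all of them, not just the first, is what keeps
    the SP from silently discarding the step-up result."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    found = []
    for stmt in root.findall("saml:AuthnStatement", ns):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", ns)
        text = ref.text.strip() if ref is not None and ref.text else None
        found.append((stmt.get("AuthnInstant"), text))
    return found


def satisfies(assertion_xml, required):
    """True if any AuthnStatement in the assertion carries the required context."""
    return any(ref == required for _, ref in authn_contexts(assertion_xml))
```

Authorization for the restricted transaction then becomes `satisfies(assertion, TOKEN)`, which is false for the first assertion and true for the second.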