saml-dev message



Subject: RE: [saml-dev] Multiple AuthnStatements in Assertion


A primary use case is in step-up authentication.  In environments where
fine-grained authorization is based on authentication methods that get
enforced through step-up authentication, the multiple authn statements can be
used.  For example, I may use a password-protected-transport (PPT)
authentication at my enterprise IDP that lets me access my company 401K
account at an outsourced provider, but a policy is applied that requires a
step-up authentication (e.g. to hardware token) for high-value transactions
to be permitted.  My first assertion to authenticate would just have a PPT
AuthnContext.  When I attempt a restricted transaction, the SP kicks me back
to the IDP for the step-up and the next assertion comes back with both the
PPT statement and the hardware token method.

Rob Philpott | EMC Distinguished Engineer | RSA, the Security Division of
EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893

> -----Original Message-----
> From: Will Hartung [mailto:willh@mirthcorp.com]
> Sent: Tuesday, February 11, 2014 3:40 PM
> To: Cantor, Scott
> Cc: Vasu Y; saml-dev@lists.oasis-open.org
> Subject: Re: [saml-dev] Multiple AuthnStatements in Assertion
> 
> What are some use cases where multiple AuthnStatements are sent, and
> what are some examples of how Service Providers handle them?
> 
> On Tue, Feb 11, 2014 at 2:30 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
> > On 2/11/14, 1:10 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:
> >
> >> Hi,
> >> I am designing a service provider and I would like to know the likely
> >> scenarios in which an Assertion (authentication response from IDP) would
> >> return/contain multiple AuthnStatements?
> >
> > SAML is a generic standard; what it permits is not specific to any one
> > profile or use case. Your use case may have no need for the concept.
> >
> > That said, if you're supporting the Browser SSO profile, then there is no
> > limit to the number of statements allowed, which means you have no choice
> > but to handle that. I am not aware of any good explanation for what it
> > would be for or what it would mean. I expect many implementations are
> > buggy and ignore more than one.
> >
> > -- Scott
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
> >
> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
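Added example, not code from the thread or from any of the products mentioned: an SP-side check over a SAML 2.0 Assertion that carries more than one AuthnStatement, covering both the step-up scenario Rob describes (a PPT statement followed by a hardware-token statement in the re-issued assertion) and Scott's warning that implementations which only look at the first statement are buggy. The helper and function names are hypothetical; the AuthnContext class URIs are the standard SAML 2.0 ones. The sample assertions are constructed and unsigned; signature validation, Conditions/audience checks and replay detection are assumed to have been done before these functions run.

```python
"""Added example (not from the thread): an SP policy check over a SAML 2.0
Assertion that may contain several AuthnStatement elements.

Assumptions: signature, Conditions and replay checks already passed; the set
of classes accepted as a hardware-token step-up is a local policy choice.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML 2.0 authentication context class URIs.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"

# Policy for the "high-value transaction" case: any of these classes counts
# as a hardware-token step-up (assumed policy, not mandated by SAML).
HARDWARE_TOKEN_CLASSES = frozenset({TIME_SYNC_TOKEN, SMARTCARD})


def _constructed_assertion(contexts):
    """Build a minimal, unsigned assertion with one AuthnStatement per
    (AuthnInstant, AuthnContextClassRef) pair. Constructed sample data only."""
    stmts = "".join(
        f'<saml:AuthnStatement AuthnInstant="{instant}">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{cls}"
        f"</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        for instant, cls in contexts
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-example" Version="2.0" '
        'IssueInstant="2014-02-11T20:30:00Z">'
        "<saml:Issuer>https://idp.example.com/idp</saml:Issuer>"
        f"{stmts}</saml:Assertion>"
    )


# First login: password over TLS only.
FIRST_LOGIN = _constructed_assertion([("2014-02-11T20:30:00Z", PPT)])
# After step-up: the IdP re-issues with the original PPT statement and the
# new hardware-token statement; the PPT statement is listed first.
AFTER_STEP_UP = _constructed_assertion(
    [("2014-02-11T20:30:00Z", PPT), ("2014-02-11T20:41:15Z", TIME_SYNC_TOKEN)]
)


def authn_statements(assertion_xml):
    """Return every (AuthnInstant, AuthnContextClassRef) pair in document
    order. A statement with no class reference is reported with None."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    found = []
    for stmt in root.findall("saml:AuthnStatement", SAML_NS):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
        cls = ref.text.strip() if ref is not None and ref.text else None
        found.append((stmt.get("AuthnInstant"), cls))
    return found


def satisfies_step_up(assertion_xml, acceptable=HARDWARE_TOKEN_CLASSES):
    """Correct SP behaviour: permit the restricted transaction if *any*
    statement carries an acceptable class. No statements at all means deny."""
    return any(cls in acceptable for _, cls in authn_statements(assertion_xml))


def first_statement_only(assertion_xml, acceptable=HARDWARE_TOKEN_CLASSES):
    """The pattern the thread warns about: inspect only the first statement.
    On the step-up assertion above it wrongly denies the transaction."""
    stmts = authn_statements(assertion_xml)
    return bool(stmts) and stmts[0][1] in acceptable


if __name__ == "__main__":
    for name, xml in (("first login", FIRST_LOGIN), ("after step-up", AFTER_STEP_UP)):
        print(name, [cls for _, cls in authn_statements(xml)])
        print("  all-statements check:", satisfies_step_up(xml))
        print("  first-only check    :", first_statement_only(xml))
```

Because the IdP is free to order the statements however it likes, the SP must evaluate the whole list; the contrast between satisfies_step_up and first_statement_only on AFTER_STEP_UP is the concrete form of the "buggy and ignore more than one" remark. A production SP would additionally compare each AuthnInstant against its own freshness policy before accepting the step-up statement.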


