OASIS Mailing List Archives

saml-dev message


Subject: AuthnContext for WebSSO


Recently we, being an SP, have been integrating with an IdP that has some things that are doubtful from a spec perspective.

Despite going through the spec and citing the sections, they are interpreting it differently.

Kindly verify my understanding:

1) Can the IdP send the unspecified (urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified) AuthnContext if the authentication for the WebSSO use case happens using username/password over HTTPS?
As per the spec, it says it should send PasswordProtected if it is password-based authentication over HTTPS. We at the SP are looking for the PasswordProtected AuthnContext and we fail the assertion.

2) We, being an SP, also send the Required AuthnContext (which is PasswordProtected) in the SAMLRequest. In this case, if the IdP does not support this AuthnContext,
it should reply with NoAuthnContext. But the IdP still sends the unspecified AuthnContext.

3) Can the unspecified AuthnContext be used for any reason? As per the spec, it should be used for unspecified means of authentication.
This IdP is using unspecified for all cases.

They are asking us not to send RequestedAuthnContext, which is optional. We, being an SP, have already integrated with well-known IdPs and do not want to make this change
for only this IdP.
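
The SP-side check this message describes, as an added example that is not part of the original post: it rejects a Response whose AuthnContextClassRef is not one of the requested classes and recognises the NoAuthnContext status. It assumes the post's "PasswordProtected" means the `PasswordProtectedTransport` class URI and that the request used exact comparison; the function names and sample responses are constructed, and signature, audience and time validation are assumed to have been done beforehand.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
REQUESTED = {AC + "PasswordProtectedTransport"}  # assumed content of RequestedAuthnContext


def check_authn_context(response_xml, requested=REQUESTED):
    """Return (accepted, reason) for an SP that asked for an exact class match."""
    root = ET.fromstring(response_xml)
    # Document order: the top-level StatusCode comes first, nested ones after it.
    codes = [c.get("Value") for c in root.iterfind(".//samlp:StatusCode", NS)]
    if STATUS + "NoAuthnContext" in codes:
        return False, "IdP reported NoAuthnContext"
    if not codes or codes[0] != STATUS + "Success":
        return False, "status is not Success"
    refs = [r.text.strip() for r in root.iterfind(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS) if r.text]
    if not refs:
        return False, "no AuthnContextClassRef in assertion"
    bad = [r for r in refs if r not in requested]  # exact match: no ranking of classes
    if bad:
        return False, "class not requested: " + bad[0]
    return True, "ok"


def sample_response(status, class_ref=None, sub_status=None):
    """Build a constructed, unsigned Response for the demonstration only."""
    sub = f'<samlp:StatusCode Value="{STATUS}{sub_status}"/>' if sub_status else ""
    assertion = (f'<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>'
                 f'<saml:AuthnContextClassRef>{AC}{class_ref}</saml:AuthnContextClassRef>'
                 f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
                 ) if class_ref else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<samlp:Status><samlp:StatusCode Value="{STATUS}{status}">{sub}'
            f'</samlp:StatusCode></samlp:Status>{assertion}</samlp:Response>')


if __name__ == "__main__":
    for label, xml in [
            ("unspecified", sample_response("Success", "unspecified")),
            ("requested class", sample_response("Success", "PasswordProtectedTransport")),
            ("NoAuthnContext", sample_response("Responder", sub_status="NoAuthnContext"))]:
        print(label, check_authn_context(xml))
```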
