saml-dev message


Subject: Re: [saml-dev] AuthnContext for WebSSO

Hi Peter,

When we request, we request the "exact" comparison. As per the spec, the IdP should do the comparison based on what is requested from the SP: "exact", "minimum", "maximum" or "better".
So we would not get the least secure, but what we request.

We request that because we want the user to be challenged by username-password for sure. If not specified, the IdP can follow any other method.

Jeff, if keeping AuthnContext unspecified calls for security, why are there other means of AuthnContext specified in the specs? Is that security by obscurity?

On Thu, Jul 16, 2015 at 12:09 PM, Peter Schober <peter.schober@univie.ac.at> wrote:
* prabhat chaturvedi <chaturvedi.prabhat@gmail.com> [2015-07-16 08:05]:
> They are asking us to not send RequestedAuthnContext which is
> optional. We being a SP had already integrated with well known IdPs
> and do not want to do this change for only this IdP.

Is there anything worse/less than password-based authentication?
Explicitly asking for that makes sure you always get the least
secure method possible, ruling out more secure methods.
So I'd start by asking why specifically you're asking for that method.

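The Comparison semantics the two posters are arguing about, as an added example that is not part of this thread or of any SAML implementation: it builds the SP's samlp:RequestedAuthnContext, parses it back (applying the spec's default of "exact" when the attribute is absent), and shows how an IdP would decide which of its available authentication context classes satisfies "exact", "minimum", "maximum" or "better". The strength ordering STRENGTH is a constructed deployment policy, an assumption of this example, because SAML leaves relative strength to the responder; the reading of "better" as stronger than every listed class is likewise this example's choice.

```python
"""Added example (not from the saml-dev thread): SAML 2.0 RequestedAuthnContext
Comparison semantics, as an SP would emit them and an IdP would evaluate them."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC + "Password"
PPT = AC + "PasswordProtectedTransport"
OTP = AC + "TimeSyncToken"
SMARTCARD = AC + "SmartcardPKI"

# Constructed strength ordering, weakest first. This is an assumption of the
# example: the spec lets each IdP decide how its context classes rank.
STRENGTH = [PASSWORD, PPT, OTP, SMARTCARD]

COMPARISONS = ("exact", "minimum", "maximum", "better")


def build_requested_authn_context(class_refs, comparison="exact"):
    """Serialise the SP side: a samlp:RequestedAuthnContext element."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown Comparison value: {comparison}")
    root = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(root, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(root, encoding="unicode")


def parse_requested_authn_context(xml_text):
    """IdP side: return (comparison, [class refs]). Missing Comparison means 'exact'."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAMLP}}}RequestedAuthnContext":
        raise ValueError("not a RequestedAuthnContext element")
    comparison = el.get("Comparison", "exact")
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown Comparison value: {comparison}")
    refs = [c.text for c in el.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def satisfies(achieved, requested, comparison, strength=STRENGTH):
    """Would an authentication of class `achieved` satisfy the request?"""
    rank = {c: i for i, c in enumerate(strength)}
    if achieved not in rank or any(r not in rank for r in requested):
        raise ValueError("context class not covered by the strength policy")
    a = rank[achieved]
    req = [rank[r] for r in requested]
    if comparison == "exact":      # must be one of the listed classes
        return a in req
    if comparison == "minimum":    # at least as strong as one listed class
        return a >= min(req)
    if comparison == "maximum":    # no stronger than at least one listed class
        return a <= max(req)
    if comparison == "better":     # stronger than every listed class (example's reading)
        return a > max(req)
    raise ValueError(f"unknown Comparison value: {comparison}")


def select_context(available, requested, comparison, strength=STRENGTH):
    """Strongest available class that satisfies the request, or None, in which
    case an IdP would answer with urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext."""
    rank = {c: i for i, c in enumerate(strength)}
    ok = [c for c in available if satisfies(c, requested, comparison, strength)]
    return max(ok, key=rank.__getitem__) if ok else None


if __name__ == "__main__":
    # Constructed scenario: the IdP offers password-over-TLS and smartcard.
    idp_methods = [PPT, SMARTCARD]
    for cmp_ in COMPARISONS:
        xml = build_requested_authn_context([PPT], cmp_)
        comparison, refs = parse_requested_authn_context(xml)
        print(f"{comparison:8} -> {select_context(idp_methods, refs, comparison)}")
```

With the same single class reference, "exact" pins the IdP to password-over-TLS even when a stronger method is available, which is Peter's objection; "minimum" lets the IdP pick the stronger one while still ruling out plain Password, which is closer to what the original poster says they want. Parsing back through the IdP-side function also shows why omitting Comparison is not the same as omitting RequestedAuthnContext: an absent attribute still means "exact".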

