Subject: Re: [saml-dev] AuthnContext for WebSSO

I am still expecting an answer: can an IdP say unspecified AuthnContext if it is actually doing PasswordProtected?

- One thing that is sure from the spec is that the IdP should at least send us NoAuthnContext if it doesn't support the one which we request.

See one of my responses embedded below, regarding forceAuthn.

On Thu, Jul 16, 2015 at 2:21 PM, Peter Schober <peter.schober@univie.ac.at> wrote:
* prabhat chaturvedi <chaturvedi.prabhat@gmail.com> [2015-07-16 09:11]:
> When we request, we request the "exact" comparison.

My point exactly.

> So we would not get the least secure, but what we request for.

Which is the same thing, of course (modulo rather unusual deployments
with IP-address based authn, or some such).

> We request that, because we want the user be challenged by
> username-password for sure.

Sounds like what you want is forcedAuthentication, then.

It's not forceAuthentication. Force Authentication is when you ask to authenticate a user in your SAMLRequest, even if he holds a valid session.
This is an AuthnContext which we expect from an IdP which supports WebSSO. Actually the IdP conducts username/password authentication, but they are sending unspecified AuthnContext for that.

> Jeff, if keeping AuthnContext unspecified calls for security, why
> are there other means of AuthnContext specified in the specs. Is
> that security by obscurity?

I couldn't follow that argument either. ("I want you to accept my
assertion but I won't tell you the authn method" for /whose/ security,


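The two IdP behaviours argued about in this thread, as an added example that is not part of the original mail exchange: an SP-side check that treats an asserted `unspecified` class as a mismatch against an `exact` request for `PasswordProtectedTransport`, and that recognises the `NoAuthnContext` status code the spec provides for an IdP that cannot satisfy the request. The response XML is constructed for the example, not captured from any real IdP.

```python
"""SP-side AuthnContext check for Comparison="exact" (added example)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def sample_response(asserted_class=None, sub_status=None):
    """Constructed minimal samlp:Response (no signature, no Subject); the
    asserted class and the second-level status code are parameters so
    both cases from the thread can be built."""
    sub = f'<samlp:StatusCode Value="{sub_status}"/>' if sub_status else ""
    top = SUCCESS if sub_status is None else RESPONDER
    stmt = ""
    if asserted_class:
        stmt = (f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-07-16T12:00:00Z">'
                f'<saml:AuthnStatement AuthnInstant="2015-07-16T12:00:00Z"><saml:AuthnContext>'
                f'<saml:AuthnContextClassRef>{asserted_class}</saml:AuthnContextClassRef>'
                f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" IssueInstant="2015-07-16T12:00:00Z"><samlp:Status>'
            f'<samlp:StatusCode Value="{top}">{sub}</samlp:StatusCode></samlp:Status>'
            f'{stmt}</samlp:Response>')


def check_authn_context(response_xml, requested, comparison="exact"):
    """Return 'ok', 'no-authn-context' or 'mismatch' for the SP's decision."""
    root = ET.fromstring(response_xml)
    codes = {e.get("Value") for e in root.iter(f"{{{SAMLP}}}StatusCode")}
    if NO_AUTHN_CONTEXT in codes:
        # the IdP honestly said it cannot satisfy the requested context
        return "no-authn-context"
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    asserted = ref.text.strip() if ref is not None and ref.text else None
    if comparison != "exact":
        raise ValueError("only exact comparison is implemented in this example")
    # exact: the asserted class must be one of the requested ones; 'unspecified'
    # is just another class URI and never satisfies a request for a different one
    return "ok" if asserted in requested else "mismatch"


if __name__ == "__main__":
    want = {AC + "PasswordProtectedTransport"}
    print(check_authn_context(sample_response(AC + "unspecified"), want))
```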