security-bindings message
Subject: Definition of authentication assertion



Colleagues - Apropos our discussion on the Bindings telecon today concerning the purpose of the authentication assertion.  Simon correctly cited the definition from Section 1 of Core 12, stating that it records an authentication event.  However, the authentication assertion schema from Core 12 includes information that strongly suggests a use beyond simply recording an authentication event.  Indeed, unless we are designing a multi-vendor audit-log standard, a solution for nothing more than recording an authentication event misses the mark.

The elements "AuthenticationCode", "AuthenticationInstant" and "AuthenticationLocale" record the authentication event.  But, the element "Authenticator" carries information for zero or more methods by which the relying party can authenticate the subject.

The relying party can use the same method, or one different from that used by the issuer to authenticate the subject.

So, it would be consistent for an issuer to authenticate a subject, but not to prepare an authentication assertion until asked by the relying party for an assertion containing the information necessary for a particular authentication method suited to the relying party's needs.

In the Web browser profile, the authentication query submitted by the relying party to the issuer can contain the assertion ID from the artifact in its subject element, in order to identify the subject to the issuer, even though no authentication assertion actually exists at this point.

This message just clarifies my understanding of the definition of Authentication Assertion.  I will prepare a discussion of the Web browser topic, laying out candidate solutions for supplying the relying party with the authentication and attribute assertions that it needs. 

Best regards.  Tim.

-----------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
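A constructed sketch of the distinction drawn in the message above (the event-record elements versus the Authenticator element), added here and not part of the original post or of Core 12: the element names are the ones the message cites, while the XML layout, the Method attribute and all sample values are assumptions.

```python
"""Relying-party view of an authentication assertion (constructed example).

The three event-record elements say what the issuer did and when; the
Authenticator elements offer methods the relying party may use itself.
Layout, attribute names and values are assumptions, not the Core 12 schema.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample assertion; not a real Core 12 instance.
SAMPLE_ASSERTION = """<AuthenticationAssertion AssertionID="constructed-1">
  <AuthenticationCode>password</AuthenticationCode>
  <AuthenticationInstant>2001-05-01T12:00:00Z</AuthenticationInstant>
  <AuthenticationLocale>10.0.0.5</AuthenticationLocale>
  <Authenticator Method="password-hash">CONSTRUCTED-HASH</Authenticator>
  <Authenticator Method="x509-cert">CONSTRUCTED-CERT-REF</Authenticator>
</AuthenticationAssertion>"""

EVENT_TAGS = ("AuthenticationCode", "AuthenticationInstant", "AuthenticationLocale")


def parse_assertion(xml_text):
    """Split the assertion into the recorded event and the offered methods."""
    root = ET.fromstring(xml_text)
    event = {tag: root.findtext(tag) for tag in EVENT_TAGS}
    methods = [a.get("Method") for a in root.findall("Authenticator")]
    return event, methods


def event_is_fresh(event, now_iso, max_age_seconds):
    """True if the recorded authentication instant lies within max_age of now.

    A relying party that accepts the record as evidence should still bound
    its age; an old event is not current proof of the subject's presence.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    instant = datetime.strptime(event["AuthenticationInstant"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    return timedelta(0) <= now - instant <= timedelta(seconds=max_age_seconds)


def choose_authenticator(methods, supported):
    """Pick the first offered method the relying party can use itself.

    This may differ from AuthenticationCode: the issuer used a password,
    but the relying party may re-authenticate the subject by certificate.
    """
    return next((m for m in methods if m in supported), None)
```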


