
security-bindings message



Subject: Is an authentication assertion mandatory in SAML?



Marlena - Let me start by apologizing, I know you guys went through this on Monday, while I relaxed in my dentist's arm chair.  So, there is a good chance that I have misunderstood the issue.  But, on the off chance that I have not, how about this ... ?

1. The Shibboleth business model requires that an attribute assertion be communicated by the authentication/attribute authority to the content site with no accompanying authentication assertion.

2. The received wisdom is that the SAML architecture dictates that there be an authentication assertion associated with every attribute assertion ("no attribute assertion without authentication assertion").

3. The received wisdom is that SAML authentication assertions are a record of an authentication event.

This leads Marlena to conclude that SAML does not satisfy the Shibboleth requirement.  It also leads Simon to argue that an authentication assertion must be prepared immediately following authentication, and with no knowledge of the attributes required by the content site.

However, if we challenge points 2 and 3 above, can we not accommodate the Shibboleth requirement for attribute assertions without authentication assertions?

This only works with the artifact/pull model.  But, if the authentication/attribute authority issues an artifact that identifies the authenticated subject, and waits until it receives the assertion query before preparing the assertion, then the assertion can be an attribute assertion, not an authentication assertion.  It would say nothing about the authentication event, contain an "artifact" subject confirmation type code, and Marlena's concern would be addressed.

I've probably totally misunderstood the issue, right?

All the best.  Tim.



-----------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
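The artifact/pull flow Tim sketches above, worked through as an added example. This is not code from the original message, from Shibboleth, or from any SAML implementation: the message layouts, the issuer and site names, the shared HMAC key standing in for an XML signature, the 60-second artifact lifetime and the plain "artifact" confirmation label are all assumptions made for the sketch. The point it shows is that the authority asserts nothing at login time; it only mints an opaque, single-use artifact, and builds an attribute-only assertion (no authentication statement) once the content site's query tells it who is asking and which attributes are wanted.

```python
"""Artifact/pull flow yielding an attribute-only assertion (added illustration).

Not the original poster's code nor SAML/Shibboleth code; names, message shapes,
TTL and the "artifact" label are assumptions made for this sketch.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, List

CM_ARTIFACT = "artifact"   # placeholder confirmation-method label (assumption)
ARTIFACT_TTL = 60          # seconds an unredeemed artifact stays valid (assumption)


def sign(key: bytes, body: dict) -> str:
    """HMAC over canonical JSON, a stand-in for the real XML signature."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Authority:
    """Authentication/attribute authority: logs the user in, hands out an
    artifact, and builds an assertion only when a content site queries."""

    def __init__(self, signing_key: bytes, directory: Dict[str, Dict[str, str]],
                 release_policy: Dict[str, List[str]],
                 clock: Callable[[], float] = time.time):
        self.signing_key = signing_key
        self.directory = directory            # subject -> attributes known here
        self.release_policy = release_policy  # content site -> releasable attrs
        self.clock = clock
        self._pending: Dict[str, tuple] = {}  # artifact -> (subject, issued_at)

    def authenticate(self, subject: str, credential_ok: bool) -> str:
        """Local login. Nothing is asserted yet; only an opaque artifact is minted."""
        if not credential_ok or subject not in self.directory:
            raise PermissionError("authentication failed")
        artifact = secrets.token_urlsafe(20)   # unguessable handle for the subject
        self._pending[artifact] = (subject, self.clock())
        return artifact

    def assertion_query(self, artifact: str, requester: str, wanted: List[str]) -> dict:
        """Back-channel query from the content site; the assertion is made now,
        once the requester and the attributes it wants are known."""
        entry = self._pending.pop(artifact, None)   # artifacts are single-use
        if entry is None:
            raise LookupError("unknown or already redeemed artifact")
        subject, issued_at = entry
        if self.clock() - issued_at > ARTIFACT_TTL:
            raise LookupError("artifact expired")
        allowed = set(self.release_policy.get(requester, []))
        attrs = {n: self.directory[subject][n] for n in wanted
                 if n in allowed and n in self.directory[subject]}
        body = {
            "issuer": "origin.example.edu",
            "audience": requester,
            "subject": subject,
            "subject_confirmation": CM_ARTIFACT,
            # Attribute statement only: nothing here records the login event.
            "statements": [{"type": "AttributeStatement", "attributes": attrs}],
        }
        return {"body": body, "signature": sign(self.signing_key, body)}


class ContentSite:
    """Relying party: redeems the artifact and validates what comes back."""

    def __init__(self, name: str, authority_key: bytes, authority: Authority):
        self.name, self.authority_key, self.authority = name, authority_key, authority

    def redeem(self, artifact: str, wanted: List[str]) -> dict:
        response = self.authority.assertion_query(artifact, self.name, wanted)
        body = response["body"]
        if not hmac.compare_digest(sign(self.authority_key, body), response["signature"]):
            raise ValueError("bad signature")
        if body["audience"] != self.name:
            raise ValueError("assertion not addressed to this site")
        if body["subject_confirmation"] != CM_ARTIFACT:
            raise ValueError("unexpected confirmation method")
        return body


def run_flow(clock: Callable[[], float] = time.time):
    """Constructed end-to-end run: login, artifact hand-off, back-channel query."""
    key = b"demo-shared-key"   # assumed pre-exchanged between the two parties
    origin = Authority(key, directory={"alice": {"affiliation": "member",
                                                 "mail": "alice@example.edu"}},
                       release_policy={"library.example.org": ["affiliation"]},
                       clock=clock)
    site = ContentSite("library.example.org", key, origin)
    artifact = origin.authenticate("alice", credential_ok=True)
    # ...the artifact reaches the content site via the browser redirect...
    return origin, site, artifact, site.redeem(artifact, ["affiliation", "mail"])


if __name__ == "__main__":
    print(json.dumps(run_flow()[3], indent=2))
```

The content site asks for both `affiliation` and `mail`, but the release policy only permits `affiliation` to that site, so the returned assertion carries exactly one attribute; a second redemption of the same artifact, or a redemption after the TTL, is refused, which is what keeps the artifact from turning into a reusable bearer credential.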




