[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: ForceAuthn (was Use Cases)
On Wednesday, Nov 26, 2003, at 11:28 US/Eastern, Scott Cantor wrote: >> without requiring any global protocol to manage it. With the ability >> to >> force re-authentication at a certain time after the previous >> authentication, through the protocol, they get even more control over >> this process. I've cc'd Scott who's working on the SSO >> requirements to make sure he sees this. > > I guess the question I have is one I've seen raised before, namely what > exactly does ForceAuthn mean? How can the IdP have that kind of > control when > there are authentication technologies that make it impossible to know > for > sure whether the user will even be prompted. Well, your point is certainly well taken, but I guess I wasn't necessarily equating ForceAuthn with "InteractWithUser". To me, all this says is for the IdP to at least check the authentication status of the user, following *their* policy. This may include a user interaction, but as you point out below, it may not. So, perhaps the term 'ForceAuthn' is somewhat misleading? > Client certs are tops on that list, since the cert store usually > caches the > PIN and repeatedly authenticates with the key for a length of time, > often > controlled by the browser, not the IdP. But this may be the case regardless of the setting of ForceAuthn, no? > Even basic-auth behaves this way, though the IdP can work around that > one > with a challenge header. > > So even if you grant that the SP can somehow "bypass" what we would > normally > consider to be SSO processing, that's fairly distinct from actually > reauthenticating the user in a real sense. Or is the implication that > the > IdP MUST insure that this happens and cannot rely on technologies that > don't > provide that assurance if the Force flag is present? I think you are saying that ForceAuthn=true implies that the IdP actually interact with the user, and that such an interaction is the only way of re-authenticating the user in a real sense. And, I don't know that we could ever get that kind of effect within the protocol itself, for the reasons you have noted. But, I also think that in an environment where a "real" authentication is important to the SPs, that ForceAuthn may very well imply that the IdP will not depend on cached cert PINs or other methods where a user interaction is not required. - JohnK
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]