OASIS Mailing List Archives
security-services message



Subject: Re: ForceAuthn (was Use Cases)


On Wednesday, Nov 26, 2003, at 11:28 US/Eastern, Scott Cantor wrote:

>> without requiring any global protocol to manage it. With the ability to
>> force re-authentication at a certain time after the previous
>> authentication, through the protocol, they get even more control over
>> this process. I've cc'd Scott who's working on the SSO requirements to
>> make sure he sees this.
>
> I guess the question I have is one I've seen raised before, namely what
> exactly does ForceAuthn mean? How can the IdP have that kind of control
> when there are authentication technologies that make it impossible to know
> for sure whether the user will even be prompted.

Well, your point is certainly well taken, but I guess I wasn't 
necessarily equating ForceAuthn with "InteractWithUser". To me, all 
this says is for the IdP to at least check the authentication status of 
the user, following *their* policy. This may include a user 
interaction, but as you point out below, it may not. So, perhaps the 
term 'ForceAuthn' is somewhat misleading?

> Client certs are tops on that list, since the cert store usually caches the
> PIN and repeatedly authenticates with the key for a length of time, often
> controlled by the browser, not the IdP.

But this may be the case regardless of the setting of ForceAuthn, no?

> Even basic-auth behaves this way, though the IdP can work around that one
> with a challenge header.
>
> So even if you grant that the SP can somehow "bypass" what we would
> normally consider to be SSO processing, that's fairly distinct from actually
> reauthenticating the user in a real sense. Or is the implication that the
> IdP MUST ensure that this happens and cannot rely on technologies that
> don't provide that assurance if the Force flag is present?

I think you are saying that ForceAuthn=true implies that the IdP 
actually interact with the user, and that such an interaction is the 
only way of re-authenticating the user in a real sense. And, I don't 
know that we could ever get that kind of effect within the protocol 
itself, for the reasons you have noted. But, I also think that in an 
environment where a "real" authentication is important to the SPs, that 
ForceAuthn may very well imply that the IdP will not depend on cached 
cert PINs or other methods where a user interaction is not required.

- JohnK
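The practical consequence of the exchange above is that an SP which sets ForceAuthn="true" never learns from the protocol whether the user was really prompted; the only evidence it receives is the AuthnInstant (and AuthnContext) the IdP puts in the assertion. The following is an added example written for this archive page, not code from the thread's participants or from any SAML implementation. It builds a minimal AuthnRequest carrying ForceAuthn and then applies the check an SP can actually make: that the AuthnInstant in the returned AuthnStatement is not older than the request itself, which is what a reused session would look like. Element and attribute names follow SAML 2.0 Core; the entity IDs, URLs, request IDs, timestamps, the clock-skew allowance and the response documents are constructed sample data, and the optional per-AuthnContext policy is an assumed SP-side rule.

```python
"""Added example for the ForceAuthn thread: SP-side freshness check.

Illustrative code, not from the thread's authors or any SAML product.
Names follow SAML 2.0 Core (samlp:AuthnRequest/@ForceAuthn,
saml:AuthnStatement/@AuthnInstant, saml:AuthnContextClassRef). All
identifiers, URLs, timestamps and responses below are constructed.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
UTC = dt.timezone.utc

SKEW = dt.timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift


def _iso(t: dt.datetime) -> str:
    return t.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s: str) -> dt.datetime:
    # SAML xs:dateTime values are UTC; tolerate an optional fractional part.
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(s, fmt).replace(tzinfo=UTC)


def build_authn_request(sp_entity_id, idp_sso_url, request_id, issued, force_authn):
    """Serialize a minimal samlp:AuthnRequest. ForceAuthn="true" asks the IdP
    not to satisfy the request from an existing session; whether that means a
    visible prompt is decided by the IdP's own policy, not by the flag."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": _iso(issued),
        "Destination": idp_sso_url,
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def check_force_authn_honoured(response_xml, request_issued, now,
                               disallowed_classes=frozenset()):
    """Return (ok, reason) for an IdP response to a ForceAuthn request.

    ok is True only if every AuthnStatement's AuthnInstant lies between the
    request's IssueInstant and the current time (both widened by SKEW), and
    no AuthnContextClassRef is on the SP's disallowed list. An AuthnInstant
    that predates the request means the IdP reused an earlier authentication.
    """
    root = ET.fromstring(response_xml)
    stmts = root.findall(".//saml:AuthnStatement", NS)
    if not stmts:
        return False, "no AuthnStatement in response"
    for st in stmts:
        raw = st.get("AuthnInstant")
        instant = _parse(raw)
        if instant < request_issued - SKEW:
            return False, f"AuthnInstant {raw} predates the request: session reused"
        if instant > now + SKEW:
            return False, f"AuthnInstant {raw} is in the future"
        for ref in st.findall(".//saml:AuthnContextClassRef", NS):
            if ref.text in disallowed_classes:
                return False, f"AuthnContext {ref.text} not acceptable for ForceAuthn"
    return True, "AuthnInstant is fresh relative to the request"


def sample_response(authn_instant, class_ref):
    """Constructed IdP response (not a capture): one assertion, one statement."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" IssueInstant="2003-11-26T16:30:05Z" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2003-11-26T16:30:05Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="{authn_instant}">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    issued = dt.datetime(2003, 11, 26, 16, 30, 0, tzinfo=UTC)
    now = dt.datetime(2003, 11, 26, 16, 30, 10, tzinfo=UTC)
    ppt = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    print(build_authn_request("https://sp.example.com/sp",
                              "https://idp.example.org/sso", "_req1", issued, True))
    print(check_force_authn_honoured(sample_response("2003-11-26T16:30:04Z", ppt), issued, now))
    print(check_force_authn_honoured(sample_response("2003-11-26T15:55:00Z", ppt), issued, now))
```

The second check in the usage block fails because the assertion reports an authentication from half an hour before the request, exactly the cached-session case the thread is worried about; the first passes because the AuthnInstant falls inside the request window. The `disallowed_classes` hook is where an SP that needs a "real" authentication can refuse contexts it considers non-interactive, but that remains SP policy layered on top of the flag, not something ForceAuthn itself guarantees.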


