Re: [security-services] Re: ForceAuthn (was Use Cases)

[John Kemp <onezero@bcn.net>]

On Saturday, Nov 29, 2003, at 05:31 US/Eastern, Conor P. Cahill wrote:

>
>
> Scott Cantor wrote on 11/29/2003, 12:36 AM:
>
>>> Well, your point is certainly well taken, but I guess I wasn't
>>> necessarily equating ForceAuthn with "InteractWithUser". To me, all
>>> this says is for the IdP to at least check the authentication status 
>>> of
>>> the user, following *their* policy. This may include a user
>>> interaction, but as you point out below, it may not. So, perhaps the
>>> term 'ForceAuthn' is somewhat misleading?
>>
>> "checking authn status" sounds a little light for something that I
>> thought was meant to imply a bypassing of SSO.
>
> I agree.  I like to think of ForceAuthn as the SP asking the IdP to do
> whateve it takes so that the IdP can update the AuthenticationInstant 
> in
> the assertion at this time.

And that is my understanding too. I was merely pointing out that Scott 
is actually right - it may not involve a user interaction, and may 
simply involve checking a cached cert. without any active, direct user 
re-authentication at all. So, the term "ForceAuthn" could be misleading.

> For a UserName/Password authentication, this means it is a challenge to
> the user.  For some other authentication methods (such as an X509
> certificate, the IdP can challenge the client, but the IdP doesn't have
> control what the client does with the user, so there may be a soe cases
> where there is no challenge to the user).

Right - we're all in violent agreement.

I guess the ultimate question though is whether we think that 
ForceAuthn semantics that allow a situation where the *user* is not 
challenged are sufficient for the SP, and if not, is this a problem?

- JohnK