[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Re: ForceAuthn (was Use Cases)
On Saturday, Nov 29, 2003, at 05:31 US/Eastern, Conor P. Cahill wrote: > > > Scott Cantor wrote on 11/29/2003, 12:36 AM: > >>> Well, your point is certainly well taken, but I guess I wasn't >>> necessarily equating ForceAuthn with "InteractWithUser". To me, all >>> this says is for the IdP to at least check the authentication status >>> of >>> the user, following *their* policy. This may include a user >>> interaction, but as you point out below, it may not. So, perhaps the >>> term 'ForceAuthn' is somewhat misleading? >> >> "checking authn status" sounds a little light for something that I >> thought was meant to imply a bypassing of SSO. > > I agree. I like to think of ForceAuthn as the SP asking the IdP to do > whateve it takes so that the IdP can update the AuthenticationInstant > in > the assertion at this time. And that is my understanding too. I was merely pointing out that Scott is actually right - it may not involve a user interaction, and may simply involve checking a cached cert. without any active, direct user re-authentication at all. So, the term "ForceAuthn" could be misleading. > For a UserName/Password authentication, this means it is a challenge to > the user. For some other authentication methods (such as an X509 > certificate, the IdP can challenge the client, but the IdP doesn't have > control what the client does with the user, so there may be a soe cases > where there is no challenge to the user). Right - we're all in violent agreement. I guess the ultimate question though is whether we think that ForceAuthn semantics that allow a situation where the *user* is not challenged are sufficient for the SP, and if not, is this a problem? - JohnK
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]