OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier andKerberos authentication

> We are in agreement that AuthenticationMethod should be used 
> to represent a Kerberos based authentication using the 
> following syntax :
>                 AuthenticationMethod="urn:ietf:rfc:Kerberos" 
>                 and NOT : 
>                 AuthenticationMethod="urn:ietf:rfc:1510" 

I think that's fine, though the 1510 version is already in SAML 1.1, so I
guess we should consider whether it's worth changing.

> And, we have agreed that the pre-auth type is more 
> appropriately represented in a context statement in the 
> assertion and NOT as part of the AuthenticationMethod statement ?

Yes, I think the sense is that we're going to be able to dump Method and
move it into a set of context class URIs, that would keep the URIs the same,
if we want. Or if we change them, then it's moot, I guess. And context
classes are not the best way to capture preauth, given the potential
variability, so using actual AuthnContext statements and making sure the
SAML schema for that can capture this information is the real work item.

> I think this summarises the discussion so far ? I don't think 

I think so.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]