Subject: RE: [security-services] Issue of multiple authn statements during SSO
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, May 18, 2004 11:07 AM
> To: SAML
> Subject: [security-services] Issue of multiple authn statements during SSO
>
> A remaining substantive issue in the SSO profile relates to the request by
> several TC members to permit multiple authentication statements in the
> response.
>
> I'm unclear on what the use case for this is,

[Rob] Use case:

1. A user hits a page at a source site that is protected by a WAM product. The user logs into the WAM product at time T1 using method M1 (e.g. username/password).

2. The user hits another page at the source site that requires a stronger authentication method. The user authenticates using method M2 at time T2. The WAM product keeps track of both logon methods/times.

3. The user Web SSO navigates to a destination site. In order to properly reflect the fact that the user has multiple graded authentications at the source site, I need two authentication statements; one saying they used method M1 at time T1 and one describing method M2 at time T2.

> but if we're to do it, I
> believe we need to address what this is supposed to mean to the relying
> party,

I want to process this as ONE assertion in the response, not two.

[Rob] The WAM product at my relying party needs to use the authn methods in the assertion to (possibly) reflect the same authn methods in the login at that site. Otherwise I can't do graded authentication access checks at the destination site.

> as well as how to interpret a case in which you would get multiple
> assertions, each with bearer confirmation, and an authentication
> statement.

[Rob] Not sure why you'd want to do it with multiple assertions. As I said - I want to do it with a single assertion/multiple statements.

> This was always something I found awkward in the old profiles, and I was
> in favor of fixing it by restricting the profile to one statement because I
> don't understand the use case for two. So I continue to support that
> position, but would ask those with the use case to explain it, and supply
> text for the profile around it so that it's clear what the SP is to do to
> resolve any conflicts in the statements (e.g. different
> ReauthenticateOnOrAfter values).

[Rob] It may be reasonable to say an assertion can have multiple Authn statements, as long as the statements all have different methods.

> -- Scott
>
> To unsubscribe from this mailing list (and be removed from the roster of
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
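An added example, not part of the thread and not code from any TC member, showing how an SP could handle Rob's single-assertion, multiple-statement shape while answering Scott's conflict question: it rejects two statements for the same method, tracks each graded method with its own validity window, and takes the earliest session bound when the statements disagree. It assumes the SAML 2.0 final element and attribute names (AuthnStatement, AuthnInstant, SessionNotOnOrAfter, AuthnContextClassRef, the later name for the draft's ReauthenticateOnOrAfter), a constructed strength ranking of AuthnContext classes, and a constructed sample assertion; signature and subject-confirmation checks are assumed to have run already.

```python
"""SP-side handling of an assertion with several <saml:AuthnStatement>
elements (added example; element names are SAML 2.0 final, ranking and
sample assertion are constructed for illustration)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed grading: higher number = stronger method.  The SP decides this
# ranking locally; the IdP only reports which method was used and when.
STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
}


def parse_saml_time(s):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_authn_statements(assertion_xml):
    """Return one dict per <saml:AuthnStatement>.  Reject the ambiguous
    shapes: two statements for the same method, or a statement that names
    no AuthnContextClassRef at all."""
    root = ET.fromstring(assertion_xml)
    stmts, seen = [], set()
    for el in root.findall("saml:AuthnStatement", NS):
        cls_el = el.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if cls_el is None or not (cls_el.text or "").strip():
            raise ValueError("AuthnStatement without AuthnContextClassRef")
        cls = cls_el.text.strip()
        if cls in seen:
            raise ValueError(f"duplicate AuthnStatement for method {cls}")
        seen.add(cls)
        expiry = el.get("SessionNotOnOrAfter")
        stmts.append({
            "method": cls,
            "instant": parse_saml_time(el.get("AuthnInstant")),
            "not_on_or_after": parse_saml_time(expiry) if expiry else None,
        })
    return stmts


def effective_strength(stmts, now):
    """Strongest grade still valid at `now`.  Each statement expires on its
    own SessionNotOnOrAfter, so an expired strong method falls back to a
    weaker method that is still live instead of ending the whole session."""
    best = 0
    for s in stmts:
        if s["not_on_or_after"] is not None and now >= s["not_on_or_after"]:
            continue
        best = max(best, STRENGTH.get(s["method"], 0))
    return best


def session_not_on_or_after(stmts):
    """Whole-session bound: the earliest SessionNotOnOrAfter among the
    statements, i.e. the conservative choice when the values conflict."""
    bounds = [s["not_on_or_after"] for s in stmts if s["not_on_or_after"]]
    return min(bounds) if bounds else None


# Constructed sample: password at T1, X.509 at T2, with different bounds.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0"
    ID="_example" IssueInstant="2004-05-18T15:10:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-05-18T15:00:00Z"
      SessionNotOnOrAfter="2004-05-18T23:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AuthnStatement AuthnInstant="2004-05-18T15:05:00Z"
      SessionNotOnOrAfter="2004-05-18T16:05:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    stmts = parse_authn_statements(SAMPLE_ASSERTION)
    print("strength at 15:30:", effective_strength(stmts, parse_saml_time("2004-05-18T15:30:00Z")))
    print("strength at 17:00:", effective_strength(stmts, parse_saml_time("2004-05-18T17:00:00Z")))
    print("session bound:", session_not_on_or_after(stmts))
```

Per-statement expiry is what makes the graded check work at the destination site: once the X.509 statement lapses the user drops back to password-grade access rather than being logged out, which mirrors what the source-site WAM product would do with its own two logon records.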