security-services message



Subject: RE: [security-services] Issue of multiple authn statements during SSO


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, May 18, 2004 11:07 AM
> To: SAML
> Subject: [security-services] Issue of multiple authn statements during SSO
> 
> A remaining substantive issue in the SSO profile relates to the request by
> several TC members to permit multiple authentication statements in the
> response.
> 
> I'm unclear on what the use case for this is, 
[Rob] Use case:
1. A user hits a page at a source site that is protected by a WAM
product.  The user logs into the WAM product at time T1 using method M1
(e.g. username/password).

2. The user hits another page at the source site that requires a
stronger authentication method.  The user authenticates using method M2
at time T2. The WAM product keeps track of both logon methods/times.

3. The user navigates via Web SSO to a destination site.  In order to
properly reflect the fact that the user has multiple graded
authentications at the source site, I need two authentication
statements: one saying they used method M1 at time T1 and one describing
method M2 at time T2.

> but if we're to do it, I believe we need to address what this is
> supposed to mean to the relying party, I want to process this as ONE
> assertion in the response, not two.

[Rob] The WAM product at my relying party needs to use the authn methods
in the assertion to (possibly) reflect the same authn methods in the
login at that site.  Otherwise I can't do graded authentication access
checks at the destination site.

> as well as how to interpret a case in which you would get multiple
> assertions, each with bearer confirmation, and an authentication
> statement.

[Rob] Not sure why you'd want to do it with multiple assertions.  As I
said - I want to do it with a single assertion/multiple statements.
 
> 
> This was always something I found awkward in the old profiles, and I was
> in favor of fixing it by restricting the profile to one statement because
> I don't understand the use case for two. So I continue to support that
> position, but would ask those with the use case to explain it, and supply
> text for the profile around it so that it's clear what the SP is to do to
> resolve any conflicts in the statements (e.g. different
> ReauthenticateOnOrAfter values).

[Rob] It may be reasonable to say an assertion can have multiple Authn
statements, as long as the statements all have different methods.
> 
> -- Scott
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
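An added example of the relying-party logic Rob describes above (one assertion, several authentication statements with distinct methods, used for graded access checks at the destination site). This is illustrative code written for this archive page, not code from the thread, from either author, or from any OASIS artifact. It assumes the element and attribute names of the final SAML 2.0 core schema (AuthnStatement, AuthnInstant, AuthnContext/AuthnContextClassRef, and SessionNotOnOrAfter as the per-statement reauthentication bound the draft discussion calls ReauthenticateOnOrAfter), a hypothetical local ranking METHOD_RANK, and a constructed sample assertion; signature verification, which a real SP performs before trusting any statement, is outside the example.

```python
"""Relying-party handling of one SAML assertion carrying several AuthnStatements.

Resolution strategy shown here (one possible answer to the "what does the SP do"
question raised in the thread): keep every statement whose own session bound is
still in the future, and let the effective authentication level at any moment be
the strongest of those.  When the stronger method's bound passes, the user drops
back to the weaker level instead of being logged out entirely.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical local policy of the destination site: higher rank is stronger.
# Methods not listed are treated as rank 0 (never satisfy a graded check).
METHOD_RANK = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "X509": 3,
}

# Constructed sample (not a real assertion): password logon at T1, then an
# X.509 client-certificate logon at T2, both reported in one assertion.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_constructed-example" IssueInstant="2004-05-18T15:07:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-05-18T14:00:00Z"
      SessionNotOnOrAfter="2004-05-18T22:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AuthnStatement AuthnInstant="2004-05-18T15:05:00Z"
      SessionNotOnOrAfter="2004-05-18T16:05:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class AuthnEvent:
    method: str
    instant: datetime
    not_on_or_after: Optional[datetime]


def parse_utc(value: str) -> datetime:
    """Parse the xs:dateTime form SAML uses (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_authn_statements(assertion_xml: str) -> list[AuthnEvent]:
    """Extract every AuthnStatement.  Rejects an assertion with none, or one
    that names the same method twice (the 'all different methods' rule)."""
    root = ET.fromstring(assertion_xml)  # signature already verified upstream
    events = []
    for stmt in root.findall("saml:AuthnStatement", NS):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if ref is None or not ref.text:
            raise ValueError("AuthnStatement without AuthnContextClassRef")
        bound = stmt.get("SessionNotOnOrAfter")
        events.append(AuthnEvent(
            method=ref.text.strip(),
            instant=parse_utc(stmt.attrib["AuthnInstant"]),
            not_on_or_after=parse_utc(bound) if bound else None,
        ))
    if not events:
        raise ValueError("assertion carries no AuthnStatement")
    methods = [e.method for e in events]
    if len(set(methods)) != len(methods):
        raise ValueError("same authentication method reported twice")
    return events


def valid_methods(events: list[AuthnEvent], now: datetime) -> set[str]:
    """Methods whose own session bound has not yet passed."""
    return {e.method for e in events
            if e.not_on_or_after is None or now < e.not_on_or_after}


def effective_rank(events: list[AuthnEvent], now: datetime,
                   ranking: dict = METHOD_RANK) -> int:
    """Strongest still-valid method by local ranking; 0 when none is valid."""
    return max((ranking.get(m, 0) for m in valid_methods(events, now)), default=0)


def meets_level(events: list[AuthnEvent], now: datetime, required_rank: int) -> bool:
    """Graded access check for a page that requires at least required_rank."""
    return effective_rank(events, now) >= required_rank


if __name__ == "__main__":
    evts = parse_authn_statements(SAMPLE_ASSERTION)
    for t in ("2004-05-18T15:30:00Z", "2004-05-18T17:00:00Z", "2004-05-18T23:00:00Z"):
        print(t, "rank", effective_rank(evts, parse_utc(t)))
```

The duplicate-method rejection is the conservative reading of the rule Rob proposes; a site that instead wants to accept the latest instance of a repeated method would replace that check with a reduction keyed on method.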

