
security-services message


Subject: RE: [security-services] Issue of multiple authn statements during SSO

> > as well as how to interpret a case in which you would get multiple
> > assertions, each with bearer confirmation, and an authentication
> > statement.
> [Rob] Not sure why you'd want to do it with multiple assertions.  As I
> said - I want to do it with a single assertion/multiple statements.

Well, I was asking how we could better constrain or define what might show
up so that the profile is less ambiguous. It sounds like your use case could
be met by saying that there should only be one bearer assertion with an
authentication statement in it, though there might be multiple statements in
it. This doesn't preclude a separate attribute assertion, of course, or
additional non-bearer assertions for other purposes.

> [Rob] It may be reasonable to say an assertion can have multiple Authn
> statements, as long as the statements all have different methods. 

Method (AuthnContext) is really not a problem, particularly <snide>given how
little anybody does with it anyway</snide>.

I'm more concerned about attributes that have processing rules attached,
such as the Reauthn timestamp. At a minimum, we'd need to make a rule about
using the shortest of the possible values, I guess, or preclude it from
appearing twice.

-- Scott
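
Added example, not part of the original message or of any OASIS text: a relying-party check for the constraint discussed above, accepting exactly one bearer assertion that carries authentication statements and taking the shortest re-authentication limit across them. It assumes SAML 2.0 element names and that the "Reauthn timestamp" corresponds to the `SessionNotOnOrAfter` attribute; the helper names and the unsigned sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML}

def make_assertion(aid, limits, method=BEARER):
    """Constructed, unsigned test assertion with one AuthnStatement per limit."""
    stmts = "".join(
        f'<saml:AuthnStatement AuthnInstant="2030-01-01T12:00:00Z" '
        f'SessionNotOnOrAfter="{t}"/>' for t in limits)
    return (f'<saml:Assertion ID="{aid}"><saml:Subject>'
            f'<saml:SubjectConfirmation Method="{method}"/>'
            f'</saml:Subject>{stmts}</saml:Assertion>')

def make_response(*assertions):
    body = "".join(assertions)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f'{body}</samlp:Response>')

# Constructed samples: one bearer assertion with two statements plus a separate
# attribute-only assertion, and a response with two competing bearer assertions.
SAMPLE_OK = make_response(
    make_assertion("_a1", ["2030-01-01T20:00:00Z", "2030-01-01T14:00:00Z"]),
    make_assertion("_attr", []))
SAMPLE_AMBIGUOUS = make_response(
    make_assertion("_a1", ["2030-01-01T20:00:00Z"]),
    make_assertion("_a2", ["2030-01-01T14:00:00Z"]))

def sso_session_limit(response_xml):
    """Return (assertion ID, earliest SessionNotOnOrAfter or None)."""
    # Assumption: signatures and conditions were validated before this step.
    root = ET.fromstring(response_xml)
    candidates = []
    for a in root.findall("saml:Assertion", NS):
        confirmations = a.findall("saml:Subject/saml:SubjectConfirmation", NS)
        stmts = a.findall("saml:AuthnStatement", NS)
        if stmts and any(c.get("Method") == BEARER for c in confirmations):
            candidates.append((a, stmts))
    if len(candidates) != 1:
        raise ValueError(f"expected 1 bearer authn assertion, got {len(candidates)}")
    a, stmts = candidates[0]
    # The shortest limit wins when several statements carry one.
    limits = [datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
              for v in (s.get("SessionNotOnOrAfter") for s in stmts) if v]
    return a.get("ID"), min(limits, default=None)
```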
