[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] AuthnContext comparison clarifications
> Scott, in terms of ordering, I was thinking of the AuthnQuery > use case and not Web SSO. I had forgotten we added the requested context element there until you asked about it. > So if the query responder is returning *all* authn contexts > it has for the user, I'm still thinking the actual order of > the requested authn context classes is irrelevant. I see how > for a Web SSO case, it would be relevant because it could > influence how the IDP may authenticate a user. You're probably correct. That means we need new text anyway, because the ordering stuff is all sitting in the element definition, not the AuthnRequest definition. > I would agree that if only one is being returned (which > satisfies the filter), then ordering would definitely matter. > And perhaps that is the exact reason for saying the requested > authn contexts need to be processed in order? Yes, exactly. Since it doesn't really hurt anything in the query case, maybe we could just say something like: "If ordering is relevant to the evaluation of the request, then the elements are processed in the order they appear in the message. For example, ordering is significant when using this element in an <AuthnRequest>, but not in an <AuthnQuery>." Or alternatively just override the ordering aspect in the AuthnQuery section. I'm just trying to avoid moving all the text. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]