OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups - SAML shared credential (draft-saml-shared-credential-discussion-01.doc) uploaded

> The IDP would recognize that it would be unable to satisfy the requested 
> AC class of #2 without authenticating the user in a different way.
> 
> So, yes I think this could work.
> 
> But, I have trouble understanding how it would fit with existing AC
> classes.

It may not. But at a minimum, I think we'd have to deal with this somehow
even if the solution chosen was similar to the original proposal because
"SwitchUser" doesn't tell me enough to know what it is you actually want the
IdP to do.

So I think SwitchUser is unnecessary and insufficient, essentially, but I
don't have a specific AuthnContext proposal on how it could be addressed.

Conceptually, it would seem that a new (or perhaps extension of an existing)
bucket in the AC schema would be used to capture whatever it is that we
think is actually important to express here.

The problem is that that probably applies to many of the existing context
classes (it's sort of orthogonal to them), which results in some
combinatorial problems.

> But, if the above URI instead looked like 
> 'urn:SAML:ac:classes:shared:mobile' (or 
> 'urn:SAML:ac:classes:mobile:shared"), giving the SP this info, the 
> implication appears that we need to extend all existing classes.

Right. I agree, it's not ideal. What I'm not clear on is how else you could
do it.

> If the AuthnStatement allowed multiple AuthnContext elements (like the 
> AuthnRequest does for RequestedAuthnContext) this wouldn't be an issue I 
> think.

Well, it can be handled on the assertion side more cleanly than on the
request side. In an assertion, you can actually express both a class and a
specific declaration. But on the request side, it's one or the other.

Bottom line, I agree, but I don't see any other piece of the spec that could
work. Attributes don't give you any kind of meaningful hook into the SSO
request flow at the moment, and the only way to influence how the IdP
interacts with the user other than very coarsely is AuthnContext.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]