[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Groups - SAML shared credential (draft-saml-shared-credential-discussion-01.doc)uploaded
Scott, thanks, its good to get confirmation that I wasn't missing something trivial about AC I'll take the action to dig to deeper into authn context schema and classes to better understand what might be possible . I'd expect there are other similarly orthogonal aspects of authentication for which we'll come up against this in the future. paul Scott Cantor wrote: >> The IDP would recognize that it would be unable to satisfy the requested >> AC class of #2 without authenticating the user in a different way. >> >> So, yes I think this could work. >> >> But, I have trouble understanding how it would fit with existing AC >> classes. >> > > It may not. But at a minimum, I think we'd have to deal with this somehow > even if the solution chosen was similar to the original proposal because > "SwitchUser" doesn't tell me enough to know what it is you actually want the > IdP to do. > > So I think SwitchUser is unnecessary and insufficient, essentially, but I > don't have a specific AuthnContext proposal on how it could be addressed. > > Conceptually, it would seem that a new (or perhaps extension of an existing) > bucket in the AC schema would be used to capture whatever it is that we > think is actually important to express here. > > The problem is that that probably applies to many of the existing context > classes (it's sort of orthogonal to them), which results in some > combinatorial problems. > > >> But, if the above URI instead looked like >> 'urn:SAML:ac:classes:shared:mobile' (or >> 'urn:SAML:ac:classes:mobile:shared"), giving the SP this info, the >> implication appears that we need to extend all existing classes. >> > > Right. I agree, it's not ideal. What I'm not clear on is how else you could > do it. > > >> If the AuthnStatement allowed multiple AuthnContext elements (like the >> AuthnRequest does for RequestedAuthnContext) this wouldn't be an issue I >> think. >> > > Well, it can be handled on the assertion side more cleanly than on the > request side. In an assertion, you can actually express both a class and a > specific declaration. But on the request side, it's one or the other. > > Bottom line, I agree, but I don't see any other piece of the spec that could > work. Attributes don't give you any kind of meaningful hook into the SSO > request flow at the moment, and the only way to influence how the IdP > interacts with the user other than very coarsely is AuthnContext. > > -- Scott > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. You may a link to this group and all your TCs in OASIS > at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > > -- Paul Madsen e:paulmadsen @ ntt-at.com NTT p:613-482-0432 m:613-302-1428 aim:PaulMdsn5
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]