
Subject: Re: [security-services] IDP Proxying & Distributed Authentication

Paul Madsen wrote:
> The scenario is that a SP stipulates an authn context for which two 
> authentication factors are required.
> The first IDP that receives the <AuthRequest> can only perform one of 
> the two factors, it proxies to another IDP for the second.
> Does SAML core forbid this?

Not unless the original SP constrains it from proxying.

> Can we interpret the above text as applying to each factor 
> independently, i.e. that the proxying IDP performs the above analysis for 
> each?

Sure, if it wants to. Handling the authentication is its business.

> Separately but related, existing Authn Context mechs in the 
> AuthnStatement appear limited in being able to describe 'who did what' 
> in such a distributed authentication case. There can be multiple 
> <AuthenticatingAuthority> elements, but all within a single 
> <AuthnContext>. The implication is that the proxying IDP would need to 
> create a single AuthnContext to reflect how the authentications were 
> distributed (even while acknowledging that the first IDP was involved in 
> some manner.)

True, though I could imagine many ways of passing information along, 
probably in Advice, to provide additional context. Dealing with stuff at the 
level of "who did what" seems fairly uncommon in the sense that people 
barely even use AuthnContext yet, let alone process them transactionally for 
data like that.

-- Scott
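As an added illustration of the AuthnContext structure discussed above (not code from the thread or from any OASIS deliverable), the following SP-side check parses a constructed assertion in which a proxying IdP records the second-factor IdP as an AuthenticatingAuthority inside the single AuthnContext, and decides whether the SP should accept it. The IdP names (idp-a.example, idp-b.example), the chosen class reference and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TWO_FACTOR = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"

# Constructed sample (not from the thread): the proxying IdP idp-a.example did the
# first factor itself and obtained the second from idp-b.example. SAML core says the
# issuer is not repeated in AuthenticatingAuthority; every other party is listed
# inside the one AuthnContext, which is the limitation the thread discusses.
PROXIED_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2005-03-01T12:00:00Z">
  <saml:Issuer>https://idp-a.example/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2005-03-01T11:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{TWO_FACTOR}</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://idp-b.example/idp</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authn_context(assertion_xml):
    """Return (issuer, class_ref, [authenticating authorities]) from the first AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS)
    authorities = [a.text for a in ctx.findall("saml:AuthenticatingAuthority", NS)]
    return issuer, class_ref, authorities


def accept_proxied_authn(assertion_xml, required_class, trusted_idps):
    """SP-side policy: the asserted class must be the one the SP stipulated, and every
    party that took part (issuer plus each named authority) must be an IdP the SP
    trusts for that class. Returns (accepted, reason)."""
    issuer, class_ref, authorities = authn_context(assertion_xml)
    if class_ref != required_class:
        return False, f"class {class_ref!r} does not satisfy {required_class!r}"
    involved = [issuer, *authorities]
    unknown = [p for p in involved if p not in trusted_idps]
    if unknown:
        return False, "authentication involved untrusted IdP(s): " + ", ".join(unknown)
    return True, "accepted; factors supplied by " + ", ".join(involved)
```

An SP that does not want the proxy to delegate at all would instead refuse any assertion whose AuthenticatingAuthority list is non-empty, or constrain proxying in the request itself as Scott notes.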
