
security-services message



Subject: Re: [security-services] Question on SAML V2.0 Identity Assurance Profiles, Version 1.0


On 7/15/11 1:40 PM, "David Chadwick" <d.w.chadwick@kent.ac.uk> wrote:
>
>We have built a system which requires the LOA to be split into two
>components, the registration LOA and the authentication/login LOA.
>
>I'd like to know if you have envisaged your CD to be used to represent
>this.

No, it's explicitly not allowable because the binding here is to
AuthenticationContext classes, which are singular in assertions without
getting into some edge cases.

>So could I for example send this in the IDP's metadata

No, because that's illegal syntactically. You can have multiple values,
but they're in parallel, not linked.

>Similarly we want to be able to send this dynamically in a SAML
>assertion. I presume it would be admissible there as well?

No.

-- Scott


