[Concordia] Notes from 1 Apr 2008 Concordia call

Scott Cantor cantor.2 at osu.edu
Tue Apr 1 14:22:35 EDT 2008


> Do people (e.g. GSA, DK, etc) currently use attributes because they see
> them as a preferred mechanism, or because defining SAML authn context
> class schemas has been prohibitive (and scary)?

Partly it's because they're scary, partly it's because SAML 1.1 didn't have
it, partly it's because some products seemingly may not expose the authn
context as well as they expose attributes, and partly it's because the field
is viewed as necessarily multi-valued in order to prevent an SP from needing
to add all the possible LOA values it might need to accept at runtime.

Eric noted that you could pass a declaration by value that used some kind of
extension to carry multiple class URIs, but that's:

a. weird
b. not easily processed by the application

> It's been my sense that the above groups recognize that authn context is
> preferred, and indicate a willingness to transition there ....

Well, at the moment, the multi-valued issue seems to be a dealbreaker for
the higher ed groups studying the question.

Concrete example:

We define InCommon bronze and silver, where silver also implies bronze. Does
the SP have to list both, or does the IdP send both? If the SP lists
both, it will reject InCommon gold later. If the IdP sends all of them, the
SP keeps working. This is viewed as the better model by most people. I'm
somewhat on the fence about it.

-- Scott
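The two models in the bronze/silver example above, played out in SP-side code. This is an added illustration, not code from the thread or from any federation; the assurance URIs and the attribute name are constructed placeholders, and the assertion fragment is built inline and unsigned. Model 1 evaluates the single SAML 2.0 AuthnContextClassRef against an SP accept-list (exact match), Model 2 evaluates a multi-valued assurance attribute in which the IdP lists every level the login satisfies. The scenarios show why an SP configured for bronze and silver rejects a later "gold" login under Model 1 but keeps working under Model 2:

```python
"""SP-side evaluation of identity assurance signalled two ways:
(1) a single SAML 2.0 AuthnContextClassRef, matched exactly against the
    list of class URIs the SP was configured to accept;
(2) a multi-valued attribute in which the IdP lists every level the login
    satisfies (silver implies bronze), so any overlap with the SP list is enough.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed placeholder URIs; they stand in for whatever a federation defines.
BRONZE = "urn:example:assurance:bronze"
SILVER = "urn:example:assurance:silver"
GOLD = "urn:example:assurance:gold"  # level introduced after the SP was configured
ASSURANCE_ATTR = "urn:example:attribute:assurance"  # constructed attribute name

# Minimal sample assertion (unsigned, for the demo only).
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{ns}">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_ctx}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{attr}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def build_assertion(authn_ctx, attr_values):
    """Construct a sample assertion carrying one class ref and N attribute values."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in attr_values
    )
    return ASSERTION_TEMPLATE.format(
        ns=SAML_NS, authn_ctx=authn_ctx, attr=ASSURANCE_ATTR, values=values
    )


def authn_context_class(assertion_xml):
    """Return the single AuthnContextClassRef URI, or None if absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    return el.text.strip() if el is not None and el.text else None


def assurance_attribute_values(assertion_xml):
    """Return every value of the (constructed) assurance attribute, in order."""
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            out.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", NS)
                if v.text
            )
    return out


def sp_accepts_authn_context(assertion_xml, accepted):
    """Model 1: exact match of the one class ref against the SP's accept-list."""
    return authn_context_class(assertion_xml) in accepted


def sp_accepts_assurance_attribute(assertion_xml, accepted):
    """Model 2: the IdP sends all satisfied levels; any overlap is sufficient."""
    return not set(assurance_attribute_values(assertion_xml)).isdisjoint(accepted)


def run_scenarios():
    """SP configured for bronze and silver only, before a gold level existed."""
    sp_accepted = {BRONZE, SILVER}
    silver_login = build_assertion(SILVER, [BRONZE, SILVER])
    gold_login = build_assertion(GOLD, [BRONZE, SILVER, GOLD])
    return {
        # Model 1: silver is on the list, gold is not, so gold is rejected.
        "silver_via_classref": sp_accepts_authn_context(silver_login, sp_accepted),
        "gold_via_classref": sp_accepts_authn_context(gold_login, sp_accepted),
        # Model 2: the IdP also sent the implied bronze/silver, so gold still works.
        "silver_via_attribute": sp_accepts_assurance_attribute(silver_login, sp_accepted),
        "gold_via_attribute": sp_accepts_assurance_attribute(gold_login, sp_accepted),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The difference is entirely in who carries the implication ordering: under Model 1 the SP must know that gold implies silver and update its list, under Model 2 the IdP states the implication by sending every satisfied level and the SP's configuration never has to change.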




