[Concordia] Notes from 1 Apr 2008 Concordia call

Ari Kermaier ari.kermaier at oracle.com
Wed Apr 2 10:13:20 EDT 2008


Why can't the Comparison attribute of the RequestedAuthnContext be used in these cases, e.g.

	<samlp:RequestedAuthnContext Comparison="minimum">
		<saml:AuthnContextClassRef>urn:...:incommon:bronze</saml:AuthnContextClassRef>
	</samlp:RequestedAuthnContext>

This works for LoA and similar systems as well, since these are typically an ordered list based on "strength".

::Ari
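To make the trade-off in this thread concrete, here is an added example (not code from the original thread or from any Concordia participant) of the SP-side evaluation that Ari's suggestion implies: a RequestedAuthnContext with Comparison="minimum" and a single bronze class ref, checked against whatever class the IdP later asserts, using the SAML 2.0 Comparison semantics (exact, minimum, maximum, better). The class URIs are placeholders, since the thread names InCommon bronze/silver/gold without spelling out the identifiers, and the strength ranking is an assumption: SAML does not define which class is "stronger", so the SP and IdP must agree on the ordering out of band.

```python
"""Evaluate an asserted AuthnContextClassRef against a RequestedAuthnContext.

Constructed example. The LoA URIs and their ordering are assumptions, not
identifiers from the thread or from InCommon.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

# Placeholder URIs (the thread does not give the real ones).
BRONZE = "urn:example:incommon:bronze"
SILVER = "urn:example:incommon:silver"
GOLD = "urn:example:incommon:gold"

# Strength ordering the SP and IdP are assumed to have agreed on; index == rank.
LOA_ORDER = [BRONZE, SILVER, GOLD]


def build_requested_authn_context(class_refs, comparison="minimum"):
    """Serialise a <samlp:RequestedAuthnContext> element as the SP would send it."""
    root = ET.Element(f"{{{NS['samlp']}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(root, f"{{{NS['saml']}}}AuthnContextClassRef").text = ref
    return ET.tostring(root, encoding="unicode")


def parse_requested_authn_context(xml_text):
    """Return (comparison, [class refs]) from a RequestedAuthnContext element."""
    root = ET.fromstring(xml_text)
    comparison = root.get("Comparison", "exact")  # schema default is "exact"
    refs = [e.text.strip() for e in root.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def _rank(class_ref, order):
    """Position of class_ref in the agreed ordering, or None if unknown."""
    return order.index(class_ref) if class_ref in order else None


def satisfies(asserted_ref, comparison, requested_refs, order=LOA_ORDER):
    """Does the IdP's asserted class meet the request under SAML 2.0 Comparison rules?

    Unknown classes are rejected (fail closed) for every mode except "exact",
    where membership in the requested list is all that matters.
    """
    if comparison == "exact":
        return asserted_ref in requested_refs
    actual = _rank(asserted_ref, order)
    ranks = [r for r in (_rank(x, order) for x in requested_refs) if r is not None]
    if actual is None or not ranks:
        return False
    if comparison == "minimum":   # at least as strong as one of the listed classes
        return actual >= min(ranks)
    if comparison == "better":    # strictly stronger than every listed class
        return actual > max(ranks)
    if comparison == "maximum":   # must not exceed the strongest listed class
        return actual <= max(ranks)
    raise ValueError(f"unknown Comparison value: {comparison!r}")


def evaluate(request_xml, asserted_ref, order=LOA_ORDER):
    """Parse the SP's request and check the IdP's asserted class against it."""
    comparison, refs = parse_requested_authn_context(request_xml)
    return satisfies(asserted_ref, comparison, refs, order)


if __name__ == "__main__":
    # Ari's form: one class, Comparison="minimum". Gold (defined later) still passes.
    req = build_requested_authn_context([BRONZE], "minimum")
    print(req)
    for ref in (BRONZE, SILVER, GOLD):
        print("minimum/bronze accepts", ref.rsplit(":", 1)[1], evaluate(req, ref))
    # Scott's concern: an SP that lists bronze and silver with exact matching
    # rejects gold once it exists.
    exact_req = build_requested_authn_context([BRONZE, SILVER], "exact")
    print("exact/bronze+silver accepts gold:", evaluate(exact_req, GOLD))
```

The check only helps if the ordering used by the SP is the one the IdP also applies; an IdP that ranks the classes differently, or asserts a class the SP has never seen, ends up in the fail-closed branch, which is the safer default for an access decision.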


> -----Original Message-----
> From: community-bounces at projectconcordia.org
> [mailto:community-bounces at projectconcordia.org] On Behalf Of Scott Cantor
> Sent: Tuesday, April 01, 2008 2:23 PM
> To: 'Paul Madsen'
> Cc: 'Concordia Community list'
> Subject: Re: [Concordia] Notes from 1 Apr 2008 Concordia call
> 
> 
> > Do people (e.g. GSA, DK, etc) currently use attributes because they see
> > them as a preferred mechanism, or because defining SAML authn context
> > class schemas has been prohibitive (and scary)?
> 
> Partly it's because they're scary, partly it's because SAML 1.1 didn't have
> it, partly it's because some products seemingly may not expose the authn
> context as well as they expose attributes, and partly it's because the field
> is viewed as necessarily multi-valued in order to prevent an SP from needing
> to add all the possible LOA values it might need to accept at runtime.
> 
> Eric noted that you could pass a declaration by value that used some kind of
> extension to carry multiple class URIs, but that's:
> 
> a. weird
> b. not easily processed by the application
> 
> > It's been my sense that the above groups recognize that authn context is
> > preferred, and indicate a willingness to transition there ....
> 
> Well, at the moment, the multi-valued issue seems to be a dealbreaker for
> the higher ed groups studying the question.
> 
> Concrete example:
> 
> We define InCommon bronze and silver, where silver also implies bronze. Does
> the SP have to list both, or does the IdP send both? If the SP lists both,
> it will reject InCommon gold later. If the IdP sends all of them, the SP
> keeps working. This is viewed as the better model by most people. I'm
> somewhat on the fence about it.
> 
> -- Scott
> 
> 