[Concordia] AC/LoA summary and call for scenarios
Scott Cantor
cantor.2 at osu.edu
Fri Aug 29 15:21:58 EDT 2008
> In other words, do the SAML Web SSO profile and the OpenID protocols
> deliver equivalent assurance to RPs in and of themselves, irrespective
> of what went on before they kick in (and acknowledging that NIST 4
> prohibits both of them.)
That's subjective. But the SAML assertion had better contain the appropriate
indication that proxying took place (the AuthenticatingAuthority element),
which is what tells the SP that in fact the AuthnContext it finds is really
from that guy, not the IdP.
SAML doesn't really have a profiled mechanism for saying "my AuthnContext is
X but the original authority's context is Y", so in general you don't have a
way to communicate what protocol was used by the proxy. The SP would need to
know that the proxy relied on OpenID based on knowledge that the
authenticating IdP was using that protocol.
-- Scott
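An added illustration, not part of Scott's message, of the SP-side check he describes: a constructed SAML 2.0 assertion fragment whose AuthnContext carries an AuthenticatingAuthority, parsed in Python so the SP can see that the context came from a proxied authority and, only via an SP-maintained table (assumed here, since SAML carries no protocol indication for the proxy), which protocol that authority used.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the asserting IdP proxied authentication to another
# authority and reports that via AuthenticatingAuthority inside AuthnContext.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2008-08-29T19:21:58Z">
  <saml:Issuer>https://proxy-idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-08-29T19:21:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://openid-provider.example.net/</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Hypothetical SP-side configuration: which upstream authorities the SP knows
# to authenticate with which protocol. This is out-of-band knowledge; the
# assertion itself never says what protocol the proxy relied on.
KNOWN_AUTHORITIES = {
    "https://openid-provider.example.net/": "OpenID",
}

def inspect_authn_context(assertion_xml):
    """Return (issuer, AuthnContextClassRef, [AuthenticatingAuthority...]).
    An empty authority list means the issuer authenticated the user itself."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS)
    authorities = [a.text.strip() for a in ctx.findall("saml:AuthenticatingAuthority", NS)]
    return issuer, class_ref, authorities

def context_origin(assertion_xml, known=KNOWN_AUTHORITIES):
    """Tell the SP whether the AuthnContext really comes from the issuer or
    from a proxied authority, and what the SP knows about each authority."""
    issuer, class_ref, authorities = inspect_authn_context(assertion_xml)
    if not authorities:
        return {"proxied": False, "issuer": issuer, "class_ref": class_ref, "protocols": {}}
    # Protocol is looked up, not read from the assertion; unknown means the SP
    # cannot tell what the proxy used and should treat the context accordingly.
    protocols = {a: known.get(a, "unknown") for a in authorities}
    return {"proxied": True, "issuer": issuer, "class_ref": class_ref, "protocols": protocols}
```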