[Concordia] AC/LoA summary and call for scenarios

Paul Madsen paulmadsen at rogers.com
Sat Aug 30 07:31:09 EDT 2008


Hi Scott, from the proxy's PoV, when it fills out the AuthnContext for its Assertion being sent back to the original RP, is it thinking:

a) this is the authentication information as passed to me by the original authenticating authority, but mapped into SAML

b) this is the authentication information, which includes that which the authenticating authority sent me, but may also reflect how I received it

As you point out, the AuthenticatingAuthority element is meant to provide a history of the involved proxies, which to my mind supports the contention that the eventual authn context is meant to be the full story, and not just the first chapter .... 

Given that all OPs brand "openid" somewhere in their provider name (to appear in the AuthenticatingAuthority element), perhaps it will be self-evident to the SAML RP what protocol was used :-)

thanks

paul

-- 
Paul Madsen
NTT
e: paulmadsen @ ntt-at.com
p: 613-482-0432
m: 613-302-1428
aim: PaulMdsn5
web: connectid.blogspot.com



----- Original Message ----
From: Scott Cantor <cantor.2 at osu.edu>
To: Paul Madsen <paulmadsen at rogers.com>; community at projectconcordia.org
Sent: Friday, August 29, 2008 3:21:58 PM
Subject: RE: [Concordia] AC/LoA summary and call for scenarios

> In other words, do the SAML Web SSO profile and the OpenID protocols
> deliver equivalent assurance to RPs in and of themselves, irrespective
> of what went on before they kick in (and acknowledging that NIST 4
> prohibits both of them.)

That's subjective. But the SAML assertion had better contain the appropriate
indication that proxying took place (the AuthenticatingAuthority element),
which is what tells the SP that in fact the AuthnContext it finds is really
from that guy, not the IdP.

SAML doesn't really have a profiled mechanism for saying "my AuthnContext is
X but the original authority's context is Y", so in general you don't have a
way to communicate what protocol was used by the proxy. The SP would need to
know that the proxy relied on OpenID based on knowledge that the
authenticating IdP was using that protocol.

-- Scott
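The SP-side check Scott describes, as an added example that is not part of the thread: it reads the AuthnStatement of a SAML 2.0 assertion, lists any AuthenticatingAuthority entries to detect proxying, and applies a policy that only accepts a proxied context when every upstream authority is one the SP already knows. The sample assertion, issuer and authority URLs are constructed for this example.

```python
# Added example (not from the thread): SP-side inspection of a SAML 2.0
# AuthnStatement to detect proxying via AuthenticatingAuthority.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: a proxying IdP re-asserts an authentication that an
# upstream authority (an OpenID provider, per the thread) actually performed.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example"
    Version="2.0" IssueInstant="2008-08-30T11:31:09Z">
  <saml:Issuer>https://proxy-idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-08-30T11:30:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://openid.example.net/</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def inspect_authn_context(assertion_xml: str) -> dict:
    """Return the issuer, the asserted context class and the chain of
    AuthenticatingAuthority entries (empty when the issuer itself
    authenticated the principal, i.e. no proxying took place)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    ctx = stmt.find("saml:AuthnContext", NS)
    class_ref, chain = "", []
    if ctx is not None:
        class_ref = ctx.findtext("saml:AuthnContextClassRef", default="", namespaces=NS)
        chain = [a.text.strip() for a in ctx.findall("saml:AuthenticatingAuthority", NS) if a.text]
    return {"issuer": issuer, "context_class": class_ref,
            "authenticating_authorities": chain, "proxied": bool(chain)}


def context_is_acceptable(info: dict, acceptable_classes, known_authorities) -> bool:
    """Policy: the asserted class must be acceptable, and if the context was
    proxied, every upstream authority must be one the SP already knows, since
    the assertion itself does not say what protocol that authority used."""
    if info["context_class"] not in acceptable_classes:
        return False
    return all(a in known_authorities for a in info["authenticating_authorities"])
```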