[Concordia] AC/LoA summary and call for scenarios
Scott Cantor
cantor.2 at osu.edu
Sat Aug 30 14:01:56 EDT 2008
> Hi Scott, from the proxy's PoV, when it fills out the AuthnContext for its
> Assertion being sent back to the original RP, is it thinking
>
> a) this is the authentication information as passed to me by the original
> authenticating authority, but mapped into SAML
That's how the proxying SSO processing rules are phrased, I believe, yes.
> b) this is the authentication information, which includes that which the
> authenticating authority sent me, but may also reflect how I received it
That's the part I don't think is really capturable without just using the
AuthnContext contents in a more complex way.
> As you point out, the AuthenticatingAuthority element is meant to provide a
> history of the involved proxies, which to my mind supports the contention
> that the eventual authn context is meant to be the full story, and not just
> the first chapter ....
I can see that viewpoint, but that makes it impractical to rely on classes,
and/or a concise representation of the circumstances.
> Given that all OPs brand "openid" somewhere in their provider name (to
> appear in the AuthenticatingAuthority element), perhaps it will be self-
> evident to the SAML RP what protocol was used :-)
Probably not something to rely on. I suspect it would have been worth
embedding a "protocol" attribute or something similar in the
AuthenticatingAuthority element.
-- Scott
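The two mechanics under discussion, the proxy carrying the upstream AuthnContext forward and the AuthenticatingAuthority elements accumulating as a history of hops, are shown below as an added example; it is not code from the thread or from any SAML implementation. The entity IDs, the sample assertion and the relying-party policy are constructed for illustration. Instead of inferring the upstream protocol from whether a provider name contains "openid", the relying party here checks every hop in the chain against an explicit allow-list, which is the check it can actually make with the information the assertion carries.

```python
"""Added example (not from the thread): proxied SAML AuthnContext handling.

Shows (1) how a proxying IdP builds the AuthnContext it sends downstream,
keeping the upstream class reference and appending the upstream issuer to
the AuthenticatingAuthority history, and (2) how a relying party can check
the resulting chain against an explicit policy.  All entity IDs and the
sample assertion are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
ET.register_namespace("saml", SAML2)

PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Hypothetical entity IDs used throughout.
UPSTREAM_OP = "https://op.example.com/openid"       # original authenticating authority
PROXY_IDP = "https://proxy.example.org/idp"         # SAML proxy that issues to the RP

# Constructed sample: an assertion issued by PROXY_IDP after relaying an
# authentication it received from UPSTREAM_OP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-assertion-id" IssueInstant="2008-08-30T18:01:56Z">
  <saml:Issuer>https://proxy.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2008-08-30T18:01:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://op.example.com/openid</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def proxied_authn_context(upstream_issuer, upstream_class_ref, upstream_authorities):
    """Build the AuthnContext a proxy emits after relaying an upstream assertion.

    The class reference is passed through unchanged; the history grows by one
    entry per hop, with the upstream issuer appended after any authorities the
    upstream assertion already listed.
    """
    return {
        "class_ref": upstream_class_ref,
        "authorities": list(upstream_authorities) + [upstream_issuer],
    }


def render_authn_context(ctx):
    """Serialize a context dict as a saml:AuthnContext element."""
    el = ET.Element(f"{{{SAML2}}}AuthnContext")
    ET.SubElement(el, f"{{{SAML2}}}AuthnContextClassRef").text = ctx["class_ref"]
    for entity_id in ctx["authorities"]:
        ET.SubElement(el, f"{{{SAML2}}}AuthenticatingAuthority").text = entity_id
    return ET.tostring(el, encoding="unicode")


def parse_authn_context(assertion_xml):
    """Extract issuer, class reference and authority chain from an assertion.

    Assumes the signature has already been validated; for untrusted input use a
    hardened parser (e.g. defusedxml) rather than the stdlib one used here.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS).strip()
    authorities = [e.text.strip() for e in ctx.findall("saml:AuthenticatingAuthority", NS)]
    return {"issuer": issuer, "class_ref": class_ref, "authorities": authorities}


def check_policy(info, trusted_entities, acceptable_classes):
    """Return reasons to reject the assertion; an empty list means accept.

    Every hop, the asserting IdP itself plus each AuthenticatingAuthority, must
    be explicitly trusted; nothing is inferred from the shape of the entity ID.
    """
    reasons = []
    if info["class_ref"] not in acceptable_classes:
        reasons.append(f"class {info['class_ref']} not acceptable")
    for entity in [info["issuer"]] + info["authorities"]:
        if entity not in trusted_entities:
            reasons.append(f"untrusted authenticating authority {entity}")
    return reasons


if __name__ == "__main__":
    hop1 = proxied_authn_context(UPSTREAM_OP, PASSWORD_PT, [])
    print(render_authn_context(hop1))
    info = parse_authn_context(SAMPLE_ASSERTION)
    print(info, check_policy(info, {PROXY_IDP, UPSTREAM_OP}, {PASSWORD_PT}))
```

A second proxy in front of PROXY_IDP would call proxied_authn_context again with PROXY_IDP as the upstream issuer and hop1's authorities, yielding a two-element history; check_policy then has to trust both hops, which is the point of treating the chain as the full story rather than only its first chapter.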