Skip to Content.
Sympa Menu

ad-assurance - RE: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

RE: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)

Chronological Thread 
  • From: Brian Arkills <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)
  • Date: Fri, 15 Nov 2013 16:02:22 +0000
  • Accept-language: en-US

Ah ... I see. There are comparable technologies from vendors. Cisco has an add-on to their BigIP stack called Access Policy Manager that can orchestrate your entire authentication workflow based on business rules you give it (and since it is working at such a low layer it works for more than just authN). Microsoft's ADFSv3 (version just released) has context and SP aware authentication workflow too. And you can use this new ADFS capability with non-web applications in some situations (yeah, I was surprised about this too).


I've been noting this "authentication workflow" capability as an emerging trend over the past year, so it is interesting to hear of yet another. My team here hasn't been interested in the vendor offerings despite their obvious utility, but I imagine they'll return from Identity Week very interested in this open source option. :)


Creative thinking, Eric. Thanks for sharing. :)


From: [mailto:] On Behalf Of David Walker
Sent: Thursday, November 14, 2013 9:19 PM
Subject: Re: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)


  1. Brian, the Multi-Context Broker (MCB) is a Shib login handler that understands how to orchestrate multiple authentication contexts based on the SP's request, the user's certifications, and the hierarchy of contexts that satisfy other contexts' requirements (like Silver satisfies Bronze).  I've attached the slides I used to describe at ACAMP and CAMP this week.
  1. Eric, yes, that sounds like it would work.  Clever idea.
  1. Let's cancel tomorrow's call.  Most everyone will be at CAMP.


On Thu, 2013-11-14 at 22:19 +0000, Brian Arkills wrote:

What is MCB?


From: [] On Behalf Of Eric Goodman
Sent: Thursday, November 14, 2013 2:01 PM
Subject: [AD-Assurance] MCB and AD Silver Cookbook


Hi all,


Just a thought…


If a campus were using the MCB, would that mean that they could enforce that Silver assertions are only generated from username/password based login events? Then they could use other authentication forms (Kerberos or NTLM via ADFS, SPNEGO, GSSAPI) when NOT asserting Silver but still be compliant with our interpretation and “needle threading”?


A possibly less-queasy-making option that popped into my head last night when I was processing/recapping what I’d picked up in the various ACAMP sessions.


--- Eric


Archive powered by MHonArc 2.6.16.

Top of Page