
ad-assurance - Re: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: Eric Goodman <>
  • To: "<>" <>
  • Cc: "" <>
  • Subject: Re: [AD-Assurance] RE: MCB and AD Silver Cookbook (also,. tomorrow's call CANCELED)
  • Date: Fri, 15 Nov 2013 17:19:13 +0000
  • Accept-language: en-US

Sorry about the gratuitous TLA dropping. :)

The main thing here is that it would be able to understand the difference between a "standard" login and a "silver required" one, and it can require different authentication methods (e.g., LoginHandlers) based on the authn request, even if the user is already authenticated to the IdP.  

--- Eric

Sent from my iPhone

On Nov 14, 2013, at 10:29 PM, "David Walker" <> wrote:

  1. Brian, the Multi-Context Broker (MCB) is a Shib login handler that understands how to orchestrate multiple authentication contexts based on the SP's request, the user's certifications, and the hierarchy of contexts that satisfy other contexts' requirements (like Silver satisfies Bronze). I've attached the slides I used to describe it at ACAMP and CAMP this week.
  2. Eric, yes, that sounds like it would work.  Clever idea.
  3. Let's cancel tomorrow's call.  Most everyone will be at CAMP.

David

On Thu, 2013-11-14 at 22:19 +0000, Brian Arkills wrote:
What is MCB?

From: [] On Behalf Of Eric Goodman
Sent: Thursday, November 14, 2013 2:01 PM
To:
Subject: [AD-Assurance] MCB and AD Silver Cookbook

Hi all,

Just a thought…

If a campus were using the MCB, would that mean that they could enforce that Silver assertions are only generated from username/password based login events? Then they could use other authentication forms (Kerberos or NTLM via ADFS, SPNEGO, GSSAPI) when NOT asserting Silver but still be compliant with our interpretation and “needle threading”?

A possibly less-queasy-making option that popped into my head last night when I was processing/recapping what I’d picked up in the various ACAMP sessions.

--- Eric



<The Multi-Context Broker.pdf>
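
Added example, not part of the thread and not the MCB's own code or configuration: a small model of the decision the messages above describe, where Silver is only asserted after a username/password login, other methods remain usable for non-Silver requests, and an existing session may still be sent back to log in again. The context names, method names, policy tables and the `decide` function are assumptions made for illustration.

```python
# Simplified model of the decision discussed in this thread. This is NOT the
# MCB's code or configuration; context names, method names and both policy
# tables are assumptions made for illustration.

# Requested context -> contexts that satisfy it ("Silver satisfies Bronze").
# The weakest acceptable context is listed first.
SATISFIED_BY = {
    "bronze": ["bronze", "silver"],
    "silver": ["silver"],
}

# Policy proposed in the thread: Silver may only follow a username/password
# login; other methods stay usable when Silver is not being asserted.
ALLOWED_METHODS = {
    "bronze": ["password", "spnego"],
    "silver": ["password"],
}


def decide(requested, user_certs, session_methods):
    """Return (action, context, method) for one SP request.

    requested       -- context the SP asked for
    user_certs      -- contexts the user is certified for
    session_methods -- methods already completed in the current IdP session
    """
    # Contexts that satisfy the request AND that this user may be asserted at.
    candidates = [c for c in SATISFIED_BY[requested] if c in user_certs]
    if not candidates:
        return ("deny", None, None)
    # Reuse the existing session only if one of its methods is allowed
    # for a candidate context.
    for ctx in candidates:
        for method in ALLOWED_METHODS[ctx]:
            if method in session_methods:
                return ("reuse", ctx, method)
    # Otherwise require a fresh login, even though a session already exists.
    ctx = candidates[0]
    return ("prompt", ctx, ALLOWED_METHODS[ctx][0])


if __name__ == "__main__":
    certs = {"bronze", "silver"}          # constructed sample user
    print(decide("bronze", certs, {"spnego"}))   # SSO session is enough
    print(decide("silver", certs, {"spnego"}))   # must log in with password
    print(decide("silver", {"bronze"}, {"password"}))  # not certified
```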


