alternative-idp - Re: Capabilities of our alternative strategies
Subject: Alternative IdP Working Group
List archive
- From: David Walker <>
- To:
- Subject: Re: Capabilities of our alternative strategies
- Date: Tue, 30 Sep 2014 13:47:17 -0400
I agree with Chris. We need to be presenting the information. When
we actually get to writing up our results, we can figure out the
most effective presentation. I'll observe that most all of our Yes's have an implicit "if configured" caveat. That said, I've also indicated where that configuration involves adding (off the shelf) software. David On 09/30/2014 09:29 AM, Chris Phillips
wrote:
Been lurking on here for awhile, apologies for not being on the calls.. Maybe they could go, but from a business case (e.g. I need Multfactor for service X) it illustrates the can of worms exists instead of hide it under the carpet or it being absent during a comparative analysis. When assessing any path to take, I would highlight or call out that certain things are make or break decision areas and these may be them. The features exist for a reason and if that is unique to that space, it may be the sole reason for someone to adopt that implementation. If you take them out of the table for readability, no problem, but maybe create a separate section for Unique features' and give appropriate airtime compared to the larger table? C. On 14-09-30 9:16 AM, "Tom Scavo" wrote:On Sat, Sep 27, 2014 at 3:38 PM, David Walker wrote:I noticed a couple of columns where we might not be completely in agreement. Here are proposed interpretations: Support for Entity Categories (R&S). The issue here is whether the IdP can be configured to release attributes automatically to any SP in a specified Entity Category like R&S.AFAIK, Shibboleth is the only software in the world that can leverage entity attributes at the IdP. If that's true, then there isn't much point having such a column in the table.Support for Multiple AuthN Contexts for MFA and Assurance. The issue is whether the IdP can invoke different authentication methods based on authentication contexts specified in the SAML request (e.g., the Multi-Context Broker).Likewise this column is a can of worms and should probably be removed. First, the MCB is add-on software, not baked in, so I'm not sure it qualifies as an illustrative example. Moreover, I'd be very surprised if ANY software can process specific RequestedAuthnContext values out-of-the-box, especially for values not defined in the SAML2 Authentication Context spec. Tom |
Attachment:
signature.asc
Description: OpenPGP digital signature
- Capabilities of our alternative strategies, David Walker, 09/27/2014
- Re: Capabilities of our alternative strategies, Tom Scavo, 09/30/2014
- Re: Capabilities of our alternative strategies, Tom Scavo, 09/30/2014
- Re: Capabilities of our alternative strategies, Chris Phillips, 09/30/2014
- Re: Capabilities of our alternative strategies, David Walker, 09/30/2014
- Re: Capabilities of our alternative strategies, Chris Phillips, 09/30/2014
Archive powered by MHonArc 2.6.16.