[Assurance] interop testing: VT+CILogon Use Case 0 achieved

  • From: Jim Basney <>
  • Subject: [Assurance] interop testing: VT+CILogon Use Case 0 achieved
  • Date: Wed, 21 Sep 2011 10:42:37 -0500
  • Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc

Hi,

I'm pleased to report that this morning the VT test IdP and CILogon test
SP successfully achieved Use Case 0:

> Use Case 0: SP requests Silver Qualifier and IdP returns Silver Qualifier.

When the CILogon test SP passed
authnContextClassRef=http://id.incommon.org/assurance/silver-test to the
Shibboleth SAML2 SessionInitiator to request the Silver test IAQ from
the VT test IdP, the resulting authenticated session contained:

HTTP_SHIB_AUTHNCONTEXT_CLASS=http://id.incommon.org/assurance/silver-test

When the CILogon test SP *didn't* pass an authnContextClassRef to the
SessionInitiator, the resulting authenticated session contained:

HTTP_SHIB_AUTHNCONTEXT_CLASS=urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

So I think we've demonstrated that the IdP can send the IAQ
conditionally based on the SP's request, and the SP can tell the difference.

Next steps as I see them:

* Test other IdPs with the CILogon test SP.

* On the CILogon test SP, figure out how to check the IdP's entity
descriptor in metadata to validate that the IdP asserting the IAQ is
actually certified to do so. Any advice/pointers on this appreciated.

* Demonstrate an IdP sending the Silver test IAQ for some users but not
for others, i.e., conditionally based on the user's authentication
method at the IdP or based on whether the user is marked as Silver-level
vetted in LDAP or ...

-Jim

P.S. Credit to Marvin Addison (VT) and Terry Fleury (CILogon) who did
the work while I just watched and learned.
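The two checks this message describes, as an added example that is not part of Jim's message or of the CILogon SP's own code: the SP compares the authentication context class it gets back with the IAQ it requested, and then confirms from federation metadata that the asserting IdP is certified for that IAQ. The metadata check follows the OASIS SAML V2.0 Identity Assurance Profiles convention, where the IdP's EntityDescriptor carries an mdattr:EntityAttributes extension holding a SAML attribute named urn:oasis:names:tc:SAML:attribute:assurance-certification whose values are the IAQ URIs the IdP may assert; that the test federation publishes the silver-test qualifier this way is an assumption. The entity IDs, the metadata snippet and the session variables are constructed for the example, and HTTP_SHIB_IDENTITY_PROVIDER is assumed to be exported under the same header convention as the HTTP_SHIB_AUTHNCONTEXT_CLASS variable quoted above.

```python
"""Check that an IdP asserting an assurance qualifier (IAQ) is certified for it.

Added example, not from the original message. Assumes the federation publishes
IAQ certifications as the entity attribute
urn:oasis:names:tc:SAML:attribute:assurance-certification (OASIS SAML V2.0
Identity Assurance Profiles); the sample metadata and session data are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SILVER_TEST = "http://id.incommon.org/assurance/silver-test"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Hypothetical entity IDs used only in this example.
IDP_CERTIFIED = "https://idp-certified.example.org/idp/shibboleth"
IDP_UNCERTIFIED = "https://idp-uncertified.example.org/idp/shibboleth"

# Constructed metadata aggregate (trimmed; real IDPSSODescriptors carry keys
# and endpoints). Only the first IdP is certified for the silver-test IAQ.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="{IDP_CERTIFIED}">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_CERT_ATTR}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{SILVER_TEST}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{IDP_UNCERTIFIED}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def session_initiator_url(sp_base, idp_entity_id, requested_iaq):
    """Build the Shibboleth SP SessionInitiator request that asks the chosen
    IdP for a specific authentication context class (the IAQ)."""
    query = urlencode({"entityID": idp_entity_id,
                       "authnContextClassRef": requested_iaq})
    return f"{sp_base}/Shibboleth.sso/Login?{query}"


def certified_iaqs(metadata_xml, entity_id):
    """Return the set of IAQ URIs the named IdP is certified for, per its
    assurance-certification entity attribute. Unknown IdP -> empty set."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        values = set()
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            if attr.get("Name") == ASSURANCE_CERT_ATTR:
                for v in attr.findall("saml:AttributeValue", NS):
                    values.add((v.text or "").strip())
        return values
    return set()


def session_meets_iaq(environ, requested_iaq, metadata_xml):
    """Decide whether the SP may treat the session as carrying requested_iaq.

    environ holds the CGI-style variables the SP exports for the session.
    Both conditions must hold: the IdP actually returned the requested class
    (not 'unspecified' or something else), and the IdP is certified for it.
    Returns (ok, reason).
    """
    asserted = environ.get("HTTP_SHIB_AUTHNCONTEXT_CLASS", "")
    idp = environ.get("HTTP_SHIB_IDENTITY_PROVIDER", "")
    if asserted != requested_iaq:
        return False, f"IdP returned {asserted!r}, not the requested IAQ"
    if requested_iaq not in certified_iaqs(metadata_xml, idp):
        return False, f"{idp} asserted {requested_iaq} but is not certified for it"
    return True, "ok"


if __name__ == "__main__":
    print(session_initiator_url("https://sp.example.org", IDP_CERTIFIED, SILVER_TEST))
    for idp, ctx in [(IDP_CERTIFIED, SILVER_TEST), (IDP_CERTIFIED, UNSPECIFIED),
                     (IDP_UNCERTIFIED, SILVER_TEST)]:
        env = {"HTTP_SHIB_AUTHNCONTEXT_CLASS": ctx, "HTTP_SHIB_IDENTITY_PROVIDER": idp}
        print(idp, ctx, session_meets_iaq(env, SILVER_TEST, SAMPLE_METADATA))
```

The second check is the one that closes the gap named in the message: without it, any IdP in the aggregate could return the silver-test class and the SP would accept it. The example assumes the metadata it reads has already been fetched and signature-verified by the SP's metadata provider, which is where the trust in the certification attribute actually comes from.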