assurance - Re: [Assurance] interop testing: VT+CILogon Use Case 0 achieved
- From: Daniel Fisher <>
- To:
- Subject: Re: [Assurance] interop testing: VT+CILogon Use Case 0 achieved
- Date: Fri, 23 Sep 2011 13:49:36 -0400
Just wanted to follow up for those interested in the technical details of our silver assurance implementation:
tl;dr We used the RemoteUserLoginHandler (in our case CAS) to populate the authn_method request attribute in the IDP.
--Daniel Fisher
On Wed, Sep 21, 2011 at 11:58 AM, Ann West <> wrote:
Thanks Jim and Virginia Tech! That was quick work!
Sounds like the first milestone is well on its way to being met.
I'll get a doodle poll going for our next call.
Cheers!
Ann
----- Original Message -----
> Hi,
>
> I'm pleased to report that this morning the VT test IdP and CILogon
> test SP successfully achieved Use Case 0:
>
> > Use Case 0: SP requests Silver Qualifier and IdP returns Silver
> > Qualifier.
>
> When the CILogon test SP passed
> authnContextClassRef=http://id.incommon.org/assurance/silver-test to the
> Shibboleth SAML2 SessionInitiator to request the Silver test IAQ from
> the VT test IdP, the resulting authenticated session contained:
>
> HTTP_SHIB_AUTHNCONTEXT_CLASS=http://id.incommon.org/assurance/silver-test
>
> When the CILogon test SP *didn't* pass an authnContextClassRef to the
> SessionInitiator, the resulting authenticated session contained:
>
> HTTP_SHIB_AUTHNCONTEXT_CLASS=urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
>
> So I think we've demonstrated that the IdP can send the IAQ
> conditionally based on the SP's request, and the SP can tell the
> difference.
>
> Next steps as I see them:
>
> * Test other IdPs with the CILogon test SP.
>
> * On the CILogon test SP, figure out how to check the IdP's entity
> descriptor in metadata to validate that the IdP asserting the IAQ is
> actually certified to do so. Any advice/pointers on this appreciated.
>
> * Demonstrate an IdP sending the Silver test IAQ for some users but not
> for others, i.e., conditionally based on the user's authentication
> method at the IdP or based on whether the user is marked as
> Silver-level vetted in LDAP or ...
>
> -Jim
>
> P.S. Credit to Marvin Addison (VT) and Terry Fleury (CILogon) who did
> the work while I just watched and learned.
>
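
Added example, not part of the original thread and not the CILogon or VT configuration: one way the SP-side metadata check listed in the next steps above could look. It assumes the federation publishes certification as the `urn:oasis:names:tc:SAML:attribute:assurance-certification` entity attribute and that the metadata signature has already been verified; the entityIDs, function names and sample metadata are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption: certification is published under this entity attribute name.
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SILVER_TEST = "http://id.incommon.org/assurance/silver-test"

# Constructed, trimmed sample metadata; entityIDs are placeholders.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp-certified.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>http://id.incommon.org/assurance/silver-test</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-uncertified.example.edu/idp"/>
</md:EntitiesDescriptor>"""


def certified_profiles(metadata_xml, entity_id):
    """Return the assurance profiles the metadata certifies for entity_id."""
    root = ET.fromstring(metadata_xml)
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") != entity_id:
            continue
        xpath = ("md:Extensions/mdattr:EntityAttributes/"
                 "saml:Attribute[@Name='%s']/saml:AttributeValue" % CERT_ATTR)
        return {(v.text or "").strip() for v in ent.findall(xpath, NS)}
    return set()  # IdP not present in metadata: nothing is certified


def effective_assurance(metadata_xml, entity_id, authn_context_class):
    """Honor the asserted IAQ only if metadata certifies this IdP for it.

    entity_id and authn_context_class are what the SP session exposes,
    e.g. the value seen in HTTP_SHIB_AUTHNCONTEXT_CLASS.
    """
    if authn_context_class in certified_profiles(metadata_xml, entity_id):
        return authn_context_class
    return None  # treat the session as carrying no assurance qualifier
```

A `None` result means the application should treat the login as unqualified even though the assertion carried an IAQ value.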