Assurance

["RL 'Bob' Morgan" <>]

On Thu, 19 Apr 2012, Martin B. Smith wrote:

> It seems like always asserting an assurance/IAQ value as our 
> authncontext class means we lose almost all of the value of authncontext 
> classes, especially when the IAQs don't imply anything about how the 
> principal authenticated to the attribute authority.

As far as I can tell you have campus SPs that are using the ForceAuthn 
control in the AuthnRequest, and are wondering how that works with IAQs. 
Or are you using locally-defined AuthnContext classes?  If it's just about 
ForceAuthn, I don't see that these are in conflict.  SPs can ask for 
ForceAuthn as they always have, and they remain in the position of 
trusting that the IdP has honored that control.

In any case, it certainly may be that you have local requirements that are 
not met by the IA framework's levels (2, for the InC IA framework).  This 
is not unlike campuses developing local person attribute definitions for 
local purposes.  IA is intended, like eduPerson attribute schema, to 
provide methods that are broadly applicable across the federation between 
SPs and IdPs in different organizations.  We would not expect, say, an SP 
like WebAssign to use the ForceAuthn control with InC IdPs.

 - RL "Bob"