assurance - Re: [Assurance] Question about technical implementation of Silver IAQs on Shibboleth IdPs

  • From: "RL 'Bob' Morgan" <>
  • To:
  • Subject: Re: [Assurance] Question about technical implementation of Silver IAQs on Shibboleth IdPs
  • Date: Thu, 19 Apr 2012 09:53:13 -0700 (PDT)


On Thu, 19 Apr 2012, Martin B. Smith wrote:

> It seems like always asserting an assurance/IAQ value as our authncontext class means we lose almost all of the value of authncontext classes, especially when the IAQs don't imply anything about how the principal authenticated to the attribute authority.

As far as I can tell you have campus SPs that are using the ForceAuthn control in the AuthnRequest, and are wondering how that works with IAQs. Or are you using locally-defined AuthnContext classes? If it's just about ForceAuthn, I don't see that these are in conflict. SPs can ask for ForceAuthn as they always have, and they remain in the position of trusting that the IdP has honored that control.

In any case, it certainly may be that you have local requirements that are not met by the IA framework's levels (2, for the InC IA framework). This is not unlike campuses developing local person attribute definitions for local purposes. IA is intended, like eduPerson attribute schema, to provide methods that are broadly applicable across the federation between SPs and IdPs in different organizations. We would not expect, say, an SP like WebAssign to use the ForceAuthn control with InC IdPs.

- RL "Bob"
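
Added example, not part of the original message or of any Shibboleth code: a sketch of what an SP can inspect in the returned AuthnStatement when it sent ForceAuthn and expects an IAQ as the AuthnContext class. The function name, the clock-skew allowance, the sample assertion and the Silver URI constant are assumptions; the assertion's signature is assumed to have been validated already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Silver IAQ URI; use the value your federation publishes.
SILVER = "http://id.incommon.org/assurance/silver"

# Constructed sample; only the AuthnStatement matters for this check.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2012-04-19T16:50:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://id.incommon.org/assurance/silver</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def parse_instant(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def check_authn_statement(xml_text, request_sent_at, required_class=None,
                          force_authn=False, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means acceptable."""
    # Untrusted XML should go through a hardened parser (e.g. defusedxml).
    stmt = ET.fromstring(xml_text).find("saml:AuthnStatement", NS)
    if stmt is None:
        return ["no AuthnStatement in assertion"]
    problems = []
    ref = (stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                         default="", namespaces=NS) or "").strip()
    # The IAQ and the authentication method share one slot, so only one
    # value can be compared here.
    if required_class and ref != required_class:
        problems.append(f"AuthnContextClassRef {ref!r} != {required_class!r}")
    instant = parse_instant(stmt.get("AuthnInstant", ""))
    if instant is None:
        problems.append("missing or unparseable AuthnInstant")
    elif force_authn and instant < request_sent_at - skew:
        # Authentication predates our request: an existing IdP session was
        # reused, so ForceAuthn was not honored.
        problems.append("AuthnInstant predates the ForceAuthn request")
    return problems
```

The timestamp comparison only detects a reused session; whether the IdP performed the reauthentication it reports remains a matter of trust in the IdP.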



