assurance - Re: [Assurance] Question about technical implementation of Silver IAQs on Shibboleth IdPs
Subject: Assurance
- From: "Martin B. Smith" <>
- To:
- Subject: Re: [Assurance] Question about technical implementation of Silver IAQs on Shibboleth IdPs
- Date: Thu, 19 Apr 2012 13:01:07 -0400
On 04/19/2012 12:53 PM, RL 'Bob' Morgan wrote:
> On Thu, 19 Apr 2012, Martin B. Smith wrote:
>> It seems like always asserting an assurance/IAQ value as our
>> authncontext class means we lose almost all of the value of
>> authncontext classes, especially when the IAQs don't imply anything
>> about how the principal authenticated to the attribute authority.
>
> As far as I can tell you have campus SPs that are using the ForceAuthn
> control in the AuthnRequest, and are wondering how that works with IAQs.
> Or are you using locally-defined AuthnContext classes? If it's just
> about ForceAuthn, I don't see that these are in conflict. SPs can ask
> for ForceAuthn as they always have, and they remain in the position of
> trusting that the IdP has honored that control.
Hi Bob,
The advice I've usually seen about ForceAuthn in an AuthnRequest is that SPs should check both the AuthnContext (to be sure the method 'forced' was acceptable) and the AuthnInstant (to be sure the authentication happened within some tolerance for 'recent').
It sounds like we should switch that advice now to say, "just check the AuthnInstant." Originally, we were also dealing with SIDP-343:
https://issues.shibboleth.net/jira/browse/SIDP-343
See the comment at "03/Sep/09 3:41 PM" there. It's also related to my original post here. Now we're on an IdP release where SIDP-343 is resolved, so I think we just need to advise folks to check only the AuthnInstant now.
Thanks all,
--
Martin B. Smith
- (352) 273-1374
CNS/Open Systems Group
University of Florida
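
The SP-side AuthnInstant check discussed in this message, as an added example that is not part of the original post or of Shibboleth. It assumes the SP software has already validated the assertion's signature and conditions; the function names, the five-minute tolerance, the clock-skew allowance and the sample assertion (including its AuthnContextClassRef value) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: taken to come from an already signature-verified response.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2012-04-19T16:58:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:assurance:silver</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with optional fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("AuthnInstant must be UTC ('Z' suffix)")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_forced_authn(assertion_xml, now, max_age=timedelta(minutes=5),
                       skew=timedelta(seconds=60)):
    """Return (ok, reason, class_ref) for the response to a ForceAuthn request."""
    root = ET.fromstring(assertion_xml)
    stmts = root.findall("saml:AuthnStatement", SAML_NS)
    if len(stmts) != 1:  # conservative: refuse ambiguous assertions
        return False, "expected exactly one AuthnStatement", None
    # The class is reported, not gated on: it may carry an IAQ, not a method.
    ref = stmts[0].find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    class_ref = ref.text.strip() if ref is not None and ref.text else None
    raw = stmts[0].get("AuthnInstant")
    if raw is None:
        return False, "AuthnInstant missing", class_ref
    try:
        instant = parse_instant(raw)
    except ValueError as exc:
        return False, f"bad AuthnInstant: {exc}", class_ref
    if instant > now + skew:
        return False, "AuthnInstant is in the future", class_ref
    if now - instant > max_age + skew:
        return False, "authentication too old for a forced re-auth", class_ref
    return True, "recent authentication", class_ref
```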