Assurance

[Tom Scavo <>]

Hi Scott,

On Fri, Mar 6, 2015 at 11:13 AM, Bradner, Scott 
<>
 wrote:
>
>         Enhancing the Harvard Authentication System to Support InCommon 
> Bronze
>         
> http://iam.harvard.edu/resources/authentication-system-incommon-bronze

I don't think anything I'm about to say has any effect on your Bronze
certification but if I'm understanding the above document correctly
(which is much appreciated, btw), your IdP is not conforming to the
SAML specification. Here is a quote from your document:

<quote>
Our IdP always gives Bronze assurance if the SP requests it. If the SP
requests any assurance/authentication method other than InCommon
Bronze, PasswordProtectedTransport, or unspecified (for example,
InCommon Silver), the Harvard IdP always returns
thePasswordProtectedTransport authentication method to the SP (note
that this gives opensaml::FatalProfileException in a Shibboleth SP).
</quote>

The relevant requirement from the SAML specification is: "If the
<RequestedAuthnContext> element is present in the query, at least one
<AuthnStatement> element in the set of returned assertions MUST
contain an <AuthnContext> element that satisfies the element in the
query"

The above quote is taken from section 3.3.2.2 (Element <AuthnQuery>)
of the SAML2 core specification but I believe the requirement is
relevant to the <AuthnRequest> element as well.

So an IdP must pay attention to the RequestedAuthnContext in the
AuthnRequest. Either the IdP satisfies the request or returns an
error. A conforming IdP does not have the option to substitute an
AuthnContext that is not requested by the SP. Perhaps this is why the
SP fails in the scenario noted above.

Tom