Assurance

["Scott O. Bradner" <>]

tnx - I will pass this on to the people who actually did the work ( :-) ) and 
let you know what they say

Scott

> On Mar 6, 2015, at 12:51 PM, Tom Scavo 
> <>
>  wrote:
> 
> Hi Scott,
> 
> On Fri, Mar 6, 2015 at 11:13 AM, Bradner, Scott 
> <>
>  wrote:
>> 
>>        Enhancing the Harvard Authentication System to Support InCommon 
>> Bronze
>>        
>> http://iam.harvard.edu/resources/authentication-system-incommon-bronze
> 
> I don't think anything I'm about to say has any effect on your Bronze
> certification but if I'm understanding the above document correctly
> (which is much appreciated, btw), your IdP is not conforming to the
> SAML specification. Here is a quote from your document:
> 
> <quote>
> Our IdP always gives Bronze assurance if the SP requests it. If the SP
> requests any assurance/authentication method other than InCommon
> Bronze, PasswordProtectedTransport, or unspecified (for example,
> InCommon Silver), the Harvard IdP always returns
> thePasswordProtectedTransport authentication method to the SP (note
> that this gives opensaml::FatalProfileException in a Shibboleth SP).
> </quote>
> 
> The relevant requirement from the SAML specification is: "If the
> <RequestedAuthnContext> element is present in the query, at least one
> <AuthnStatement> element in the set of returned assertions MUST
> contain an <AuthnContext> element that satisfies the element in the
> query"
> 
> The above quote is taken from section 3.3.2.2 (Element <AuthnQuery>)
> of the SAML2 core specification but I believe the requirement is
> relevant to the <AuthnRequest> element as well.
> 
> So an IdP must pay attention to the RequestedAuthnContext in the
> AuthnRequest. Either the IdP satisfies the request or returns an
> error. A conforming IdP does not have the option to substitute an
> AuthnContext that is not requested by the SP. Perhaps this is why the
> SP fails in the scenario noted above.
> 
> Tom