assurance - Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available
Subject: Assurance
List archive
Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available
Chronological Thread
- From: "Bradner, Scott" <>
- To: "" <>
- Subject: Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available
- Date: Fri, 6 Mar 2015 21:38:15 +0000
- Accept-language: en-US
- Authentication-results: incommon.org; dkim=none (message not signed) header.d=none;
the wording might not have been as clear as it should have been - now updated
to show that the IdP does
the right thing
thanks for noticing the confusion
Scott
> On Mar 6, 2015, at 12:55 PM, Scott O. Bradner
> <>
> wrote:
>
> tnx - I will pass this on to the people who actually did the work ( :-) )
> and let you know what they say
>
> Scott
>
>> On Mar 6, 2015, at 12:51 PM, Tom Scavo
>> <>
>> wrote:
>>
>> Hi Scott,
>>
>> On Fri, Mar 6, 2015 at 11:13 AM, Bradner, Scott
>> <>
>> wrote:
>>>
>>> Enhancing the Harvard Authentication System to Support InCommon
>>> Bronze
>>>
>>> http://iam.harvard.edu/resources/authentication-system-incommon-bronze
>>
>> I don't think anything I'm about to say has any effect on your Bronze
>> certification but if I'm understanding the above document correctly
>> (which is much appreciated, btw), your IdP is not conforming to the
>> SAML specification. Here is a quote from your document:
>>
>> <quote>
>> Our IdP always gives Bronze assurance if the SP requests it. If the SP
>> requests any assurance/authentication method other than InCommon
>> Bronze, PasswordProtectedTransport, or unspecified (for example,
>> InCommon Silver), the Harvard IdP always returns
>> thePasswordProtectedTransport authentication method to the SP (note
>> that this gives opensaml::FatalProfileException in a Shibboleth SP).
>> </quote>
>>
>> The relevant requirement from the SAML specification is: "If the
>> <RequestedAuthnContext> element is present in the query, at least one
>> <AuthnStatement> element in the set of returned assertions MUST
>> contain an <AuthnContext> element that satisfies the element in the
>> query"
>>
>> The above quote is taken from section 3.3.2.2 (Element <AuthnQuery>)
>> of the SAML2 core specification but I believe the requirement is
>> relevant to the <AuthnRequest> element as well.
>>
>> So an IdP must pay attention to the RequestedAuthnContext in the
>> AuthnRequest. Either the IdP satisfies the request or returns an
>> error. A conforming IdP does not have the option to substitute an
>> AuthnContext that is not requested by the SP. Perhaps this is why the
>> SP fails in the scenario noted above.
>>
>> Tom
>
- [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Emily Eisbruch, 03/05/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Bradner, Scott, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Tom Scavo, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Scott O. Bradner, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Bradner, Scott, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Cantor, Scott, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Scott O. Bradner, 03/06/2015
- [Assurance] Community Contributions Page of the Assurance wiki, Emily Eisbruch, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Tom Scavo, 03/06/2015
- Re: [Assurance] March Assurance Call with Harvard and GW: Recording and Slides now available, Bradner, Scott, 03/06/2015
Archive powered by MHonArc 2.6.16.