
mfa-interop - RE: [MFA-Interop] Software support for our MFA Interoperability authnContext value

Subject: MFA Interop Working Group

  • From: Eric Goodman
  • To: "Cantor, Scott", Nicholas Roy
  • Subject: RE: [MFA-Interop] Software support for our MFA Interoperability authnContext value
  • Date: Fri, 7 Oct 2016 20:50:20 +0000

Good point on SP enforcement, though I'll note that we were inconsistent on
that in other areas of the profile as well (see "ForceAuthn", which is
defined for IdP support but not SP enforcement).

I'll propose all three comments once I figure out where such comments should
be routed. (And yes that's a request for guidance on how to submit comments
if people have guidance to provide.)

--- Eric

-----Original Message-----
From: On Behalf Of Cantor, Scott
Sent: Friday, October 07, 2016 1:06 PM
To: Nicholas Roy
Subject: RE: [MFA-Interop] Software support for our MFA Interoperability
authnContext value

> Seems like this is something that SSP should support if it doesn't,
> and I don't think that missing it should block adoption of this profile.
> The profile should drive software that doesn't support it, to support it.

This is basic SAML conformance stuff, but I think Eric more or less asked
just yesterday that the implementation profile go ahead and include explicit
requirements for this to call it out. There's also a more important and
generally overlooked piece, which is that if the SP requests it, it needs to
be able to enforce it (and if not, the application had better know that it
hasn't been enforced). That could be added to the implementation profile as
well.

-- Scott
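
The SP-side enforcement point raised in the thread, as an added example that is not part of the original messages or of any SAML product's code: the SP compares the AuthnContextClassRef it received with what it requested and hands the application an explicit "enforced" flag. It assumes the assertion has already passed signature and schema validation; MFA_CONTEXT is a placeholder URI and the sample assertions are constructed and trimmed to the relevant elements.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder: the thread does not quote the working group's actual MFA URI.
MFA_CONTEXT = "https://example.org/authncontext/mfa"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REF_PATH = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"


def check_requested_context(assertion_xml, requested):
    """Compare the asserted AuthnContextClassRef values with what the SP requested.

    Exact matching only. The result always carries an explicit 'enforced'
    flag so the application can tell when nothing was checked.
    """
    root = ET.fromstring(assertion_xml)  # root is expected to be the Assertion
    asserted = [(ref.text or "").strip() for ref in root.findall(REF_PATH, NS)]
    if not requested:
        # Nothing was requested, so nothing can be claimed as enforced.
        return {"enforced": False, "asserted": asserted, "reason": "no context requested"}
    if not asserted:
        return {"enforced": False, "asserted": asserted, "reason": "no AuthnStatement context"}
    unexpected = [c for c in asserted if c not in requested]
    if unexpected:
        return {"enforced": False, "asserted": asserted,
                "reason": "context not requested: " + unexpected[0]}
    return {"enforced": True, "asserted": asserted, "reason": "match"}


def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment used only as sample input."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AuthnStatement AuthnInstant="2016-10-07T20:00:00Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
    )


if __name__ == "__main__":
    # The SP asked for MFA; the second IdP response only asserts password login.
    for ref in (MFA_CONTEXT, PASSWORD_CONTEXT):
        result = check_requested_context(sample_assertion(ref), [MFA_CONTEXT])
        print(ref, "->", result["enforced"], "(" + result["reason"] + ")")
```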




