Skip to Content.
Sympa Menu

mfa-interop - Re: [MFA-Interop] Software support for our MFA Interoperability authnContext value

Subject: MFA Interop Working Group

List archive

Re: [MFA-Interop] Software support for our MFA Interoperability authnContext value

Chronological Thread 
  • From: Nicholas Roy <>
  • To: Eric Goodman <>, "Cantor, Scott" <>, "" <>
  • Subject: Re: [MFA-Interop] Software support for our MFA Interoperability authnContext value
  • Date: Fri, 7 Oct 2016 14:53:10 -0600
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:AZOdgxybA5lrJsXXCy+O+j09IxM/srCxBDY+r6Qd0eIfIJqq85mqBkHD//Il1AaPBtqLra8fwLOL+4nbGkU+or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6aijSI4DUTAhTyMxZubqSwQ9aKzpf/6+fn1ofSaE1ngz2xZLp0ZEGbtwTa8OYRhodnI6AZ1xDOuj1Fd/kAgSsiDluVgxHmoo+L95l/724Y7/ko8dJHS+OgV6MjUPpVAClwdyh/4cPi8BjFUQaV4WM0U2MdlR9NBA6D6wv1FN+ltyXz8+t7xCSAOtXeTLY/XjGn6KEtTwXn3nQpLTk8pUfWgcx3iKtA6CimtlQrxZTTcamUMuZzZKXQYYlcSGZcCJUCHxddC5+xOtNcR9EKOvxV+syk/wMD
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

I'd recommend joining the Kantara WG-FI and contributing them there. Less places to track the conversation, and it would be good to have you in that 'room'.


On 10/7/16 2:50 PM, Eric Goodman wrote:
Good point on SP enforcement, though I'll note that we were inconsistent on that in
other areas of the profile as well (see "ForceAuthn", which is defined for
IdP support but not SP enforcement).

I'll propose all three comments once I figure out where such comments should
be routed. (And yes that's a request for guidance on how to submit comments
if people have guidance to provide.)

--- Eric

-----Original Message-----

On Behalf Of Cantor, Scott
Sent: Friday, October 07, 2016 1:06 PM
To: Nicholas Roy;

Subject: RE: [MFA-Interop] Software support for our MFA Interoperability
authnContext value

Seems like this is something that SSP should support if it doesn't,
and I don't think that missing it should block adoption of this profile.
The profile should drive software that doesn't support it, to support it.
This is basic SAML conformance stuff, but I think Eric more or less asked
just yesterday that the implementation profile go ahead and include explicit
requirements for this to call it out. There's also a more important and
generally overlooked piece, which is that if the SP requests it, it needs to
be able to enforce it (and if not, the application had better know that it
hasn't been enforced). That could be added to the implementation profile as

-- Scott

Archive powered by MHonArc 2.6.19.

Top of Page