Tom Poage tfpoage at
Sat Jan 7 01:15:29 GMT 2012

The SAML 2.0 Authentication Context spec mentions (sec 3.4.9)
"PasswordProtectedTransport ... is applicable when a principal
authenticates to an authentication authority through the presentation of
a password over a protected session."

Offhand, I don't see a definition of the term "protected session" in the

Can I assume that e.g. performing delegated SSO (CAS over https against
Kerberos) satisfies the definition of "protected session" for

I ask because, as others apparently have, we've been wrestling with The admin interface doesn't seem to allow one to turn
off RequestedAuthnContext in the AuthnRequest, so the only apparent (and
seemingly ugly) workaround is to add PasswordProtectedTransport to my
IdP's LoginHandler (handler.xml).
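
The mismatch described in the message above, as an added example that is not part of the original post and is not IdP code: it reads the RequestedAuthnContext from a constructed AuthnRequest and checks whether a set of advertised authentication methods can satisfy it under the default "exact" comparison. The sample request, the issuer URL and the two method sets are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed AuthnRequest (not captured traffic); ID, time and issuer are placeholders.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_example" Version="2.0" IssueInstant="2012-01-07T01:15:29Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_context(xml_text):
    """Return (comparison, [class refs]); comparison is None if no RequestedAuthnContext."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs  # Comparison defaults to "exact"


def can_satisfy(xml_text, idp_methods):
    """True if a handler advertising idp_methods can answer the request."""
    comparison, refs = requested_context(xml_text)
    if comparison is None or not refs:
        return True  # no class refs requested, nothing to match here
    if comparison != "exact":
        # minimum/maximum/better need an ordering of classes defined by the deployment
        raise ValueError("non-exact comparison needs a deployment-defined ordering")
    return any(ref in idp_methods for ref in refs)


if __name__ == "__main__":
    # Hypothetical method sets: without and with PasswordProtectedTransport advertised.
    print(can_satisfy(SAMPLE_REQUEST, {UNSPECIFIED}))
    print(can_satisfy(SAMPLE_REQUEST, {UNSPECIFIED, PPT}))
```

The check only shows why the request fails until the class is advertised; whether a given login path qualifies as a "protected session" is a policy decision the code does not make.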

