Cantor, Scott cantor.2 at
Sat Jan 7 01:34:00 GMT 2012

On 1/6/12 8:15 PM, "Tom Poage" <tfpoage at> wrote:
>Can I assume that e.g. performing delegated SSO (CAS over https against
>Kerberos) satisfies the definition of "protected session" for

It's fairly arbitrary. Technically that's actually a proxy, with the actual
authentication done by some other entity, and the IdP the first proxy. But
the AuthnContext is intended to reflect the original authentication, and
PPT is appropriate. But when you hide the proxying, you can claim that for
the *IdP* as authenticating entity, the actual technology was CAS or

>I ask because, as others apparently have, we've been wrestling with
> The admin interface doesn't seem to allow one to turn
>off RequestedAuthnContext in the AuthnRequest, so the only apparent (and
>seemingly ugly) workaround is to add PasswordProtectedTransport to my
>IdP's LoginHandler (handler.xml).

You can turn it off by commenting it out of their script.

-- Scott
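As an added illustration of the workaround Tom mentions (declaring PasswordProtectedTransport on the IdP's LoginHandler in handler.xml), and not taken from the original thread or from the Shibboleth project's own files: a Shibboleth IdP 2.x handler.xml fragment that goes inside the existing root element of that file. It assumes the CAS-authenticated user reaches the IdP through the RemoteUser login handler (a CAS client filter in front of the IdP populating REMOTE_USER); the thread does not say which handler type is in use, so that choice is an assumption.

```xml
<!-- Added example, not from the original thread: a Shibboleth IdP 2.x
     handler.xml LoginHandler. Assumes (not stated in the thread) that the
     CAS login is surfaced to the IdP via the RemoteUser handler. -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <!-- The stock setting: the handler only claims "unspecified", so an
         AuthnRequest whose RequestedAuthnContext asks for
         PasswordProtectedTransport cannot be satisfied by it. -->
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <!-- The workaround: also declare PPT as a method this handler
         satisfies, so the IdP asserts it in the AuthnContext. This matches
         the original authentication only where the CAS/Kerberos login
         behind the proxy really is a password sent over TLS. -->
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
```

The second AuthenticationMethod is what makes the IdP match an SP's RequestedAuthnContext for PPT; whether that claim is honest depends on how the upstream (CAS/Kerberos) login actually happened, which is the point Scott makes above about the AuthnContext reflecting the original authentication.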

