PasswordProtectedTransport

Cantor, Scott cantor.2 at osu.edu
Sat Jan 7 01:34:00 GMT 2012


On 1/6/12 8:15 PM, "Tom Poage" <tfpoage at ucdavis.edu> wrote:
>
>Can I assume that e.g. performing delegated SSO (CAS over https against
>Kerberos) satisfies the definition of "protected session" for
>PasswordProtectedTransport?

It's fairly arbitrary. Technically that's actually a proxy, with the actual
authentication done by some other entity, and the IdP the first proxy. But
the AuthnContext is intended to reflect the original authentication, and
PPT is appropriate. But when you hide the proxying, you can claim that for
the *IdP* as authenticating entity, the actual technology was CAS or
whatever.

>I ask because, as others apparently have, we've been wrestling with
>service-now.com. The admin interface doesn't seem to allow one to turn
>off RequestedAuthnContext in the AuthnRequest, so the only apparent (and
>seemingly ugly) workaround is to add PasswordProtectedTransport to my
>IdP's LoginHandler (handler.xml).

You can turn it off by commenting it out of their script.

-- Scott
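
An added example, not part of the original message and not Shibboleth or ServiceNow code: a sketch of SAML 2.0 "exact" matching between an AuthnRequest's RequestedAuthnContext and the methods an IdP advertises, showing why the request fails until PasswordProtectedTransport is listed or the element is removed. The sample request, function names and method lists are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed AuthnRequest (not captured from any real SP).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2012-01-07T01:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]); (None, []) if the element is absent."""
    # Parses a constructed string here; use a hardened XML parser for untrusted input.
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # schema default is "exact"
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def select_method(authn_request_xml, idp_methods):
    """Pick the method the IdP could assert, or None if the request cannot be met."""
    comparison, refs = requested_context(authn_request_xml)
    if not refs:
        # No RequestedAuthnContext: any configured method is acceptable.
        return idp_methods[0] if idp_methods else None
    if comparison != "exact":
        raise NotImplementedError("minimum/maximum/better need a deployment-defined ordering")
    for ref in refs:  # the requester lists refs most-preferred first
        if ref in idp_methods:
            return ref
    return None
```
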


