PasswordProtectedTransport
Nate Klingenstein
ndk at internet2.edu
Sat Jan 7 01:36:21 GMT 2012
Tom,
> Can I assume that e.g. performing delegated SSO (CAS over https against
> Kerberos) satisfies the definition of "protected session" for
> PasswordProtectedTransport?
I think that should certainly qualify, yes. It would be nice if the
specification did say a bit more about that, but I don't know whether
a very good encompassing definition could be easily written given the
nuances of the wide variety of authentication techniques out there in
the world. I wasn't there for the writing of the spec and dunno
whether this was wrestled over; maybe Scott will chime in.
> I ask because, as others apparently have, we've been wrestling with
> service-now.com. The admin interface doesn't seem to allow one to turn
> off RequestedAuthnContext in the AuthnRequest, so the only apparent (and
> seemingly ugly) workaround is to add PasswordProtectedTransport to my
> IdP's LoginHandler (handler.xml).
It's probably not a bad idea to have it in there anyway, as you do in
fact perform authentication by using a password over protected
transport. It's unfortunate that it's mandatory in this instance but
I don't consider this ugly nor a workaround.
Hope this helps,
Nate.
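Added example, not part of the original message and not Shibboleth's own code: a simplified model of how an IdP matches the RequestedAuthnContext in an AuthnRequest against the authentication methods a login handler declares, showing why the request fails until PasswordProtectedTransport is listed. The sample request, its ID and issuer, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed sample AuthnRequest; ID and Issuer are placeholders.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2012-01-07T01:00:00Z">
  <saml:Issuer>https://sp.example.org/placeholder</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_classes(authn_request_xml):
    """Return (comparison, [class refs]); (None, []) if nothing was requested."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip()
            for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # SAML core: Comparison is optional and defaults to "exact".
    return rac.get("Comparison", "exact"), refs


def select_method(authn_request_xml, handler_methods):
    """Return the class the handler can assert, or None if none matches."""
    comparison, refs = requested_classes(authn_request_xml)
    if not refs:
        # No constraint from the SP: the handler's first method is used.
        return handler_methods[0] if handler_methods else None
    if comparison != "exact":
        raise NotImplementedError("only exact comparison is modelled here")
    for ref in refs:  # class refs are evaluated in the SP's preference order
        if ref in handler_methods:
            return ref
    return None  # the IdP would answer with a NoAuthnContext status


if __name__ == "__main__":
    # Handler that only declares 'unspecified' cannot satisfy the request.
    print(select_method(SAMPLE_REQUEST, [UNSPECIFIED]))
    # After adding PasswordProtectedTransport the request is satisfiable.
    print(select_method(SAMPLE_REQUEST, [UNSPECIFIED, PPT]))
```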