Nate Klingenstein ndk at
Sat Jan 7 01:36:21 GMT 2012


> Can I assume that e.g. performing delegated SSO (CAS over https  
> against
> Kerberos) satisfies the definition of "protected session" for
> PasswordProtectedTransport?

I think that should certainly qualify, yes.  It would be nice if the  
specification did say a bit more about that, but I don't know whether  
a very good encompassing definition could be easily written given the  
nuances of the wide variety of authentication techniques out there in  
the world.  I wasn't there for the writing of the spec and dunno  
whether this was wrestled over; maybe Scott will chime in.

> I ask because, as others apparently have, we've been wrestling with
> The admin interface doesn't seem to allow one to turn
> off RequestedAuthnContext in the AuthnRequest, so the only apparent  
> (and
> seemingly ugly) workaround is to add PasswordProtectedTransport to my
> IdP's LoginHandler (handler.xml).

It's probably not a bad idea to have it in there anyway, as you do in  
fact perform authentication by using a password over protected  
transport.  It's unfortunate that it's mandatory in this instance but  
I don't consider this ugly nor a workaround.

Hope this helps,
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list