Is an authnContextClassRef of "unspecified" the same as "PasswordProtectedTransport"?

Cantor, Scott cantor.2 at osu.edu
Sat Jan 28 18:12:41 GMT 2012


> On Fri, Jan 27, 2012 at 5:50 PM, Chad La Joie <lajoie at shibboleth.net> wrote:
> > "unspecified" means "any that you (the relying party) choose".
> 
> Chad, can you provide a reference, please? Section 3.3.2.2.1 of SAML
> Core suggests otherwise.

The NameIDPolicy language is a better indicator of the logical intent behind an unspecified constant in a request. The only reason unspecified was defined as a context class was to address the requirement to have at least a class in every statement. It's the "null" indicator, and should work like the null indicator does in other areas.

Also happens to be a much better result, since it means you don't have to configure the IdP to explicitly handle it ahead of time.

I would hope that including it on the end of a list of other classes with exact matching would favor one of the others and then fall into picking one at random if that doesn't work. That's pretty much the best possible result for such a use case.

-- Scott
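
The matching behaviour described in the message above, as an added example that is not part of the original post and is not Shibboleth code: exact matching favours the concrete classes in the request, and "unspecified" acts as the null indicator that lets the IdP pick any method. The function name, the IdP's supported list and the use of the IdP's first configured method in place of a random pick are assumptions made for illustration.

```python
# Added illustration of the selection logic discussed above; not IdP source code.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


def select_authn_context(requested, idp_supported):
    """Pick the class the IdP would authenticate with (Comparison="exact").

    requested     -- AuthnContextClassRef values from the SP's
                     RequestedAuthnContext, in the SP's preference order
    idp_supported -- classes this (hypothetical) IdP can perform, default first
    Returns the chosen class, or None where the IdP would answer with the
    urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext status.
    """
    if not idp_supported:
        return None
    if not requested:
        # No RequestedAuthnContext at all: the choice is the IdP's.
        return idp_supported[0]

    # Pass 1: concrete classes win, wherever "unspecified" sits in the list.
    for ref in requested:
        if ref != UNSPECIFIED and ref in idp_supported:
            return ref

    # Pass 2: "unspecified" is the null indicator, so any method satisfies it.
    # Assumption: use the IdP's default rather than a random pick so the
    # result is reproducible.
    if UNSPECIFIED in requested:
        return idp_supported[0]

    # Only concrete classes were requested and none can be satisfied.
    return None


if __name__ == "__main__":
    idp = [PPT, KERBEROS]  # constructed sample IdP configuration
    for req in ([UNSPECIFIED], [X509, KERBEROS, UNSPECIFIED],
                [X509, UNSPECIFIED], [X509]):
        print(req, "->", select_authn_context(req, idp))
```

Under this reading, a relying party that lists "unspecified" accepts whatever method the IdP picks, so one that needs a minimum strength has to check the AuthnContextClassRef in the returned assertion itself.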


