specifying auth context on the IdP side?

Cantor, Scott cantor.2 at osu.edu
Wed Oct 23 12:17:39 EDT 2013


On 10/23/13 12:07 PM, "Liam Hoekenga" <liamr at umich.edu> wrote:

>My concern is uncertainty re: whether we'd be able to specify the auth context
>with this application's native SAML support. Specifically, what if we
>can't specify the auth context (of our choice), but the app specifies
>one on its own?  I guess that would be silly on the vendor's part...
>but I've seen worse decisions.

No matter what you do, the application (or SP in front) MUST verify the
method used after the fact. So the issue you mention is really one of
usability (not requesting something that would subsequently block the
user) but not security. If you don't check on the other end, you have a
hole no matter what the IdP does. This is nothing different from the
ForceAuthn discussion recently.

Also, the IdP, for better or worse, favors SSO in 2.x, which means that if you
configure multiple handlers and the SP doesn't request one, the IdP will
reuse a result from an active method and not force the use of the
"default" for that RP.

So for all intents, if the SP can't request it, you'll likely have
usability problems.

-- Scott
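The "verify the method used after the fact" rule from the reply above, as an added example that is not part of this thread: an SP-side check of the AuthnContextClassRef actually asserted, independent of whatever was (or was not) requested. It assumes a hypothetical allow list of acceptable context classes, a constructed sample assertion, and that signature, issuer, audience and validity-window checks have already passed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLASS_REF_PATH = (f".//{{{SAML_NS}}}AuthnStatement/{{{SAML_NS}}}AuthnContext"
                  f"/{{{SAML_NS}}}AuthnContextClassRef")

# Hypothetical policy for this application: only these context classes count
# as an acceptable login method; anything else (or nothing at all) is refused.
MFA_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ALLOWED_CONTEXTS = frozenset({MFA_CTX, "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"})


def build_assertion(class_refs):
    """Constructed sample assertion with one AuthnStatement per class ref.
    Signature, Conditions and Subject are omitted: this check assumes the
    signature, issuer, audience and validity window were verified already."""
    statements = "".join(
        f'<saml:AuthnStatement AuthnInstant="2013-10-23T16:00:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{ref}"
        f"</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        for ref in class_refs)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" '
            f'IssueInstant="2013-10-23T16:07:00Z">'
            f"<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>"
            f"{statements}</saml:Assertion>")


def authn_context_classes(assertion_xml):
    """Return every AuthnContextClassRef the assertion states (may be empty)."""
    # Production code should use a hardened parser such as defusedxml;
    # ElementTree keeps this example dependency-free.
    root = ET.fromstring(assertion_xml)
    return [(el.text or "").strip() for el in root.iterfind(CLASS_REF_PATH)]


def authn_method_acceptable(assertion_xml, allowed=ALLOWED_CONTEXTS):
    """SP-side check run after the fact, regardless of what was requested:
    the IdP must state a method, and every stated method must be allowed.
    A missing context is a denial, not a pass."""
    refs = authn_context_classes(assertion_xml)
    if not refs:
        return False, "assertion states no AuthnContextClassRef"
    weak = [r for r in refs if r not in allowed]
    if weak:
        return False, f"unacceptable authentication context: {weak[0]}"
    return True, refs[0]
```

Because the check runs on what the IdP actually asserted, an SP that cannot request a context still closes the hole; what it cannot fix is the usability problem of an SSO-reused weaker method being refused at this point.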
