Authn Better Matching

Cantor, Scott cantor.2 at
Wed May 13 19:35:49 EDT 2015

On 5/13/15, 11:11 PM, "David Walker" <dhwprof at> wrote:

>The way the MCB handles what I think you want to do is to allow you to 
>specify which authentication contexts satisfy the requirements of other 
>contexts.  In this case, you'd specify that Silver satisfies Bronze, and 
>then the MCB could use Silver authentication to satisfy an SP's request 
>for Bronze.

That's not "better" matching, and actually doing that outright would be 
incorrect in SAML, so I'm pretty sure it doesn't do that. It's using a 
login method that satisfies either Silver or Bronze and returning one or 
the other depending on the request. Asking for Bronze and returning Silver 
would be a spec violation.

"Better" means actually upgrading to a stronger method and then returning 
that method, and requires knowing what's better or worse, not just what's 

I didn't think the MCB supported inexact matching, but I could be wrong.

Marvin was asking about V3 in any case.

>My memory is that the v3 IdP also has this concept, although I'm not 
>finding it on a quick scan of the documentation.  Scott, the
>gap analysis <> we did 
>says this can be done; can you confirm or deny?

-- Scott
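As an added illustration of the distinction drawn above (this is example code, not code from the thread, the MCB, or the Shibboleth IdP), the following Python models the four SAML 2.0 RequestedAuthnContext Comparison values. The STRENGTH ordering is an assumed deployer-defined ranking, and the labels "Password", "Bronze" and "Silver" stand in for real AuthnContextClassRef URIs; SAML itself defines no ordering, which is why "better" and "minimum" only work once one is configured.

```python
"""Model of the SAML 2.0 RequestedAuthnContext Comparison rules (added example)."""
from typing import Optional, Sequence

# Assumed, deployer-defined strength ordering, weakest first. These labels are
# placeholders for the real AuthnContextClassRef URIs an IdP would configure.
STRENGTH = ["Password", "Bronze", "Silver"]


def rank(ctx: str) -> int:
    """Position of a context in the assumed ordering (higher is stronger)."""
    return STRENGTH.index(ctx)


def select_context(requested: Sequence[str], comparison: str,
                   available: Sequence[str]) -> Optional[str]:
    """Pick the class the IdP may assert, or None if nothing qualifies.

    requested  : classes listed in the SP's RequestedAuthnContext, in preference order
    comparison : the Comparison attribute ("exact" is the SAML default)
    available  : classes the user's current login method satisfies (a single
                 method may satisfy several, e.g. both Bronze and Silver)
    """
    req = [rank(c) for c in requested]
    avail = sorted((rank(c) for c in available), reverse=True)  # strongest first

    if comparison == "exact":
        # Only a class the SP actually named may be returned; honour SP order.
        for c in requested:
            if c in available:
                return c
        return None
    if comparison == "minimum":
        # At least as strong as one of the requested classes.
        ok = [r for r in avail if r >= min(req)]
    elif comparison == "better":
        # Strictly stronger than every requested class: a genuine upgrade.
        ok = [r for r in avail if r > max(req)]
    elif comparison == "maximum":
        # As strong as possible without exceeding at least one requested class.
        ok = [r for r in avail if r <= max(req)]
    else:
        raise ValueError(f"unknown Comparison value: {comparison}")
    return STRENGTH[ok[0]] if ok else None
```

With Comparison="exact" (the default), a request for Bronze against a session that only satisfies Silver yields None rather than Silver; asserting Silver there is the violation the message refers to, whereas a method that satisfies both Bronze and Silver lets the IdP return whichever the SP asked for.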
