Authn Better Matching
Cantor, Scott
cantor.2 at osu.edu
Wed May 13 19:35:49 EDT 2015
On 5/13/15, 11:11 PM, "David Walker" <dhwprof at gmail.com> wrote:
>The way the MCB handles what I think you want to do is to allow you to
>specify which authentication contexts satisfy the requirements of other
>contexts. In this case, you'd specify that Silver satisfies Bronze, and
>then the MCB could use Silver authentication to satisfy an SP's request
>for Bronze.
That's not "better" matching, and actually doing that outright would be
incorrect in SAML, so I'm pretty sure it doesn't do that. It's using a
login method that satisfies either Silver or Bronze and returning one or
the other depending on the request. Asking for Bronze and returning Silver
would be a spec violation.

"Better" means actually upgrading to a stronger method and then returning
that method, and requires knowing what's better or worse, not just what's
equivalent.

I didn't think the MCB supported inexact matching, but I could be wrong.
Marvin was asking about V3 in any case.
>My memory is that the v3 IdP also has this concept, although I'm not
>finding it on a quick scan of the documentation. Scott, the
>gap analysis <https://wiki.shibboleth.net/confluence/x/EoEEAQ> we did
>says this can be done; can you confirm or deny?
https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationFlowSelection
-- Scott
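
The difference between exact and "better" matching discussed in this thread, as an added example that is not part of the original message and is not Shibboleth or MCB code. The method names, the ranking and the function names are hypothetical, "Bronze" and "Silver" stand in for the real context class URIs, and only a single requested class is handled.

```python
# Strength order is responder policy (weakest first); SAML itself defines no ranking.
# "Bronze"/"Silver" are short labels standing in for the real context class URIs.
RANK = {"Bronze": 1, "Silver": 2}

# Assumed deployment: the context classes each login method may be reported as.
METHOD_SATISFIES = {
    "password": {"Bronze"},
    "password+otp": {"Bronze", "Silver"},
}

# Comparison values of <samlp:RequestedAuthnContext>, applied to one requested class.
COMPARISONS = {
    "exact":   lambda got, want: got == want,
    "minimum": lambda got, want: got >= want,
    "better":  lambda got, want: got > want,
    "maximum": lambda got, want: got <= want,
}

NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def select_context(requested, comparison, method):
    """Class to assert for this login method, or None if it cannot satisfy the request."""
    test = COMPARISONS[comparison]
    want = RANK[requested]
    candidates = [c for c in METHOD_SATISFIES[method] if test(RANK[c], want)]
    # Report the strongest class that is still allowed by the comparison.
    return max(candidates, key=RANK.get) if candidates else None


def respond(requested, comparison, methods_available):
    """Try methods weakest-first; return (method, class) or (None, NoAuthnContext)."""
    by_strength = sorted(methods_available,
                         key=lambda m: max(RANK[c] for c in METHOD_SATISFIES[m]))
    for method in by_strength:
        chosen = select_context(requested, comparison, method)
        if chosen:
            return method, chosen
    return None, NO_AUTHN_CONTEXT
```

With an exact request for Bronze, the Silver-capable method is reported as Bronze; with a better request for Bronze, the responder has to step up to the stronger method and report Silver.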