Authn Better Matching
cantor.2 at osu.edu
Wed May 13 19:35:49 EDT 2015
On 5/13/15, 11:11 PM, "David Walker" <dhwprof at gmail.com> wrote:
>The way the MCB handles what I think you want to do is to allow you to
>specify which authentication contexts satisfy the requirements of other
>contexts. In this case, you'd specify that Silver satisfies Bronze, and
>then the MCB could use Silver authentication to satisfy an SP's request
That's not "better" matching, and actually doing that outright would be
incorrect in SAML, so I'm pretty sure it doesn't do that. It's using a
login method that satisfies either Silver or Bronze and returning one or
the other depending on the request. Asking for Bronze and returning Silver
would be a spec violation.
"Better" means actually upgrading to a stronger method and then returning
that method, and requires knowing what's better or worse, not just what's
I didn't think the MCB supported inexact matching, but I could be wrong.
Marvin was asking about V3 in any case.
>My memory is that the v3 IdP also has this concept, although I'm not
>finding it on a quick scan of the documentation. Scott, the
>gap analysis <https://wiki.shibboleth.net/confluence/x/EoEEAQ> we did
>says this can be done; can you confirm or deny?
More information about the users