Authn Better Matching
David Walker
dhwprof at gmail.com
Thu May 14 15:28:55 EDT 2015
Thanks, Scott. Comments below...
David
On 05/13/2015 04:35 PM, Cantor, Scott wrote:
> On 5/13/15, 11:11 PM, "David Walker" <dhwprof at gmail.com> wrote:
>
>> The way the MCB handles what I think you want to do is to allow you to
>> specify which authentication contexts satisfy the requirements of other
>> contexts. In this case, you'd specify that Silver satisfies Bronze, and
>> then the MCB could use Silver authentication to satisfy an SP's request
>> for Bronze.
> That's not "better" matching, and actually doing that outright would be
> incorrect in SAML, so I'm pretty sure it doesn't do that. It's using a
> login method that satisfies either Silver or Bronze and returning one or
> the other depending on the request. Asking for Bronze and returning Silver
> would be a spec violation.
>
> "Better" means actually upgrading to a stronger method and then returning
> that method, and requires knowing what's better or worse, not just what's
> equivalent.
>
> I didn't think the MCB supported inexact matching, but I could be wrong.
Right. My reading of Marvin's use case was that he wanted to configure
the IdP so that a user who had previously authenticated for Silver
within a session would be able to access a Bronze-requiring SP later in
the session without further authentication. As you indicated in your
earlier note, inexact matching is not the solution for this; I was
suggesting an alternative approach. I agree that the implementation of
such a capability must return Bronze to the Bronze-requiring SP, not
Silver, in this example. (And, yes, you're right that the MCB does not
support inexact matching.)
> Marvin was asking about V3 in any case.
>
>> My memory is that the v3 IdP also has this concept, although I'm not
>> finding it on a quick scan of the documentation. Scott, the
>> gap analysis <https://wiki.shibboleth.net/confluence/x/EoEEAQ> we did
>> says this can be done; can you confirm or deny?
> https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationFlowSelection
>
> -- Scott
OK, so it's the supportedPrincipals field of the
AuthenticationFlowDescriptor
<https://build.shibboleth.net/jenkins/job/java-identity-provider-nightly/javadoc/net/shibboleth/idp/authn/AuthenticationFlowDescriptor.html>,
right? There's more to it than this (like assuring that only requested
authnContexts are returned to the SP), but I'm planning to draft an
overview of how one would convert an MCB configuration to v3 in the not
too distant future, so more details can be added at that point.
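As an added illustration, not part of this thread and not the Shibboleth IdP's own code, here is a small Python model of the exact-matching behaviour discussed above: a flow declares the context classes it can satisfy (in the spirit of supportedPrincipals on AuthenticationFlowDescriptor), and the IdP returns only a context the SP actually requested, never a "stronger" one the flow happens to support. Flow names and context URIs below are constructed placeholders.

```python
"""Constructed model of exact-match authentication flow selection.

Not Shibboleth IdP code. A flow lists the authentication context classes it
can satisfy; selection must return one of the contexts the SP requested, so a
login that also satisfies Silver is reported as Bronze when Bronze was asked
for, and a Silver-only flow does not satisfy a Bronze request at all.
"""
from dataclasses import dataclass

# Placeholder context class URIs (constructed for this example).
BRONZE = "urn:example:assurance:bronze"
SILVER = "urn:example:assurance:silver"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


@dataclass(frozen=True)
class FlowDescriptor:
    flow_id: str
    supported_principals: frozenset  # context classes this flow can satisfy


@dataclass(frozen=True)
class AuthenticationResult:
    """An active result from earlier in the session (the flow already ran)."""
    flow_id: str


def select_context(flows, requested, active_results):
    """Return (flow_id, context, reused) for an SP request, or None.

    `requested` is the SP's RequestedAuthnContext list in preference order.
    Exact matching: the context returned is always one of `requested`; a flow
    is never chosen for a context it does not list, however strong it is.
    """
    by_id = {f.flow_id: f for f in flows}
    for ctx in requested:
        # Prefer an active session result whose flow lists ctx (SSO reuse).
        for result in active_results:
            if ctx in by_id[result.flow_id].supported_principals:
                return result.flow_id, ctx, True
        # Otherwise any configured flow listing ctx may be run afresh.
        for flow in flows:
            if ctx in flow.supported_principals:
                return flow.flow_id, ctx, False
    return None


# Constructed configuration: the password flow satisfies both levels, the
# hypothetical "authn/StrongOnly" flow is configured for Silver alone.
FLOWS = [
    FlowDescriptor("authn/Password", frozenset({PASSWORD, BRONZE, SILVER})),
    FlowDescriptor("authn/StrongOnly", frozenset({SILVER})),
]
```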