Force Specific RequestedAuthnContext Comparison Operator

cneberg cneberg at
Fri Apr 19 22:13:16 EDT 2019

What if no operator was explicitly requested? I.e., no exact, minimum,
maximum or better was specified in the request. Does that change
anything? Is there a way to treat it as minimum rather than exact? I.e., it
requires a password and I want to use a smart card.


On Fri, Apr 19, 2019 at 3:39 PM Cantor, Scott <cantor.2 at> wrote:

> That would also be causing it to violate the standard by abusing the
> definition of the operator that was specifically requested.
> Taking things that far you could just easily point its requests at the
> unsolicited endpoint via a CGI script, ignore the request altogether, and
> force the behavior you wanted at the IdP to begin with. It's not kosher,
> but our preference is to keep the IdP conformant and push that sort of
> breaking behavior outside of the system.
> -- Scott
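An added example, not part of the original thread and not Shibboleth code: in the SAML 2.0 schema an omitted Comparison attribute means exact, and the sketch below shows what that does to the password-versus-smart-card case raised above. The ranking of context classes, the constructed sample request, the function names and the reading of "better" as stronger than every requested class are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed ranking, weakest first. SAML defines no ordering between context
# classes, so each deployment has to choose its own.
RANKING = [AC + "Password", AC + "PasswordProtectedTransport", AC + "Smartcard"]

# Constructed AuthnRequest; {attr} is filled with a Comparison attribute or nothing.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed"
    Version="2.0" IssueInstant="2019-04-19T00:00:00Z">
  <samlp:RequestedAuthnContext{attr}>
    <saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_context(xml_text):
    """Return (effective comparison, requested class refs) for an AuthnRequest."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # omitted attribute means exact
    if comparison not in ("exact", "minimum", "maximum", "better"):
        raise ValueError("invalid Comparison value: " + comparison)
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs

def satisfies(performed, comparison, requested, ranking=RANKING):
    """True if the performed class meets the request under the given ranking."""
    if comparison == "exact":
        return performed in requested
    if performed not in ranking:
        return False  # unranked classes cannot be compared for strength
    p = ranking.index(performed)
    ranks = [ranking.index(r) for r in requested if r in ranking]
    if not ranks:
        return False
    if comparison == "minimum":
        return any(p >= r for r in ranks)
    if comparison == "maximum":
        return any(p <= r for r in ranks)
    return all(p > r for r in ranks)  # "better", read here as stronger than all

def check(xml_text, performed):
    comparison, requested = requested_context(xml_text)
    if comparison is None:
        return None, True  # no RequestedAuthnContext: nothing to satisfy
    return comparison, satisfies(performed, comparison, requested)
```

Calling `check(SAMPLE.format(attr="", cls=AC + "Password"), AC + "Smartcard")` shows the mismatch the question describes: with no operator the request is evaluated as exact, so a smart-card login does not satisfy a Password request even though it ranks higher.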
