...

The SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Silver, so even if the IdP is tagged with http://id.incommon.org/assurance/silver in InCommon metadata, authentication for some users may result in an "AuthnFailed" response.

As an optimization, the SP may avoid issuing requests to IdPs that are not certified Silver, since these requests would always be rejected later anyway. The SP may locally block ("short-circuit") requests of this type. The SP may provide a local discovery interface that lists only IdPs with http://id.incommon.org/assurance/silver in InCommon metadata to constrain users to only choose Silver certified IdPs. Errors must be anticipated in any event.

Examples:

  • NSC Meteor Access for Financial Aid


UC1: SP Requires Bronze

The SP requires InCommon Bronze (or higher).

...

As usual, the SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Bronze or Silver, so even if the IdP is tagged with http://id.incommon.org/assurance/silver and/or http://id.incommon.org/assurance/bronze in InCommon metadata, authentication for some users may result in an "AuthnFailed" response.

As an optimization, the SP may avoid issuing requests to IdPs that are not certified Bronze, since these requests would always be rejected later anyway. The SP may locally block ("short-circuit") requests of this type. The SP may provide a local discovery interface that lists only IdPs with http://id.incommon.org/assurance/bronze in InCommon metadata to constrain users to only choose Bronze certified IdPs. Errors must be anticipated in any event.

Note:

Since Bronze is a subset of Silver, IdPs with http://id.incommon.org/assurance/silver in metadata will necessarily have http://id.incommon.org/assurance/bronze in metadata as well. Thus the SP may focus on Bronze while building its discovery interface.
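
The discovery filter and local short-circuit described above, sketched as an added example (not code from this page or from InCommon). It assumes the certification URIs are published as values of the `urn:oasis:names:tc:SAML:attribute:assurance-certification` entity attribute and that the metadata signature has already been verified; the entityIDs and sample metadata are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: certifications are published under this entity attribute name.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"

def _sample_idp(entity_id, certs):
    """Build one constructed IdP entry for the sample metadata below."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in certs)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{ASSURANCE_ATTR}">'
            f'{values}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')

# Constructed sample: A is Silver (and therefore Bronze), B is Bronze only, C is neither.
SAMPLE_METADATA = (
    "<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + _sample_idp("https://idp-a.example.edu/idp", [BRONZE, SILVER])
    + _sample_idp("https://idp-b.example.edu/idp", [BRONZE])
    + _sample_idp("https://idp-c.example.edu/idp", [])
    + "</md:EntitiesDescriptor>")

VALUE_PATH = ("md:Extensions/mdattr:EntityAttributes/"
              f"saml:Attribute[@Name='{ASSURANCE_ATTR}']/saml:AttributeValue")

def certified_idps(metadata_xml, required):
    """Return entityIDs of IdPs tagged with the required certification URI."""
    # Assumes metadata_xml came from a signature-verified aggregate.
    root = ET.fromstring(metadata_xml)
    eligible = []
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SP-only entities never belong in a discovery list
        certs = {(v.text or "").strip() for v in entity.findall(VALUE_PATH, NS)}
        if required in certs:  # exact URI match, no prefix or substring matching
            eligible.append(entity.get("entityID"))
    return eligible

def may_issue_request(entity_id, metadata_xml, required):
    """Local short-circuit: skip IdPs that would reject the request anyway."""
    return entity_id in certified_idps(metadata_xml, required)
```

Passing this filter only shows that the IdP is certified; an individual user may still come back with "AuthnFailed", so the SP's error handling remains necessary.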

Examples:

...