...

Note that all of the above URIs will resolve to actual web pages at some point.

IAQs in metadata

The following extension is an immediate child element of the IdP's <md:EntityDescriptor> element in metadata:

...

  • Some SPs may not be able to use the AuthnRequest mechanism due to software or other limitations. Are they simply out of luck?
    • One option may be to use additional software to generate requests on behalf of the broken SP, although this isn't guaranteed to work with all SPs. Otherwise, such SPs will be forced to rely on OOB configuration of IdPs.
  • How is the AuthnRequest configured using the Shib SP? The simpleSAMLphp SP?
    • Shibboleth SPs can rely on the authnContextClassRef setting to control the value requested when particular resources are accessed. To include multiple values in a request, the AuthnRequest "template" mechanism described in the SessionInitiator documentation can be used.
  • Boarding process: Since an IAQ in metadata makes a statement about certification (not live service), how does an SP determine that an IdP supports assurance operationally (as it does for attribute support)? One approach is to include <saml:Attribute> elements in IdP metadata. Other approaches?
    • There is no metadata support for this requirement. SPs should be able to handle errors returned by IdPs that indicate the requested assurance level was not supported. The federation should help establish guidelines for describing such errors, perhaps with a FAQ page that could be linked in.
  • Does the Shib SP software support the metadata check? Does the simpleSAMLphp SP?
    • The Shibboleth SP can extract and make available the entity attribute value in a variable along with user attributes, and use the variable in authorization policy. This is described under "metadata attribute extraction".
  • What matching rules are recommended, or acceptable?
  • How is an SP supposed to "know" that Silver is acceptable in lieu of Bronze? Is there a role for InCommon to provide "advice"?
  • How should an SP perform LoA escalation to allow for a need for increased LoA in an application when a user transitions from a context that needs little or no assurance, to a context that requires a higher LoA?

Example Use Case

This simple example shows how a Service Provider can request a silver-test assurance from an IdP that has been configured as shown in the IAQs in metadata section above.
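As an added example (not code from this page or from the Shibboleth project), the following Python models the SP side of this use case: it reads the assurance-certification entity attribute from IdP metadata, builds the multi-valued RequestedAuthnContext for the AuthnRequest, and performs the metadata check on the AuthnContextClassRef returned in the assertion. The sample metadata, entityID and IAQ URIs are constructed placeholders, and treating the SP's acceptable IAQs as an explicit list (e.g. both bronze and silver when silver is taken in lieu of bronze) is an assumption about SP policy, not something the page prescribes.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity attribute name defined by the SAML V2.0 Identity Assurance Profiles.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample IdP metadata (not from the page). The IAQ URI is a placeholder;
# a real deployment uses the URIs published by its federation.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://example.org/assurance/silver-test</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

def certified_iaqs(metadata_xml):
    """Return the set of IAQ URIs the IdP's metadata certifies it for."""
    root = ET.fromstring(metadata_xml)
    return {v.text.strip()
            for a in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == ASSURANCE_ATTR
            for v in a.findall("saml:AttributeValue", NS) if v.text}

def requested_authn_context(iaqs):
    """Build the <samlp:RequestedAuthnContext> an SP puts in its AuthnRequest to ask
    for any one of the given IAQs (several values in one request, Comparison="exact")."""
    refs = "".join(f"<saml:AuthnContextClassRef>{u}</saml:AuthnContextClassRef>" for u in iaqs)
    return ('<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Comparison="exact">'
            + refs + "</samlp:RequestedAuthnContext>")

def accept_context(returned_ref, acceptable, metadata_xml):
    """SP-side metadata check on the AuthnContextClassRef the IdP returned: it must be
    one the SP's policy accepts (assumption: the SP lists every IAQ it treats as
    sufficient) AND one the IdP's metadata certifies."""
    return returned_ref in acceptable and returned_ref in certified_iaqs(metadata_xml)
```

An IdP that returns an IAQ its metadata does not certify, or one outside the SP's accepted list, is rejected even if the assertion is otherwise valid.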

IdP behavior

See Assurance - Identity Provider Behavior.

...