Shibboleth Developers

["Barry R Ribbeck" <>]

All
Scott had spelled out this particular method earlier and it is appealing 
to me in that I don't have to change the apps so there is a scale value 
and the process works well within the existing scope of shib.  Good code 
weathers the changing tides well!  The authentication context could be a 
Hippa, DOD or .GOV concern where interactions require a higher LOA. At 
issue is the ability for the Target to be able to exercise some level of 
control of access base on authentication methods as opposed to just 
authorziation assertions.  X509 authentication does not necessarily 
provide LOA and there are additional trusts and processes for LOA that 
would have to be tested for at the origin and possibly asserted to the 
Target or a bridge function at the Origin. One thing that I would add is 
that if  x509 is the requirement for the asserted auth method, then it 
would be useful on the target side to request the authenticator's public 
key for logging purposes.

My 1.125 cents
Barry

> I simply check the auth method header Shib provides me and I know which
> policy was used.
>
> This will be much easier when it's part of the protocol, but web servers can
> do a lot of this for me today.
>
> Lastly, I'd always warn anyone doing this that I would never attack your
> authentication system to crack your medical application. I'd attack your
> application's session cookie. As long as the client is a browser, there's
> not all that much you can do except to use client certs and check the cert
> on every request.
>
> I think a really interesting question is why this authentication context
> stuff is so superficially appealing to people. I must be missing something.
> ;-)
>
> -- Scott
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature