
shibboleth-dev - RE: authentication authority

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Shibboleth Development'" <>
  • Subject: RE: authentication authority
  • Date: Fri, 30 Sep 2005 12:17:16 -0400
  • Organization: The Ohio State University

> When a (non-browser) grid client requests a proxy certificate, MyProxy
> registers the DN with the Shib authentication authority (with TTL
> equal to that of the proxy cert). Later, when the grid client
> authenticates to the grid SP, an AuthenticationQuery with an
> X509SubjectName identifier is issued to the authentication authority.
> In response, the grid SP receives an authentication assertion. In
> addition, the authentication authority pushes an attribute assertion
> in the response. (Alternatively, the grid SP could make a separate
> request for attributes at a later time.)

It seems like it suffers from the same basic problem as all the other use
cases I've seen for the query do...why would you do it? If you've already
authenticated to the grid service, why does it need a SAML assertion?

About the only reason I could think of would be to do something with the
AuthnContext feature, so it would be a SAML 2.0 thing, and it would still be
something you could ship as a set of attributes anyway.

There is a lot of downside to SAML separating AuthnStatement from
AttributeStatement. In practice, I think it doesn't work real well, and
that's one reason AuthnQuery always seemed silly to me.

-- Scott
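Added example, not part of this thread or of the Shibboleth or MyProxy code: a toy Python model of the flow Tom describes in the quoted text, with the authority answering an AuthenticationQuery keyed by X509SubjectName only for a DN that MyProxy registered and whose TTL has not lapsed, and pushing an AttributeStatement in the same assertion. The function names, the in-memory registry and the sample DN, issuer and attribute are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.x assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"      # SAML 1.x protocol namespace
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"  # authentication method URI
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

def register_dn(registry, dn, proxy_lifetime, now):
    """MyProxy step: remember the proxy DN for exactly the proxy cert's lifetime."""
    registry[dn] = now + proxy_lifetime

def build_authn_query(dn):
    """Grid SP step: an AuthenticationQuery whose Subject is the X.509 subject DN."""
    q = ET.Element(f"{{{SAMLP}}}AuthenticationQuery", AuthenticationMethod=X509_PKI)
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=X509_FORMAT).text = dn
    return ET.tostring(q)

def handle_query(registry, query_bytes, now, attrs):
    """Authority step: answer only for a registered DN whose TTL has not lapsed,
    and push an AttributeStatement alongside the AuthenticationStatement."""
    q = ET.fromstring(query_bytes)
    nid = q.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or nid.get("Format") != X509_FORMAT:
        return None                      # not keyed by X509SubjectName
    expiry = registry.get(nid.text)
    if expiry is None or expiry <= now:
        return None                      # unknown DN, or proxy already expired
    a = ET.Element(f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1",
                   AssertionID="_example-1", Issuer="idp.example.org",  # constructed
                   IssueInstant=now.isoformat())
    # Bound the assertion to the same TTL MyProxy gave the proxy certificate.
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotOnOrAfter=expiry.isoformat())
    def subject(parent):  # both statements are subject statements in SAML 1.1
        s = ET.SubElement(parent, f"{{{SAML}}}Subject")
        ET.SubElement(s, f"{{{SAML}}}NameIdentifier", Format=X509_FORMAT).text = nid.text
    authn = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                          AuthenticationMethod=X509_PKI,
                          AuthenticationInstant=now.isoformat())
    subject(authn)
    attr_stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    subject(attr_stmt)
    for name, value in attrs.items():
        at = ET.SubElement(attr_stmt, f"{{{SAML}}}Attribute",
                           AttributeName=name, AttributeNamespace=SHIB_ATTR_NS)
        ET.SubElement(at, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a)
```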
