Shibboleth Developers

[Tom Scavo <>]

On 9/30/05, Scott Cantor 
<>
 wrote:
>
> It seems like it suffers from the same basic problem as all the other use
> cases I've seen for the query do...why would you do it? If you've already
> authenticated to the grid service, why does it need a SAML assertion?

Well, our use case requires the value of AuthenticationMethod so the
first thought was to obtain an authentication assertion.  I can see
now, however, that may be fruitless since MyProxy will have to
communicate AuthenticationMethod when it registers the DN, so it may
as well just store AuthenticationMethod in the cert itself.

> About the only reason I could think of would be to do something with the
> AuthnContext feature, so it would be a SAML 2.0 thing,

We're stuck on SAML 1.1 for the foreseeable future, so
AuthenticationMethod is the best we can hope for.

> and it would still be
> something you could ship as a set of attributes anyway.

Yes, I suppose so.  Either that or put it in the cert.

> There is a lot of downside to SAML separating AuthnStatement from
> AttributeStatement. In practice, I think it doesn't work real well, and
> that's one reason AuthnQuery always seemed silly to me.

You're right, I guess.  It doesn't make much sense to process an
authentication assertion for a single attribute value.  If the
authentication assertion had some other use, that might be a different
story.

Thanks,
Tom