shibboleth-dev - authentication strength
- From: Tom Scavo <>
- To: Shibboleth Development <>
- Subject: authentication strength
- Date: Wed, 15 Feb 2006 11:21:21 -0500
If various Grid/Shib discussions at GGF16 this week are any
indication, it seems grid architects are VERY concerned with the
"authentication strength" of a Shibboleth IdP. Is there anything that
can be done to alleviate this problem in the short term (while SAML
2.0 matures)?
AuthenticationStatement/@AuthenticationMethod is "supported" by
Shibboleth 1.3 (i.e., HTTP header SAMLAuthenticationMethod is captured
by the Shib 1.3 SSO protocol handler), but since a Shib 1.3 IdP is
protected by local authn, population of the SAMLAuthenticationMethod
header is a deployment issue. Unfortunately this is not discussed in
the Shib documentation (AFAIK) so typically the AuthenticationMethod
attribute comes across as unspecified in practice, which renders it
useless.
Possible values of the AuthenticationMethod attribute are defined by
the SAML 1.1 spec but Shibboleth protocols do not profile this
attribute. It would be helpful to relying parties if the specified
values of AuthenticationMethod were mapped to federation levels of
assurance. Not sure if this is a Shibboleth protocol issue or a
federation policy issue, but somewhere a mapping from
AuthenticationMethod to LOA should be specified.
So there are two things that could be done to address concerns
regarding strength of authentication:
1. Document HTTP header SAMLAuthenticationMethod in the Shib 1.3
deployment guides.
2. Either profile the use of the AuthenticationMethod attribute in the
Shibboleth profiles or map the SAML 1.1 values to LOA at the
federation level.
This is seen as a stopgap measure in anticipation of SAML 2.0, at
which point the rich AuthnContext framework becomes available.
Tom
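The relying-party side of point 2 above, as an added example that is not part of the original message and not Shibboleth code: a SAML 1.1 consumer pulls AuthenticationMethod out of each AuthenticationStatement, maps it to a federation level of assurance, and fails closed when the value is urn:oasis:names:tc:SAML:1.0:am:unspecified or absent, which is the "useless" case described in the message. The method URIs are the identifiers from SAML 1.1 core section 7.1; the LOA numbers assigned to them are a hypothetical federation policy invented for this illustration, and the assertions are constructed, unsigned samples.

```python
"""Relying-party check of SAML 1.1 AuthenticationMethod against a federation
LOA policy. Added illustration, not Shibboleth code. The LOA numbers in
METHOD_TO_LOA are a hypothetical federation policy, not a published mapping."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AM = "urn:oasis:names:tc:SAML:1.0:am:"
UNSPECIFIED = AM + "unspecified"

# Hypothetical federation policy: SAML 1.1 authentication method URI -> LOA.
# Anything not listed (or unspecified) is treated as LOA 0.
METHOD_TO_LOA = {
    AM + "password": 1,
    "urn:ietf:rfc:2945": 1,      # SRP: still a password, just a better exchange
    "urn:ietf:rfc:1510": 2,      # Kerberos
    "urn:ietf:rfc:2246": 3,      # TLS client certificate
    AM + "X509-PKI": 3,
    AM + "HardwareToken": 3,
}


def authentication_methods(assertion_xml: str) -> list:
    """Return the AuthenticationMethod of every AuthenticationStatement in the
    assertion. An absent attribute is reported as None."""
    root = ET.fromstring(assertion_xml)
    stmts = root.iter(f"{{{SAML1_NS}}}AuthenticationStatement")
    return [s.get("AuthenticationMethod") for s in stmts]


def assurance_level(method) -> int:
    """LOA for a method URI. Unspecified, absent or unknown methods map to 0 so
    that the policy check fails closed."""
    if method is None or method == UNSPECIFIED:
        return 0
    return METHOD_TO_LOA.get(method, 0)


def meets_loa(assertion_xml: str, required: int) -> bool:
    """True only if at least one AuthenticationStatement carries a method
    whose mapped LOA is at least `required`."""
    methods = authentication_methods(assertion_xml)
    if not methods:
        return False
    return max(assurance_level(m) for m in methods) >= required


def _assertion(method_attr: str) -> str:
    # Constructed minimal SAML 1.1 assertion for demonstration (no signature,
    # no conditions); only the AuthenticationStatement matters here.
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example" Issuer="https://idp.example.edu/shibboleth"
    IssueInstant="2006-02-15T16:21:21Z">
  <saml:AuthenticationStatement {method_attr}
      AuthenticationInstant="2006-02-15T16:20:00Z">
    <saml:Subject><saml:NameIdentifier>_handle</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Constructed samples: the common case the message describes (unspecified),
# a password login, a TLS client-certificate login, and a malformed statement
# with the attribute missing altogether.
UNSPECIFIED_ASSERTION = _assertion(f'AuthenticationMethod="{UNSPECIFIED}"')
PASSWORD_ASSERTION = _assertion(f'AuthenticationMethod="{AM}password"')
TLS_CERT_ASSERTION = _assertion('AuthenticationMethod="urn:ietf:rfc:2246"')
MISSING_ASSERTION = _assertion("")

if __name__ == "__main__":
    samples = [("unspecified", UNSPECIFIED_ASSERTION),
               ("password", PASSWORD_ASSERTION),
               ("tls-cert", TLS_CERT_ASSERTION),
               ("missing", MISSING_ASSERTION)]
    for name, a in samples:
        print(f"{name:12s} methods={authentication_methods(a)} "
              f"LOA>=2: {meets_loa(a, 2)}")
```

The point the check makes concrete is that an IdP which never populates the SAMLAuthenticationMethod header ends up asserting unspecified, and a relying party that maps to LOA will refuse it at any level above 0; the IdP has to set the header from its local authentication system, and the federation has to publish the mapping, before the attribute carries any weight.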