shibboleth-dev - authentication methods, SAML 1 vs. SAML 2

Subject: Shibboleth Developers

  • From: Ian Young <>
  • Subject: authentication methods, SAML 1 vs. SAML 2
  • Date: Wed, 05 Mar 2008 12:24:53 +0000
  • Openpgp: id=EA2882BB

SAML 1 defines some URIs for authentication methods so that the IdP can say how things got done. For example, I've had things set up so that the authentication method reported is:

urn:oasis:names:tc:SAML:1.0:am:password

The SAML 2 spec defines some new names, and in particular defines a name for roughly the same thing as the above plus a different one for password authentication over TLS:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Now the way the new IdP is built, these names are involved in configuration of the IdP. The result is that you'd normally end up sending that second thing above (or some other SAML 2 name) by default to all SPs, whether you're talking SAML 1 or SAML 2.

I guess that's OK in some sense, but I'm wondering whether there is some mileage in making it possible for the authentication method indicated to SAML 1 SPs to be different from the one indicated to SAML 2 SPs so as to avoid confusing people who are expecting the old name (not that there are a huge number of those, I'm sure).

Any thoughts?

-- Ian
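A worked sketch of the version-dependent behaviour Ian proposes, added here as illustration and not code from the Shibboleth IdP: the mapping table, the function names and the fallback to the SAML 1.1 `unspecified` method are assumptions of this example.

```python
"""Emit the authentication statement an IdP would put in a SAML 1 or SAML 2
assertion, choosing the method URI by the protocol the SP speaks."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:am:unspecified"

# SAML 2 AuthnContext class -> nearest SAML 1.1 AuthenticationMethod URI.
# Constructed for this example; a real IdP would make this configurable.
SAML2_TO_SAML1_METHOD = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password":
        "urn:oasis:names:tc:SAML:1.0:am:password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport":
        "urn:oasis:names:tc:SAML:1.0:am:password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos": "urn:ietf:rfc:1510",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient": "urn:ietf:rfc:2246",
}


def saml1_method_for(context_class):
    """Map a SAML 2 context class to a SAML 1 method. Unknown classes degrade
    to 'unspecified' rather than leaking a SAML 2 URI into a SAML 1 assertion,
    where an older SP would not recognise it (assumed policy)."""
    return SAML2_TO_SAML1_METHOD.get(context_class, SAML1_UNSPECIFIED)


def authn_statement(context_class, instant, saml_version):
    """Build the statement element for the given protocol version."""
    if saml_version == 1:
        # SAML 1.x carries the method as an attribute of AuthenticationStatement.
        return ET.Element(f"{{{SAML1_NS}}}AuthenticationStatement", {
            "AuthenticationMethod": saml1_method_for(context_class),
            "AuthenticationInstant": instant,
        })
    if saml_version == 2:
        # SAML 2 nests the class reference under AuthnStatement/AuthnContext.
        stmt = ET.Element(f"{{{SAML2_NS}}}AuthnStatement", {"AuthnInstant": instant})
        ctx = ET.SubElement(stmt, f"{{{SAML2_NS}}}AuthnContext")
        ET.SubElement(ctx, f"{{{SAML2_NS}}}AuthnContextClassRef").text = context_class
        return stmt
    raise ValueError(f"unsupported SAML version: {saml_version}")


def reported_method(stmt):
    """Read back the method URI an SP would see from either statement form."""
    if stmt.tag == f"{{{SAML1_NS}}}AuthenticationStatement":
        return stmt.get("AuthenticationMethod")
    return stmt.find(f"{{{SAML2_NS}}}AuthnContext/{{{SAML2_NS}}}AuthnContextClassRef").text
```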


