shibboleth-dev - RE: [Shib-Dev] Feedback for Shibboleth 2.2 roadmap

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Feedback for Shibboleth 2.2 roadmap
  • Date: Thu, 26 Feb 2009 11:12:48 -0500
  • Organization: The Ohio State University

Peter Williams wrote on 2009-02-26:
> Is there a restriction in the standard that limits forceauthn to a class of
> auth scheme with certain properties?

By my reckoning, it only applies to mechanisms that the IdP can guarantee
user interaction for. The standard is more vague and does not mandate user
interaction, only authentication. However, since isPassive DOES specify user
interaction (the lack of it), and forceAuthn is really its inverse, I don't
think my definition is a stretch. It's what people usually *say* they want
from it (pragmatic exceptions like Andre and Peter noted).

If there was broader agreement on their interpretation, I would imagine an
errata might be justified to clean up the language.

> Can this be configured in shib idp (inducing signed errors to be returned for
> those not so configured)?

Login handlers in the IdP have to be explicitly marked as supporting the
option. One IdP might consider SP-NEGO acceptable, and another might not.

-- Scott
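
An added illustration of the handler marking described in the message above (not part of the original post and not Shibboleth IdP code): a Python sketch that reads ForceAuthn and IsPassive from an AuthnRequest and picks a login handler. The handler table, the function names and the choice of status codes returned when no handler qualifies are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Hypothetical handler table. "force_authn" is the explicit marking: the
# deployer asserts this handler can guarantee user interaction.
HANDLERS = [
    {"name": "spnego", "force_authn": False, "passive": True},
    {"name": "password-form", "force_authn": True, "passive": False},
]

# Constructed sample request (unsigned, for illustration only).
SAMPLE = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" '
          'Version="2.0" IssueInstant="2009-02-26T16:12:48Z" %%s/>' % SAMLP)


def xs_bool(value):
    """xs:boolean lexical forms: true/1 and false/0; absent means false."""
    return value is not None and value.strip() in ("true", "1")


def select_handler(request_xml, handlers=HANDLERS, has_session=False):
    """Return (handler_name, None) or (None, second-level status URI)."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    force = xs_bool(root.get("ForceAuthn"))
    passive = xs_bool(root.get("IsPassive"))
    # An existing session may only be reused when fresh authentication
    # was not demanded.
    if has_session and not force:
        return ("existing-session", None)
    usable = [h for h in handlers
              if (h["force_authn"] or not force)
              and (h["passive"] or not passive)]
    if usable:
        return (usable[0]["name"], None)
    # Assumption: NoPassive when the passive constraint was in play,
    # AuthnFailed otherwise.
    return (None, NO_PASSIVE if passive else AUTHN_FAILED)
```

With ForceAuthn and IsPassive both true, no handler in this table qualifies, so the request fails rather than silently falling back to a handler that cannot guarantee interaction.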




