[DG-Concordia] AuthnContext & PAPE & ICAM
Paul Madsen
paulmadsen at rogers.com
Mon Dec 14 10:32:04 EST 2009
In the SAML & OpenID deployment guideline [1] for proxying between
authncontext & PAPE, the fact that PAPE does not allow the RP to
stipulate a specific desired LOA has been a limitation - specifically in
the case where the proxy is trying to map from a SAML Authnrequest that
had a specified LOA class into an OpenID request. Currently, the
deployment guideline recommends the proxy fail the SAML request in this
situation.

However, the ICAM OpenID [2] profile forgoes the PAPE LOA mechanism and
uses the more flexible authentication mechanism parameter to allow the
RP to specify the ICAM LOA1 policy on the OpenID request.

If the ICAM profile were to set a precedent for how PAPE is used to
carry LOA, then the above issue for proxying between SAML & OpenID is
mitigated.

Thoughts?

Paul
[1] - http://bit.ly/4R6CJh
[2] - http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf
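
The proxy behaviour discussed in the message above, as an added example that is not part of the original post or of the deployment guideline. It assumes the ICAM-style approach means carrying an LOA policy URI in `openid.pape.preferred_auth_policies` under the extension alias `pape`; the class URI, policy URI and sample request are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # fine for the embedded sample; use a hardened parser on untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Constructed placeholders (assumptions): a SAML LOA class and the OpenID
# policy URI the deployment treats as its equivalent.
LOA1_CLASS = "urn:example:saml:ac:classes:loa1"
LOA1_POLICY = "https://policy.example/openid/loa1"

# Constructed sample AuthnRequest carrying a specific LOA class.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2009-12-14T15:32:04Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{LOA1_CLASS}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

class UnmappableAuthnContext(Exception):
    """Raised so the proxy fails the SAML request instead of dropping the LOA."""

def pape_request_params(authn_request_xml, policy_map):
    """Translate RequestedAuthnContext into PAPE request parameters."""
    rac = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return {}  # the SP asked for nothing specific
    if rac.get("Comparison", "exact") != "exact":
        # minimum/better/maximum need an ordering a policy list cannot express
        raise UnmappableAuthnContext("non-exact comparison")
    classes = [e.text.strip()
               for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    policies = [policy_map[c] for c in classes if c in policy_map]
    if not policies:
        raise UnmappableAuthnContext(f"no policy for {classes}")
    return {"openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": " ".join(policies)}

def op_honoured_request(request_params, response_params):
    """preferred_auth_policies is only a preference, so check what the OP reports."""
    wanted = set(request_params.get("openid.pape.preferred_auth_policies", "").split())
    applied = set(response_params.get("openid.pape.auth_policies", "").split())
    return not wanted or bool(wanted & applied)
```

Passing an empty `policy_map` reproduces the fail-the-request behaviour the guideline currently recommends; a populated map shows the mapping that becomes possible when LOA is expressed as a policy URI.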