[DG-Concordia] AuthnContext & PAPE & ICAM

Scott Cantor cantor.2 at osu.edu
Tue Dec 15 10:06:19 EST 2009


Paul Madsen wrote on 2009-12-15:
> On the topic of the relevance of RequestedAuthnContext, this SAML profile
> (http://saml2int.org/profile/current) recommends against
> RequestedAuthnContext - citing interop concerns.
> 
> But surely the argument that authncontext complicates interop could be used
> against any policy parameter....

Policy tends not to scale well across thousands of sites. The profile is
trying to identify features that are likely to cause errors if you don't
know in advance that they're likely to work. It's not the support for the
feature that's at issue, really, but the semantics of the classes you ask
for.

e.g. if you were to ask for some string signifying LOA 1, a whole bunch of
IdPs are going to be unable to respond to that simply because they aren't
part of the LOA framework you're using. That may be a good thing, of course.

-- Scott
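
The failure mode described in the message above, as an added example that is not part of the original post: a model IdP evaluates RequestedAuthnContext and answers with the NoAuthnContext status when it does not recognise the class asked for. The LOA URI, the request contents and the IdP's decision logic are constructed assumptions; the SAML namespace, class and status URNs are the standard ones.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
LOA1 = "https://loa.example.org/assurance/loa1"  # constructed placeholder, not a real framework URI
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Second-level status code an IdP returns when it cannot satisfy the requested context
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def build_request(class_refs, comparison="exact"):
    """Constructed sample AuthnRequest; an empty class_refs omits RequestedAuthnContext."""
    rac = ""
    if class_refs:
        refs = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                       for c in class_refs)
        rac = (f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
               f"{refs}</samlp:RequestedAuthnContext>")
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_constructed1" Version="2.0" IssueInstant="2009-12-15T15:06:19Z">'
            f"{rac}</samlp:AuthnRequest>")


def idp_decide(request_xml, supported):
    """Return (status, class used) for a model IdP that knows only `supported` classes."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        # No policy parameter in the request: the IdP uses its own default method.
        return SUCCESS, supported[0]
    if rac.get("Comparison", "exact") != "exact":
        # minimum/better/maximum need a class ordering both sides agree on;
        # this model IdP has none (assumption), so it cannot answer.
        return NO_AUTHN_CONTEXT, None
    for ref in rac.findall("saml:AuthnContextClassRef", NS):
        uri = (ref.text or "").strip()
        if uri in supported:
            return SUCCESS, uri
    # The IdP supports the element, but not the semantics of the class asked for.
    return NO_AUTHN_CONTEXT, None


if __name__ == "__main__":
    for refs in ([], [LOA1], [LOA1, PPT]):
        print(refs, "->", idp_decide(build_request(refs), [PPT]))
```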



