Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

TF-OpenSpace – Session 2, room yellow.    12  12 February 2014. 

Lead by:  Ken (Internet2), Brook (TERENA), Kristof (NIIF)

...

Notes: Brook Schofield

Problem:

A merger of 3 topics:

  1. LoA on Attributes
  2. What (kinds of) attributes should a VO provide/manage?
  3. Solve the easy part of LoA: AuthNContext FTW!

 

For background information see Two Factor Authentication.

Authentication Context Tester from Roland Hedberg https://github.com/rohe/actester

 

What are all of the....

There are 25 different authentication contexts listed in http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

NameAuthentication ContextLoA Equivalent Level
Internet Protocolurn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol 
 urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered

 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract 
 urn:oasis:names:tc:SAML:2.0:ac:classes:Password 
 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransportX
 urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:X509

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:PGP 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI 
 urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI 
 urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony

 
 

urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony

 
 urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony 
 urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword 
 urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient 
 urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken 
 urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified 

 

Multicontext ....

 

 

A - we can do that now... will the groups be happy about this?!?

 

Ken: USA Govt - another LoA class that is strong authentication with weak identity vetting.

 

Under 13 - knowledge base identity vetting..

 

"Limited liability persona"

 

Confyrm http://www.confyrm.com/ <-- no idea what they are doing!?!

 

 

Metadata Registration Practice Statement (how you register metadata within your federation)

Key Management Practice Statement (how you manage the metadata signing keys)

 

 

Template for MRPS

 

 

 

 

 

 

 

....

https://refeds.terena.org/index.php/REEP_Policy

 

 

 


[ACTION]  Nicole to ask the REFEDS list on the topic of AuthnContext