[Openid-specs-ab] acr values

John Bradley ve7jtb at ve7jtb.com
Tue Aug 13 02:06:23 UTC 2013


acr is not required to be globally meaningful, just collision resistant if you are using it outside of a closed environment. People can register globally understood values for it as well.

I suspect that auth_level is a subset of acr. It is equivalent to the SAML Authentication Context Class Reference, which is typically federation specific in practice, though some things like FICAM have tried broader definitions.

Good to know you created the wiki page, I will have a look at it. However the WG is not monitoring that wiki.  I don't recall it coming up on the list or on any of the twice weekly calls.

There is a ticketing system for Connect WG.  Filing tickets is the best way to get a response.  

Thanks
John B.

On 2013-08-12, at 9:03 PM, mike at gluu.org wrote:

> OX did invent something, which is why we wrote an emerging work wiki page:
> http://wiki.openid.net/w/page/66496701/Domain%20Specific%20Authentication%20Mode%20and%20Level
> 
> I think that amr is very close to what we proposed as auth_mode. I agree it's inflexible, but sometimes explicit specification is desirable.
> 
> In the current OIDC design, I don't see an equivalent for "auth_level." This approach is widely used at many large organizations, as "siteminder level." The idea is to provide the domain with a way to define the relative strength of the authn workflows they provide. This is a convenience for managing policies, and supporting the plethora of new authn mechanisms that arise. The auth_level can be defined by the domain or federation--it is not meant to be a globally meaningful value (that is what ACR is for in my opinion).
> 
> Certainly OX will adopt the standards that arise... but having some implementation feedback never hurts. My experience is that explaining auth_mode and auth_level to developers makes sense to them.
> 
> thx,
> 
> Mike
> 
> PS: 3 more days to fund