[Openid-specs-ab] acr values
mike at gluu.org
Tue Aug 13 01:03:39 UTC 2013
OX did invent something, which is why we wrote an emerging work wiki
page:
http://wiki.openid.net/w/page/66496701/Domain%20Specific%20Authentication%20Mode%20and%20Level

I think that amr is very close to what we proposed as auth_mode. I
agree it's inflexible, but sometimes explicit specification is desirable.

In the current OIDC design, I don't see an equivalent for "auth_level."
This approach is widely used at many large organizations, as "siteminder
level." The idea is to provide the domain with a way to define the
relative strength of the authn workflows they provide. This is a
convenience for managing policies, and supporting the plethora of new
authn mechanisms that arise. The auth_level can be defined by the domain
or federation--it is not meant to be a globally meaningful value (that
is what ACR is for in my opinion).

Certainly OX will adopt the standards that arise... but having some
implementation feedback never hurts. My experience is that explaining
auth_mode and auth_level to developers makes sense to them.

thx,
Mike
PS: 3 more days to fund