[openid-specs-rande] RAF expression in OIDC

Mischa Salle msalle at nikhef.nl
Fri Aug 30 13:34:33 UTC 2019


Hi Nicolas, all,

> The amr claim was actually brought up during the RAF discussions but
> the argument against using that claim was that amr is more related to
> the authentication, which is not covered by RAF.
thanks, that makes sense.

> Expressing SFA/MFA through the acr claim certainly makes sense.
and in line with
https://wiki.refeds.org/pages/viewpage.action?pageId=38895661

> > which is more or less what Nikhef is now producing.
> > Additionally we also add some information such as the IGTF assurance
> > profile OID (typically https://igtf.net/ap/authn-assurance/birch /
> > urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
> >    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > or
> >    urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
> 
> I think that this type of information (e.g.
> PasswordProtectedTransport, TLSClient), which describes the actual
> authentication method, is probably a better fit for the amr claim. It
> is interesting that even in SAML, there are implementations that
> express this information through a custom "authnmethodsreferences"
> attribute:
> https://wiki.refeds.org/pages/viewpage.action?pageId=38895671
Ah, I had missed that one.

> But for purely RAF assurance profiles and component values
> ($PREFIX$/ID/IAP/ATP/profile), using the eduperson_assurance claim
> seems to be the standard way.
Right, perhaps good as a clarifying note somewhere, on OIDC, with a nice
example with all three: acr, amr and eduperson_assurance.

Cheers,
Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
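The three claims the thread ends on (acr for SFA/MFA, amr for the actual method, eduperson_assurance for RAF values) side by side, as an added example that is not part of the thread or any REFEDS or Nikhef code: a constructed ID-token payload and one way a relying party could evaluate its own assurance policy against it. The REFEDS profile URIs and the RAF component values are assumed here; the IGTF birch URI is the one quoted above.

```python
# Added example (not from the thread): how an OIDC relying party could evaluate the
# acr, amr and eduperson_assurance claims after it has verified the ID token's
# signature, issuer and audience. All claim values below are constructed.
REFEDS_MFA = "https://refeds.org/profile/mfa"   # assumed REFEDS MFA acr value
REFEDS_SFA = "https://refeds.org/profile/sfa"   # assumed REFEDS SFA acr value
RAF = "https://refeds.org/assurance"             # assumed $PREFIX$ for RAF values

# Constructed ID token claims (signature already verified, so only claims are shown).
SAMPLE_ID_TOKEN = {
    "iss": "https://op.example.org",
    "sub": "248289761001",
    "aud": "rp-client-id",
    "acr": REFEDS_MFA,                  # authentication context: single vs multi-factor
    "amr": ["pwd", "otp"],              # methods actually used (RFC 8176 vocabulary)
    "eduperson_assurance": [            # RAF identity assurance, separate from authN
        RAF + "/ID/unique",
        RAF + "/IAP/medium",
        RAF + "/ATP/ePA-1m",
        RAF + "/profile/cappuccino",
        "https://igtf.net/ap/authn-assurance/birch",
    ],
}


def check_assurance(claims, required_acr, allowed_amr, need_all_of, accept_profiles):
    """Return (ok, reasons) for one RP policy; reasons lists every failed check.

    required_acr    -- set of acceptable acr values, e.g. {REFEDS_MFA}
    allowed_amr     -- set of amr values of which at least one must be present
    need_all_of     -- RAF component values that must all be present ...
    accept_profiles -- ... unless any one of these RAF profile values is present
    A missing claim counts as a failure: an OP that asserts nothing gives no assurance.
    """
    reasons = []
    acr = claims.get("acr")
    if acr not in required_acr:
        reasons.append(f"acr {acr!r} not in {sorted(required_acr)}")
    amr = set(claims.get("amr") or [])
    if not amr & allowed_amr:
        reasons.append(f"amr {sorted(amr)} has none of {sorted(allowed_amr)}")
    epa = set(claims.get("eduperson_assurance") or [])
    if not (epa & accept_profiles) and not need_all_of <= epa:
        reasons.append("eduperson_assurance lacks an accepted profile and the components")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_assurance(SAMPLE_ID_TOKEN, {REFEDS_MFA}, {"otp", "hwk"},
                          {RAF + "/ID/unique", RAF + "/IAP/medium"}, set()))
```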