[openid-specs-rande] RAF expression in OIDC
Mischa Salle
msalle at nikhef.nl
Fri Aug 30 13:34:33 UTC 2019
Hi Nicolas, all,
> The amr claim was actually brought up during the RAF discussions but
> the argument against using that claim was that amr is more related to
> the authentication, which is not covered by RAF.
thanks, that makes sense.
> Expressing SFA/MFA through the acr claim certainly makes sense.
and in line with
https://wiki.refeds.org/pages/viewpage.action?pageId=38895661
> > which is more or less what Nikhef is now producing.
> > Additionally we also add some information such as the IGTF assurance
> > profile OID (typically https://igtf.net/ap/authn-assurance/birch /
> > urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > or
> > urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
>
> I think that this type of information (e.g.
> PasswordProtectedTransport, TLSClient), which describes the actual
> authentication method, is probably a better fit for the amr claim. It
> is interesting that even in SAML, there are implementations that
> express this information through a custom "authnmethodsreferences"
> attribute:
> https://wiki.refeds.org/pages/viewpage.action?pageId=38895671
Ah, I had missed that one.
> But for purely RAF assurance profiles and component values
> ($PREFIX$/ID/IAP/ATP/profile), using the eduperson_assurance claim
> seems to be the standard way.
Right, perhaps good as a clarifying note somewhere, on OIDC, with a nice
example with all three: acr, amr and eduperson_assurance.
Cheers,
Mischa
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
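Added example (not part of the original message, and not Nikhef's or REFEDS' code): a relying-party check over a decoded ID token payload that carries all three claims discussed in this thread, keeping the decision on `acr` separate from the decision on `eduperson_assurance`. Assumptions: `$PREFIX$` is `https://refeds.org/assurance`, `eduperson_assurance` arrives as a JSON array, the IGTF value travels in `eduperson_assurance`, and the function name `evaluate` and both sample tokens are constructed.

```python
RAF = "https://refeds.org/assurance"  # stands in for $PREFIX$ (assumption)
SFA = "https://refeds.org/profile/sfa"
MFA = "https://refeds.org/profile/mfa"
SAML_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def evaluate(claims, accepted_acr, required_assurance):
    """Check a decoded, signature-verified ID token; return (failures, notes)."""
    failures, notes = [], []
    acr = claims.get("acr")
    lists = {}
    # acr is a single string; amr and eduperson_assurance are arrays of strings.
    for name in ("amr", "eduperson_assurance"):
        value = claims.get(name, [])
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            failures.append(f"{name} is not an array of strings")
            value = []
        lists[name] = value
    # Authentication strength is decided on acr alone.
    if not isinstance(acr, str) or acr not in accepted_acr:
        failures.append(f"acr {acr!r} not accepted")
    # Identity assurance is decided on eduperson_assurance alone, by exact match.
    for needed in required_assurance:
        if needed not in lists["eduperson_assurance"]:
            failures.append(f"missing assurance value {needed}")
    # Values found in the wrong claim are reported but never counted.
    for name, values in lists.items():
        for v in values:
            if v in (SFA, MFA):
                notes.append(f"{name}: {v} is an authentication profile, expected in acr")
            elif name == "eduperson_assurance" and v.startswith(SAML_AC):
                notes.append(f"{name}: {v} is an authentication method, expected in amr")
    return failures, notes

# Constructed sample tokens (payloads only).
GOOD = {
    "acr": SFA,
    "amr": [SAML_AC + "PasswordProtectedTransport"],
    "eduperson_assurance": [
        RAF + "/ID/unique", RAF + "/IAP/medium", RAF + "/profile/cappuccino",
        "https://igtf.net/ap/authn-assurance/birch",  # placement here is assumed
    ],
}
MISPLACED = {
    "acr": SFA,
    "amr": [],
    "eduperson_assurance": [MFA, SAML_AC + "TLSClient", RAF + "/ID/unique"],
}

if __name__ == "__main__":
    print(evaluate(GOOD, {SFA, MFA}, [RAF + "/IAP/medium"]))
    print(evaluate(MISPLACED, {MFA}, [RAF + "/IAP/medium"]))
```

In the second token the MFA URI sits in `eduperson_assurance`, so a policy that requires MFA still fails on `acr` and the stray values only show up as notes.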