...
- Discussion on the cas-dev mailing list: https://lists.wisc.edu/read/messages?id=18431743
- NIST Electronic Authentication Guideline
- Key areas of interest:
- Section 5: Registration and Issuance Process
- Section 6.3 - Token Assurance Levels (pp 48-54)
- Really, the whole document is very interesting and directly applicable
- Key areas of interest:
- E-Authenticaiton Authentication Guidelines for Federal Agencies
- Key areas of interest
- Section 2.2: This is an interesting discussion of risk assessment - addresses the question: "Why do we want LOA?"
- Section 2.4: Examples of various levels
- Key areas of interest
- Incommon Assurance Policies Bronze and Silver
- Key areas of interest
- Section 4.1: Summary of Identity Assurance Criteria
- Key areas of interest
- Authentication Contexts for SAML 2.0
- Key areas of interest
- Section 3.4: Authentication Context Classes list
- Key areas of interest
...
I do not understand what is the advantage of giving up SWF/MVC capability to deal with lower level concerns like state management, http request binding and validation over re-inventing custom mechanisms to do essentially the same. I'd rather concentrate on the business domain of authentication/assurance than re-inventing the wheel. (Dmitriy Kopylenko)
From Jérôme Leleu : I'd like to avoid pollution on this document, but this requires an answer. I may not have been very clear, but this document must be cross-read with the first LOA spec and for both, the reader must focus on concepts more than on technical implementations details which may be discussed futher. Last tuesday, we had a conf call and this point (using or not SWF) was a key discussion : if I understood everything clearly, we came to the loose agreement of using SWF.
An CredentialsGatherer is a way to get Credentials. Each CredentialsGatherer is defined to support a kind of Credentials it will return when called.
This concept replaces the AuthenticationViaFormAction and AbstractNonInteractiveCredentialsAction.
...