Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Over the years I’ve been writing this newsletter, the concept of “context” comes up time and again. As I’ve often said, "context"
is a better (or, at least, a different) way of looking at identity transactions - the who, what, when, where, how (and perhaps
why) of an authentication or authorization. I may give the impression that I am somewhat focused on this concept. Some would
even say that I, perhaps, obsess about it. One friend even mentioned that he thought humorist Dave Barry was thinking of me
and context (or, “me in context”) when he said: "I argue very well. Ask any of my remaining friends. I can win an argument
on any topic, against any opponent. People know this, and steer clear of me at parties. Often, as a sign of their great respect,
they don't even invite me." My only plea is that I wish more folks with influence in identity management vendor circles would
take context more seriously.
That may be happening.
Paul Madsen is the co-chair of the Liberty Alliance Technical Expert Group. These are the folks who create the scenarios for
implementing the Alliance’s specifications. He wrote, for example, “Liberty ID-WSF People Service – federated social identity”.
Recently on his blog he discussed the SAML specification element AuthnContext. As he said: “Most people associate the element with capturing the
specifics of how the user authenticated to the IDP [identity provider], e.g. either using a password or (more meaningfully
for maximizing the value of the [single sign-on]) some stronger authentication technology like an OTP [one time password]
or smart card.” Generally, that’s the way I see most vendors using “context” when it comes to authentication, also.
But Madsen goes on to say: “But Authentication Context is far more powerful than merely describing this aspect of the authentication.
Authentication Context gives IDPs and [service providers] a language to discuss many other aspects of the context of the authentication,
including:
* The initial user identification mechanisms (for example, face-to-face, online, shared secret).
* The mechanisms for minimizing compromise of credentials (for example, credential renewal frequency, client-side key generation).
* The mechanisms for storing and protecting credentials (for example, smart card, password rules).
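The AuthnContext discussion above, as an added example that is not code from the newsletter, from Madsen or from the Liberty Alliance: a service-provider-side check that reads the class the IdP asserted, compares it against the SP's own requirement the way RequestedAuthnContext/@Comparison does, and measures the "when" of the authentication from AuthnInstant. The saml namespace and the class URIs are the standard SAML 2.0 ones; the STRENGTH ordering, the function names and the sample assertion are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed SP policy: higher number = stronger context. Only the SP can decide
# this ordering; the IdP merely reports what happened.
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,  # time-synchronised OTP token
    AC + "Smartcard": 4,
    AC + "SmartcardPKI": 5,
}

def asserted_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI from the first AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    ref = root.find(path)
    return ref.text.strip() if ref is not None and ref.text else None

def satisfies(asserted: Optional[str], required: str, comparison: str = "minimum") -> bool:
    """Mirror RequestedAuthnContext/@Comparison ('exact' or 'minimum'); unknown or missing classes fail closed."""
    if asserted not in STRENGTH or required not in STRENGTH:
        return False
    if comparison == "exact":
        return asserted == required
    return STRENGTH[asserted] >= STRENGTH[required]

def authn_age_seconds(assertion_xml: str, now_iso: str) -> float:
    """Seconds between AuthnInstant (the 'when' of the context) and now_iso, both as YYYY-MM-DDThh:mm:ssZ."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    stmt = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}AuthnStatement")
    when = datetime.strptime(stmt.get("AuthnInstant"), fmt)
    return (datetime.strptime(now_iso, fmt) - when).total_seconds()

# Constructed sample (unsigned, trimmed): the IdP reports a password login over a protected transport.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2009-03-02T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2009-03-02T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

Signature verification and a hardened XML parser belong in front of this check; the example only evaluates the context fields once the assertion is trusted.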
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.