usnistgov/800-63-3

Missing words in -63C Section 6 introduction


(Submitted by MITRE)

In 800-63C, Section 6, first sentence:

"An assertion used for authentication is a packaged set of attribute values or attribute references about or associated with an authenticated subscriber that is passed from the IdP to the RP in a federated identity system." doesn't actually say anything about the fact of authentication. As it stands, the IdP could pass some attributes and the RP must assume the subscriber authenticated successfully, by virtue of there being an assertion.

Suggest: Add something like "about the subscriber's successful authentication".

In just about all federated systems, the fact that you're getting an assertion at all is an indication that the authentication was successful. We need to be clear that the IdP can also make statements about the authentication action at the IdP within the assertion, but those specifics aren't required and will be protocol-specific.
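The distinction raised in this issue, as an added example that is not part of the issue thread or of SP 800-63C: an RP-side check that accepts an assertion only when it carries an explicit statement about the authentication event, rather than treating the mere arrival of attributes as proof the subscriber authenticated. The claim names (`auth_time`, `acr`, `amr`), the issuer/audience values and the age and ACR policy are assumptions modelled on OpenID Connect ID Token conventions, i.e. one protocol's way of carrying the authentication statement the comment above describes.

```python
# Added example (not from the issue or from SP 800-63C). Claim names follow
# OpenID Connect ID Token conventions and are an assumption here; the RP
# policy values below are constructed for illustration.

REQUIRED_ACR = {"urn:example:aal2", "urn:example:aal3"}  # constructed RP policy
MAX_AUTH_AGE = 300  # seconds since the IdP authenticated the subscriber (assumed)


def evaluate_assertion(assertion: dict, now: float, expected_iss: str,
                       expected_aud: str) -> tuple[bool, str]:
    """Return (accepted, reason). Only assertions that bind to this RP AND
    state a recent, sufficiently strong authentication event are accepted."""
    if assertion.get("iss") != expected_iss:
        return False, "unexpected issuer"
    if assertion.get("aud") != expected_aud:
        return False, "assertion not addressed to this RP"
    exp = assertion.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "assertion expired or missing exp"
    # The point of the issue: attributes alone say nothing about
    # authentication, so require an explicit authentication statement.
    auth_time = assertion.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "no authentication statement (auth_time missing)"
    if auth_time > now:
        return False, "auth_time in the future"
    if now - auth_time > MAX_AUTH_AGE:
        return False, "authentication event too old for this RP"
    if assertion.get("acr") not in REQUIRED_ACR:
        return False, "authentication context below RP requirement"
    if not assertion.get("amr"):
        return False, "no authentication method reported"
    return True, "ok"


CONSTRUCTED_NOW = 1_700_000_000.0  # fixed clock so the examples are deterministic

# Constructed attribute-only assertion: well-formed, but silent on authentication.
ATTRIBUTE_ONLY = {"iss": "https://idp.example", "aud": "https://rp.example",
                  "exp": CONSTRUCTED_NOW + 60, "sub": "alice", "email": "alice@example"}

# Constructed assertion that also states the authentication event at the IdP.
WITH_AUTH_EVENT = dict(ATTRIBUTE_ONLY, auth_time=CONSTRUCTED_NOW - 30,
                       acr="urn:example:aal2", amr=["pwd", "otp"])

if __name__ == "__main__":
    for name, a in (("attribute-only", ATTRIBUTE_ONLY), ("with auth event", WITH_AUTH_EVENT)):
        print(name, evaluate_assertion(a, CONSTRUCTED_NOW,
                                       "https://idp.example", "https://rp.example"))
```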