
Authentication Context In Practice

Authentication Context, as defined by the Liberty Alliance and SAML 2.0, has attracted some interest lately. As a way for Service Providers and Identity Providers to attach additional meaning to an authentication exchange, it has real practical value to businesses. Dave Kearns recently wrote an interesting article about it in his newsletter, inspired by a post on Paul Madsen's blog that touched on the subtle power of context. Dave asked to see more examples from the vendor community, and that was inspiration enough for me.

At Symlabs, we see our customers using AuthnContext to convey two distinct things: how a user was provisioned in the first place, and how the user was authenticated for the current session. This requirement originally came from our customers who are wireless operators, but it makes a lot of sense for other service providers as well.

Remember that mobile phone service can be bought on a subscription (post-paid, with a contract) or anonymously (pre-paid, without a contract). The SAML 2.0 mobile context classes encode exactly this distinction alongside the number of authentication factors (for example, MobileOneFactorContract versus MobileOneFactorUnregistered). It all comes down to liability: the kind of "trust" you would extend to an anonymous user who paid cash for a handset at the local drug store differs from the trust you extend to a user you know and have had a business relationship with for years.

Because the context can have liability implications, it must be set appropriately and on the basis of the business relationship. For example, a company may have tiered partnerships (say, "platinum", "gold" and "silver") with other companies. The tier can then be one of the factors that determines the maximum liability accepted for different identity assertions.

Symlabs was instrumental in getting the mobile authentication contexts defined, because our wireless operator customers asked us to participate in that work. Generalizing what we learned in the mobile world, the Symlabs Federated Identity Suite can be configured with arbitrary business logic, drawing on any number of data sources, to determine the appropriate authentication context to issue.

The SAML and Liberty specifications are silent on one aspect of authentication contexts that matters a great deal to a business: how they should be ranked, or rather, which one is "better". SAML 2.0 lets a Service Provider request a context with a Comparison of exact, minimum, maximum or better, but it leaves the ordering that gives "minimum" and "better" their meaning to the deployment. Therefore, in Symlabs Federated Identity Suite we chose not to hardwire any ranking, and instead allow customized business logic to be inserted to evaluate it.

Last (but not least), through the same flexible business logic, customers gain complete control by defining contexts of their own and assigning them whatever semantics they please. Symlabs Federated Identity Suite supports this by allowing custom contexts to be configured so that they participate in the ranking and business rules just like any official context.
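To make the ranking and liability ideas above concrete, here is an added example that is not code from the original post and not Symlabs' product logic. It is written in Python, reads the AuthnContextClassRef out of a constructed SAML 2.0 assertion, implements the four SAML 2.0 RequestedAuthnContext Comparison modes on top of a deployment-defined ranking table, includes a hypothetical custom context URN (urn:example:ac:classes:PlatinumPartnerVerified) that ranks alongside the official classes, and derives a hypothetical liability cap from context and partner tier. The ranking numbers, the tier caps and the sample assertion are all invented for illustration; the code assumes the assertion's XML signature has already been verified by the SAML stack (an unverified assertion must never reach this policy layer).

```python
"""Deployment-defined ranking of SAML 2.0 AuthnContext class references (added example)."""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical ranking: higher is "better". The spec defines the URNs but not this order;
# the mobile classes encode provisioning (Contract vs Unregistered) and factor count.
RANKING = {
    AC + "unspecified": 0,
    AC + "MobileOneFactorUnregistered": 10,  # pre-paid handset, anonymous, one factor
    AC + "Password": 20,
    AC + "PasswordProtectedTransport": 30,
    AC + "MobileOneFactorContract": 40,      # post-paid subscriber, known identity
    AC + "MobileTwoFactorUnregistered": 45,
    AC + "MobileTwoFactorContract": 60,
    "urn:example:ac:classes:PlatinumPartnerVerified": 70,  # custom context (hypothetical)
    AC + "SmartcardPKI": 80,
}


def rank(ctx):
    """Rank of a context URN, or None if the deployment never ranked it (callers fail closed)."""
    return RANKING.get(ctx)


def satisfies(asserted, requested, comparison="exact"):
    """Apply the SAML 2.0 Comparison semantics using the deployment ranking.

    exact:   asserted is one of the requested classes
    minimum: asserted is at least as strong as one of the requested classes
    better:  asserted is stronger than every requested class
    maximum: asserted does not exceed the strongest requested class
    Unknown contexts on either side are rejected rather than guessed at.
    """
    r = rank(asserted)
    req = [rank(c) for c in requested]
    if r is None or not req or any(x is None for x in req):
        return False
    if comparison == "exact":
        return asserted in requested
    if comparison == "minimum":
        return r >= min(req)
    if comparison == "better":
        return r > max(req)
    if comparison == "maximum":
        return r <= max(req)
    raise ValueError(f"unknown Comparison value: {comparison}")


def authn_context_class_ref(assertion_xml):
    """Extract the single AuthnContextClassRef from a (pre-verified) SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML}
    refs = root.findall("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", ns)
    if len(refs) != 1 or not (refs[0].text or "").strip():
        raise ValueError("assertion must carry exactly one non-empty AuthnContextClassRef")
    return refs[0].text.strip()


# Hypothetical partner tiers and liability caps (currency units); not from the post.
TIER_CAP = {"platinum": 10000, "gold": 2500, "silver": 500}


def max_liability(ctx, partner_tier):
    """Hypothetical policy: full tier cap only for contract-backed contexts (rank >= 40),
    a quarter of it for weaker authenticated sessions (rank >= 20), nothing otherwise."""
    r = rank(ctx)
    cap = TIER_CAP.get(partner_tier, 0)
    if r is None or r < 20:
        return 0
    if r < 40:
        return cap // 4
    return cap


# Constructed sample assertion (no signature; assumed already verified upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2006-12-06T00:19:00Z">
  <saml:Issuer>https://idp.example.net/</saml:Issuer>
  <saml:Subject><saml:NameID>+15550100</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2006-12-06T00:18:55Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    ctx = authn_context_class_ref(SAMPLE_ASSERTION)
    wanted = [AC + "PasswordProtectedTransport"]
    print(ctx, "minimum", satisfies(ctx, wanted, "minimum"))
    print(ctx, "better", satisfies(ctx, wanted, "better"))
    print("liability (gold):", max_liability(ctx, "gold"))
```

Note that `satisfies` refuses any context it has not ranked, so a new official or custom URN is harmless until someone deliberately adds it to the table; that is the fail-closed behaviour you want when the ranking carries liability consequences.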

Posted on Wednesday, December 6, 2006 at 12:19AM by Felix Gaehtgens | 2 Comments

Reader Comments (2)

really good blog thanks
August 25, 2007 | Unregistered Commenteritiraf
