Infrastructure

Similar to #2279, this should be set in the certificate for the subject, and not modified. Unlike verifiedUser, though, the MN can tell if a user is properly authenticated if they have a valid certificate from CILogon. So, its more reasonable for the MN to update this value. But it would be best practice if the CN identity service set the authenticated user in the equivalent identities list for consistency and to ease implementations for MNs. Reassigning to identify service and to Ben.

I disagree with Matt here. The identity manager does not know when or whether a Subject is "authenticated" -- this is entirely in the hands of CILogon. If the user can authenticate with CILogon, CILogon generates a certificate for the user. If the MN receives a valid [CILogon] certificate it should safely assume that the user is indeed "authenticated" since that is the point of utilizing certificates and CILogon.
The MN should then allow access to objects that have AccessRules defined for the "authenticatedUser" constant. It's true that this is similar to interpreting "equivalent identities" but since authentication is temporally dependent, we cannot safely encode that in the identity manager as an innate attribute of the given Person (as was hinted by Matt's suggestion that it be part of the SubjectInfo encoded in the certificate). I believe this ticket is correctly placed as a feature of [G]MN -- back to Dahl.
Note: this does not mean the MN is editing attributes of the Person, just to be clear. It's only about interpretation.

Implemented. Sorry for the confusion caused by the vague description in this ticket.