saml-dev message


Subject: RE: [saml-dev] Does an Authentication Context URN actually reference an XML file?


Thanks again, Scott.  Then, would it be fair to say that an assertion that contains just an <AuthnContextClassRef> is fairly useless:

        <AuthnContext>
            <AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </AuthnContextClassRef>
        </AuthnContext>

A useful assertion would identify both the class, as well as the URL to the actual XML file:

        <AuthnContext>
            <AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </AuthnContextClassRef>
            <AuthnContextDeclRef>
                http://www.AirlineInc.com/foo.xml
            </AuthnContextDeclRef>
        </AuthnContext>

Correct?

/Roger


-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, May 04, 2006 11:35 AM
To: Costello, Roger L.; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Does an Authentication Context URN actually reference an XML file?

> The URN does not indicate the name of a resource (XML file)
> that contains details about how the authentication was accomplished.
>
> Correct?

Yes.

> The URN is just a label.  It is a label with this semantics
> "The subject was authenticated through the presentation of a
> password over a protected session."
>
> Correct?

I prefer to be technically precise and leave interpretation to others. What
it means is "the actual declaration instance, should it be known, is
schema-valid with respect to the schema associated with that class URN".

The class schemas restrict the possible content that can appear, apart from
extension points that are still open.

> Suppose that an IdP creates an XML document (let's call it
> foo.xml) which conforms to
> saml-schema-authn-context-ppt-2.0.xsd (this is the schema
> that has as its targetNamespace the above URN), and foo.xml
> contains all the details about how a Subject was
> authenticated.  Suppose that the IdP wants to tell the
> Relying Party, "The subject was authenticated through the
> presentation of a password over a protected session, and if
> you want to see the authentication details then view foo.xml
> at this URL _____".  How would this be expressed?

By adding the URL to foo.xml as the AuthnContextDeclRef element in the
statement.

-- Scott
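The thread turns on how a relying party actually consumes the two elements: the class URN is a label that is compared exactly against policy, and the DeclRef (when an IdP includes one) is a pointer to the declaration instance that the relying party is not obliged to fetch. The following Python is an added example written for this page, not code from the thread or from any OASIS project. It parses a constructed SAML 2.0 assertion with the standard library, extracts AuthnContextClassRef and AuthnContextDeclRef, and applies an exact-match class policy; the issuer, DeclRef URL and timestamps are made up for the demo, and the class URN is the full form from the SAML 2.0 authentication context specification (the snippets above omit the "SAML:" segment). In a real deployment the assertion's signature would be verified before any of this runs.

```python
# Added example, not from the mailing-list thread: extract and evaluate the
# AuthnContext of a SAML 2.0 assertion the way a relying party (SP) would.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Full class URN as registered by the SAML 2.0 authentication context spec.
PPT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


@dataclass(frozen=True)
class AuthnContextInfo:
    class_ref: Optional[str]   # label naming the class schema the declaration is valid against
    decl_ref: Optional[str]    # optional pointer to the IdP's declaration instance


def _text(elem: Optional[ET.Element]) -> Optional[str]:
    # Pretty-printed assertions put whitespace/newlines around the URN; strip it
    # so the comparison against policy is exact.
    if elem is None or elem.text is None:
        return None
    value = elem.text.strip()
    return value or None


def extract_authn_context(assertion_xml: str) -> AuthnContextInfo:
    """Pull the AuthnContext child elements out of an AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext", NS)
    if ctx is None:
        raise ValueError("assertion has no AuthnStatement/AuthnContext")
    return AuthnContextInfo(
        class_ref=_text(ctx.find("saml:AuthnContextClassRef", NS)),
        decl_ref=_text(ctx.find("saml:AuthnContextDeclRef", NS)),
    )


def class_accepted(info: AuthnContextInfo, accepted: FrozenSet[str]) -> bool:
    """Relying-party policy: the class URN is a label, compared exactly.
    The DeclRef, if present, is left as an opaque reference. It is not
    dereferenced here: the decision rests on the (signed) assertion content,
    not on a document fetched from a URL the issuer chose."""
    return info.class_ref is not None and info.class_ref in accepted


def _assertion(authn_context_body: str) -> str:
    # Constructed sample assertion; issuer and timestamps are placeholders.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo1" Version="2.0"'
        ' IssueInstant="2006-05-04T11:35:00Z">\n'
        "  <saml:Issuer>https://idp.example.org</saml:Issuer>\n"
        '  <saml:AuthnStatement AuthnInstant="2006-05-04T11:34:00Z">\n'
        "    <saml:AuthnContext>\n"
        f"{authn_context_body}\n"
        "    </saml:AuthnContext>\n"
        "  </saml:AuthnStatement>\n"
        "</saml:Assertion>"
    )


# Bare class reference, as in the first snippet of the thread.
CLASS_ONLY = _assertion(
    f"      <saml:AuthnContextClassRef>{PPT_CLASS}</saml:AuthnContextClassRef>"
)

# Class reference plus a DeclRef, as in the second snippet (URL is constructed).
CLASS_AND_DECL = _assertion(
    "      <saml:AuthnContextClassRef>\n"
    f"        {PPT_CLASS}\n"
    "      </saml:AuthnContextClassRef>\n"
    "      <saml:AuthnContextDeclRef>https://idp.example.org/foo.xml</saml:AuthnContextDeclRef>"
)


if __name__ == "__main__":
    policy = frozenset({PPT_CLASS})
    for label, doc in (("class only", CLASS_ONLY), ("class + decl", CLASS_AND_DECL)):
        info = extract_authn_context(doc)
        print(f"{label}: {info} accepted={class_accepted(info, policy)}")
```

Both sample assertions pass the same policy check, which is the practical answer to the question above: a bare AuthnContextClassRef is enough for a relying party to decide whether the authentication method meets its requirements, while the DeclRef only adds a reference the relying party may choose to follow.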



