[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [Summary] Does an Authentication Context URN actually reference an XML file?
Hi Folks,

Many thanks to Scott, Eric, and Nick for their help! I would like to summarize what I've learned. I would appreciate notification of any mistakes that I have made in my summary.

The purpose of an Authentication Context is to provide information about an Identity Provider's security policies, and the particular method that he used to identify a Subject. For example, here is information that an Authentication Context may contain:

- Passwords must be at least 8 characters in length and must contain both upper and lower case letters. Passwords must be changed at least every six months. And so forth.

- The Subject was authenticated through the presentation of a password over a protected session.

Thus, an Authentication Context provides information about the context in which an Identity Provider does authentication.

Before any SAML messages start flying between an Identity Provider and a Service Provider, they get together and come to a business agreement. The Identity Provider tells the Service Provider what kinds of security policies he has. The Service Provider tells the Identity Provider what kinds of security he needs. They come to some common understanding. Their lawyers may write up some legal documents. So actually the Authentication Context information has been established long before any SAML messages start flying.

Nonetheless, if a Service Provider requests, say, authentication of John Doe, the Identity Provider can respond with Authentication Context information. Often, the Service Provider will ignore it.
Here is an example of Authentication Context information that an Identity Provider sends to a Service Provider:

    <AuthnContext>
        <AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </AuthnContextClassRef>
        <AuthnContextDeclRef>
            http://www.AirlineInc.com/foo.xml
        </AuthnContextDeclRef>
    </AuthnContext>

The way to read this is: "The subject was authenticated through the presentation of a password over a protected session, and if you want to see the authentication details then view foo.xml at this URL: http://www.AirlineInc.com/foo.xml"

Note that rather than giving a URL to an XML document which contains all the Authentication Context information, you can inline that XML document, e.g.,

    <AuthnContext>
        <AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </AuthnContextClassRef>
        <AuthnContextDecl>
            <AuthenticationContextDeclaration>
                -- all the information goes in here --
            </AuthenticationContextDeclaration>
        </AuthnContextDecl>
    </AuthnContext>

Comments?

/Roger
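The following is an added example, not part of Roger's post and not code from the OASIS specification, showing what a Service Provider would actually do with the two AuthnContext forms above: pull the ClassRef, DeclRef or inline Decl out of an assertion, compare the class against a required minimum, and decide whether a DeclRef URL may be dereferenced at all. The sample assertions are constructed for this example; the namespace URIs and class URNs are the standard SAML 2.0 ones, but the numeric ranking of classes is an assumption (SAML defines no ordering of authentication context classes; which class counts as "at least as strong" is exactly the business agreement the post describes). The allow-list check reflects the practitioner's caveat that a DeclRef is an attacker-influenced URL inside a message and must not be fetched blindly.

```python
"""Service-provider-side handling of AuthnContext in a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"     # saml: prefix
AC_NS = "urn:oasis:names:tc:SAML:2.0:ac"               # namespace of AuthenticationContextDeclaration
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"         # prefix of the standard class URNs

# ASSUMPTION: a deployment-defined ranking agreed between SP and IdP. SAML itself
# does not order these classes; equal numbers mean "treated as equivalent here".
CLASS_RANK = {
    AC + "unspecified": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "Kerberos": 2,
    AC + "TLSClient": 3,
    AC + "X509": 3,
    AC + "SmartcardPKI": 4,
}

# Constructed sample: the DeclRef form from the post, wrapped in a minimal Assertion.
SAMPLE_DECLREF = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>
        {AC}PasswordProtectedTransport
      </saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>http://www.AirlineInc.com/foo.xml</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: the inline Decl form (declaration body left empty).
SAMPLE_INLINE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ac="{AC_NS}" ID="_def456" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}Password</saml:AuthnContextClassRef>
      <saml:AuthnContextDecl>
        <ac:AuthenticationContextDeclaration/>
      </saml:AuthnContextDecl>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _uri_text(el):
    # ClassRef/DeclRef are xsd:anyURI, whose whitespace is collapsed, so strip.
    return (el.text or "").strip()


def parse_authn_context(assertion_xml):
    """Return the AuthnContext of the first AuthnStatement as a dict.

    Signature verification is deliberately out of scope: in production the
    assertion must be signature-checked (and parsed with a hardened XML
    parser) before any of its contents are trusted.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", ns)
    if ctx is None:
        raise ValueError("assertion carries no AuthnContext")
    class_ref = ctx.find("saml:AuthnContextClassRef", ns)
    decl_ref = ctx.find("saml:AuthnContextDeclRef", ns)
    decl = ctx.find("saml:AuthnContextDecl", ns)
    inline_tag = decl[0].tag if (decl is not None and len(decl)) else None
    return {
        "class_ref": _uri_text(class_ref) if class_ref is not None else None,
        "decl_ref": _uri_text(decl_ref) if decl_ref is not None else None,
        "decl": inline_tag,   # Clark-notation tag of the inline declaration, if any
    }


def meets_minimum(class_ref, required, rank=CLASS_RANK):
    """True if class_ref is at least as strong as required under the agreed ranking.

    Fails closed: a class unknown to the agreement never satisfies the policy.
    """
    if class_ref not in rank or required not in rank:
        return False
    return rank[class_ref] >= rank[required]


def decl_ref_allowed(decl_ref, allowed_hosts):
    """Only dereference a DeclRef whose host was agreed with the IdP out of band.

    The URL comes from the message, so fetching it unconditionally would let a
    forged or tampered assertion make the SP issue requests to arbitrary hosts.
    """
    if not decl_ref:
        return False
    u = urlparse(decl_ref)
    return u.scheme in ("http", "https") and u.hostname is not None \
        and u.hostname.lower() in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    for sample in (SAMPLE_DECLREF, SAMPLE_INLINE):
        ctx = parse_authn_context(sample)
        print(ctx, "strong enough:", meets_minimum(ctx["class_ref"], AC + "PasswordProtectedTransport"),
              "may fetch decl:", decl_ref_allowed(ctx["decl_ref"], {"www.airlineinc.com"}))
```

In practice most SPs stop at the ClassRef comparison, which matches the post's observation that the declaration is usually ignored; the DeclRef branch exists for the rare SP that audits the full declaration, and even then only against hosts fixed in the bilateral agreement.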