saml-dev message



Subject: [Summary] Does an Authentication Context URN actually reference an XML file?


Hi Folks,

Many thanks to Scott, Eric, and Nick for their help!

I would like to summarize what I've learned.  I would appreciate
notification of any mistakes that I have made in my summary.

The purpose of an Authentication Context is to provide information
about an Identity Provider's security policies, and the particular
method that he used to identify a Subject. 

For example, here is information that an Authentication Context may
contain:
    - Passwords must be at least 8 characters in length and
      must contain both upper and lower case letters.  Passwords
      must be changed at least every six months.  And so forth.
    - The Subject was authenticated through the presentation of
      a password over a protected session.

Thus, an Authentication Context provides information about the context
in which an Identity Provider does authentication.

Before any SAML messages start flying between an Identity Provider and
a Service Provider, they get together and come to a business agreement.
The Identity Provider tells the Service Provider what kinds of security
policies he has.  The Service Provider tells the Identity Provider what
kinds of security he needs.  They come to some common understanding.
Their lawyers may write up some legal documents.

So actually the Authentication Context information has been established
long before any SAML messages start flying. 

Nonetheless, if a Service Provider requests, say, authentication of
John Doe, the Identity Provider can respond with Authentication Context
information.  Often, the Service Provider will ignore it.

Here is an example of Authentication Context information that an
Identity Provider sends to a Service Provider:

        <AuthnContext>
            <AuthnContextClassRef>
                urn:oasis:names:tc:2.0:ac:classes:PasswordProtectedTransport
            </AuthnContextClassRef>
            <AuthnContextDeclRef>
                http://www.AirlineInc.com/foo.xml
            </AuthnContextDeclRef>
        </AuthnContext>

The way to read this is: 

"The subject was authenticated through the presentation of a password
over a protected session, and if you want to see the authentication
details then view foo.xml at this URL:
http://www.AirlineInc.com/foo.xml"

Note that rather than giving a URL to an XML document which contains
all the Authentication Context information, you can inline that XML
document, e.g.,

        <AuthnContext>
            <AuthnContextClassRef>
                urn:oasis:names:tc:2.0:ac:classes:PasswordProtectedTransport
            </AuthnContextClassRef>
            <AuthnContextDecl>
                <AuthenticationContextDeclaration>
                    -- all the information goes in here --
                </AuthenticationContextDeclaration>
            </AuthnContextDecl>
        </AuthnContext>

Comments? /Roger
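As an added illustration of the Service Provider side of the exchange summarized above (this is example code written for this archive page, not part of Roger's message and not OASIS or any SAML library code), the following Python reads the AuthnContext out of an AuthnStatement and decides whether the asserted authentication class meets the Service Provider's pre-agreed requirement. It handles both forms shown in the message: a declaration reference (a URL) and an inline declaration. The sample XML is constructed here; it uses the SAML 2.0 assertion namespace and the PasswordProtectedTransport class URI as defined in the SAML 2.0 Authentication Context specification. Note that the declaration reference is only recorded, never fetched: the declaration content was agreed out of band, and a Service Provider should not automatically retrieve a URL that arrives inside an assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC_NS = "urn:oasis:names:tc:SAML:2.0:ac"
NS = {"saml": SAML_NS}

# Class URIs from the SAML 2.0 Authentication Context specification.
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Constructed sample 1: class reference plus a declaration reference (URL).
SAMPLE_DECL_REF = f"""<saml:AuthnStatement xmlns:saml="{SAML_NS}"
    AuthnInstant="2004-12-05T09:22:00Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>
      {PASSWORD_PROTECTED_TRANSPORT}
    </saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef>http://www.AirlineInc.com/foo.xml</saml:AuthnContextDeclRef>
  </saml:AuthnContext>
</saml:AuthnStatement>"""

# Constructed sample 2: class reference plus an inline declaration.
SAMPLE_INLINE = f"""<saml:AuthnStatement xmlns:saml="{SAML_NS}"
    AuthnInstant="2004-12-05T09:22:00Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef>
    <saml:AuthnContextDecl>
      <AuthenticationContextDeclaration xmlns="{AC_NS}">
        <!-- the Identity Provider's policy details go here -->
      </AuthenticationContextDeclaration>
    </saml:AuthnContextDecl>
  </saml:AuthnContext>
</saml:AuthnStatement>"""


def parse_authn_context(xml_text):
    """Extract the AuthnContext from an AuthnStatement (or a bare AuthnContext).

    Returns a dict with the class URI, the declaration reference URL (if any),
    and whether an inline declaration was present. Whitespace around the URI
    is stripped, since the text is commonly pretty-printed across lines.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}AuthnContext":
        ctx = root
    else:
        ctx = root.find("saml:AuthnContext", NS)
    if ctx is None:
        raise ValueError("no AuthnContext element found")

    class_ref = ctx.findtext("saml:AuthnContextClassRef", default="", namespaces=NS)
    decl_ref = ctx.findtext("saml:AuthnContextDeclRef", default="", namespaces=NS)
    inline_decl = ctx.find("saml:AuthnContextDecl", NS) is not None

    return {
        "class_ref": class_ref.strip() or None,
        # Recorded for logging/audit only; the URL is deliberately never fetched.
        "decl_ref": decl_ref.strip() or None,
        "inline_decl": inline_decl,
    }


def accept_authn_context(ctx, acceptable_classes):
    """Service Provider policy check.

    The decision is driven by the class reference agreed in advance with the
    Identity Provider; a missing class reference is rejected rather than
    treated as "unspecified but fine".
    """
    if not ctx["class_ref"]:
        return False
    return ctx["class_ref"] in acceptable_classes


if __name__ == "__main__":
    for sample in (SAMPLE_DECL_REF, SAMPLE_INLINE):
        parsed = parse_authn_context(sample)
        ok = accept_authn_context(parsed, {PASSWORD_PROTECTED_TRANSPORT})
        print(parsed, "->", "accepted" if ok else "rejected")
```

The acceptable-class set stands in for the business agreement the message describes: the Service Provider encodes what it agreed to accept, and anything else in the assertion (including the declaration reference) is informational.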


