security-services message
Subject: RE: schema 16 comments: query by artifact, another argument


Another argument in support of QueryKey element:
 
Authentication query in schema 16 includes saml:ConfirmationMethod that is optionally specified
by the relying party.
 
If we query authn assertion by artifact in the way it is currently defined we cannot provide it.
 
i.e. Destination site using 'pull' browser profile will not be able to supply saml:ConfirmationMethod,
although it may wish to do so.
 
Using QueryKey element we can issue complete authn query.
 
Simon
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Wednesday, September 05, 2001 6:21 PM
To: pbaker@verisign.com; 'pmishra@netegrity.com'
Cc: 'security-services@lists.oasis-open.org'
Subject: RE: schema 16 comments: query by artifact.

Corrections (sorry)
 
<element name="QueryKey" type="samlp:QueryKeyType"/>
 
<complexType name="QueryKeyType">
    ... same as below...
</complexType>
 
Simon Godik
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Wednesday, September 05, 2001 5:46 PM
To: 'hallam@verisign.com'; 'pmishra@netegrity.com'
Cc: 'security-services@lists.oasis-open.org'
Subject: schema 16 comments: query by artifact.

Protocol schema 16 defines samlp:AssertionArtifact to satisfy browser profile flows.

In our discussions it was pointed out that different types of assertions could be requested by artifact:
authentication and attribute.

Current request schema does not let you specify what type of assertion is needed with
query by artifact. Moreover, if attribute assertion is desired we cannot specify what attributes are to be returned.

To address these concerns I would like to propose samlp:QueryKey element that is a choice of
a subject or an artifact.

<complexType name="QueryKey">
        <choice>
                <element ref="saml:Subject"/>
                <element ref="samlp:AssertionArtifact"/>
        </choice>
</complexType>

To include this element in protocol schema we can either
1: redefine SubjectQueryAbstractType to include QueryKey:

<complexType name="SubjectQueryAbstractType" abstract="true">
        <complexContent>
                <extension base="samlp:QueryAbstractType">
                        <sequence>
                                <element ref="samlp:QueryKey"/>
                        </sequence>
                </extension>
        </complexContent>
</complexType>

2: Leave SubjectQueryAbstract type alone and create parallel query structure around QueryKey.

Simon Godik
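The following is an added example, not code from this thread or from the OASIS SSTC. It shows what a relying party's request parser would have to enforce if QueryKey were adopted as proposed above: a query is keyed by exactly one of saml:Subject or samlp:AssertionArtifact (the xsd:choice), and, as the reply at the top of the thread argues, an artifact-keyed authentication query can still carry the relying party's optional saml:ConfirmationMethod. The namespace URIs are the SAML 1.0 ones and are assumed here for the 2001 schema-16 draft; placing ConfirmationMethod as a direct child of the query is likewise an assumption, and the sample requests, artifact string and confirmation-method URI are constructed placeholders.

```python
"""Structural check of the proposed samlp:QueryKey element.

Added example; not from the original thread. Namespaces and element
placement are assumptions documented inline.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # assumed for the schema-16 draft
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # assumed for the schema-16 draft
NS = {"saml": SAML, "samlp": SAMLP}


def check_query_key(query_xml: str) -> dict:
    """Summarise a query that carries a samlp:QueryKey.

    Enforces the choice semantics of the proposal: the QueryKey holds exactly
    one child, and it is either saml:Subject or samlp:AssertionArtifact.
    Reports the key type, the key value (NameIdentifier text or artifact text)
    and any saml:ConfirmationMethod the relying party attached (assumed here
    to be a direct child of the query element).
    """
    root = ET.fromstring(query_xml)
    key = root.find("samlp:QueryKey", NS)
    if key is None:
        raise ValueError("query has no samlp:QueryKey")

    children = list(key)
    if len(children) != 1:
        raise ValueError(
            f"QueryKey must hold exactly one child (Subject or AssertionArtifact), got {len(children)}"
        )
    child = children[0]

    if child.tag == f"{{{SAML}}}Subject":
        key_type = "Subject"
        key_value = child.findtext("saml:NameIdentifier", default="", namespaces=NS)
    elif child.tag == f"{{{SAMLP}}}AssertionArtifact":
        key_type = "AssertionArtifact"
        key_value = (child.text or "").strip()
    else:
        raise ValueError(f"unexpected QueryKey child {child.tag}")

    confirmation = root.find("saml:ConfirmationMethod", NS)
    return {
        "key_type": key_type,
        "key_value": key_value,
        "confirmation_method": (confirmation.text or "").strip() if confirmation is not None else None,
    }


# Constructed sample requests (placeholders, not real SAML traffic).
ARTIFACT_QUERY = f"""
<samlp:AuthenticationQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:QueryKey>
    <samlp:AssertionArtifact>AAExampleArtifactPlaceholder==</samlp:AssertionArtifact>
  </samlp:QueryKey>
  <saml:ConfirmationMethod>urn:example:confirmation-method-placeholder</saml:ConfirmationMethod>
</samlp:AuthenticationQuery>
"""

SUBJECT_QUERY = f"""
<samlp:AuthenticationQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:QueryKey>
    <saml:Subject>
      <saml:NameIdentifier>alice@example.com</saml:NameIdentifier>
    </saml:Subject>
  </samlp:QueryKey>
</samlp:AuthenticationQuery>
"""

# Invalid: both alternatives of the choice are present.
BOTH_QUERY = f"""
<samlp:AuthenticationQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:QueryKey>
    <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
    <samlp:AssertionArtifact>AAExampleArtifactPlaceholder==</samlp:AssertionArtifact>
  </samlp:QueryKey>
</samlp:AuthenticationQuery>
"""


if __name__ == "__main__":
    print(check_query_key(ARTIFACT_QUERY))
    print(check_query_key(SUBJECT_QUERY))
    try:
        check_query_key(BOTH_QUERY)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately structural: a real implementation would validate against the XSD, but the hand-written choice enforcement makes the point of the proposal visible, namely that artifact-keyed and subject-keyed queries share one query structure, so the same optional elements (here ConfirmationMethod) are available to both.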


