Subject: [security-services] Issue DS-9-06 - Locating Authorities - text and schema changes


After conferring with Prateek, here are suggested schema changes and
text that clarify the use of the AuthorityBinding element and its
expected usage.

The schema for saml:AuthorityBindingType as defined in assertion-25 is:

<complexType name="AuthorityBindingType">
  <attribute name="AuthorityKind" type="saml:AuthorityKindType" />
  <attribute name="Binding" type="anyURI" />
</complexType>

To achieve proper interoperability, we should add an attribute to this
element type to specify the binding protocol supported by the Binding
URI, and also we should make all three attributes required. Leaving one
out would lack clear semantics.

The new type definition would be:

<complexType name="AuthorityBindingType">
  <attribute name="AuthorityKind" type="saml:AuthorityKindType" use="required"/>
  <attribute name="Binding" type="anyURI" use="required"/>
  <attribute name="Protocol" type="anyURI" use="required"/>
</complexType>

In core-25, replace section 2.4.3.2 with the following text:

The <AuthorityBinding> element may be used to indicate to a relying
party receiving an AuthenticationStatement that a SAML authority may be
available to provide additional information about the subject of the
statement. A single SAML authority may advertise its presence over
multiple protocols, at multiple locations, and as more than one kind of
authority by sending multiple elements as needed.

AuthorityKind [Required]
The type of SAML authority (Authentication, Attribute, or Authorization
Decision) which is being advertised by the element. The kind of
authority corresponds to the derived type of SubjectQuery which the
authority expects to receive (and is likely to be able to successfully
answer) at the location being advertised. For example, a value of
"attribute" means that an AttributeQuery is expected.

Protocol [Required]
A URI identifying the SAML binding protocol to use in communicating with
the authority. All SAML protocols have an assigned URI.

Binding [Required]
A URI describing how to locate and communicate with the authority, the
exact syntax of which depends on the protocol in use. For example, a
binding based on HTTP will be a web URL, while a binding based on SMTP
might use the "mailto" scheme.

-- Scott

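As an added example (not part of the message above, and not code from any SAML implementation), the following Python shows how a relying party could check an advertised AuthorityBinding against the proposed three-attribute schema before trusting it: all three attributes must be present, the AuthorityKind must be a known kind, and the Binding URI's scheme must fit the named Protocol (a web URL for the SOAP-over-HTTP binding, a "mailto" URI for an SMTP-based one). It also applies a relying-party allow-list of authority hosts, since an assertion can advertise any location it likes. Assumptions not in the message: the enumerated AuthorityKind values, the SAML assertion namespace, the SAML 1.0 SOAP binding URI used as a Protocol value, and a placeholder URI for an SMTP binding.

```python
"""Relying-party checks on a proposed saml:AuthorityBinding element.

Added example; not from the original message or any SAML toolkit.
Assumed (not stated in the message): the AuthorityKind values below, the
SAML 1.0 assertion namespace, and the SOAP binding URI. The SMTP binding
URI is a placeholder invented for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"          # assumed namespace
SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"  # SAML 1.0 SOAP binding
SMTP_BINDING = "urn:example:saml:bindings:SMTP-binding"    # hypothetical placeholder

# Assumed enumeration for saml:AuthorityKindType.
AUTHORITY_KINDS = {"authentication", "attribute", "authorization_decision"}

# Which Binding URI schemes make sense for each Protocol value.
PROTOCOL_SCHEMES = {SOAP_BINDING: {"https"}, SMTP_BINDING: {"mailto"}}


def binding_host(url):
    """Extract the host an advertised Binding points at (mailto has no netloc)."""
    parsed = urlparse(url)
    if parsed.scheme == "mailto":
        return parsed.path.rpartition("@")[2]
    return parsed.hostname


def validate_authority_binding(elem, allowed_hosts):
    """Return a list of problems; an empty list means the advertisement is usable."""
    problems = []
    # All three attributes are required under the proposed schema.
    for name in ("AuthorityKind", "Binding", "Protocol"):
        if name not in elem.attrib:
            problems.append(f"missing required attribute {name}")
    if problems:
        return problems

    kind = elem.get("AuthorityKind")
    if kind not in AUTHORITY_KINDS:
        problems.append(f"unknown AuthorityKind {kind!r}")

    protocol = elem.get("Protocol")
    schemes = PROTOCOL_SCHEMES.get(protocol)
    if schemes is None:
        problems.append(f"unsupported Protocol {protocol!r}")
        return problems

    # The Binding syntax depends on the Protocol: check the scheme matches.
    binding = elem.get("Binding")
    scheme = urlparse(binding).scheme
    if scheme not in schemes:
        problems.append(f"Binding scheme {scheme!r} does not match Protocol")

    # Never follow an advertised location outside the relying party's allow-list.
    host = binding_host(binding)
    if host not in allowed_hosts:
        problems.append(f"authority host {host!r} not in relying party allow-list")
    return problems


def parse_bindings(xml_text):
    """Return all AuthorityBinding children of the given statement."""
    root = ET.fromstring(xml_text)
    return root.findall(f"{{{SAML_NS}}}AuthorityBinding")


def usable_bindings(xml_text, allowed_hosts, kind):
    """Binding URIs of advertisements for `kind` that pass every check."""
    return [
        b.get("Binding")
        for b in parse_bindings(xml_text)
        if b.get("AuthorityKind") == kind and not validate_authority_binding(b, allowed_hosts)
    ]


# Constructed sample: one good advertisement and three defective ones.
SAMPLE = f"""
<saml:AuthenticationStatement xmlns:saml="{SAML_NS}">
  <saml:AuthorityBinding AuthorityKind="attribute" Protocol="{SOAP_BINDING}"
      Binding="https://idp.example.org/saml/attribute"/>
  <saml:AuthorityBinding AuthorityKind="attribute" Protocol="{SOAP_BINDING}"
      Binding="http://idp.example.org/saml/attribute"/>
  <saml:AuthorityBinding AuthorityKind="authorization_decision"
      Binding="https://idp.example.org/saml/authz"/>
  <saml:AuthorityBinding AuthorityKind="attribute" Protocol="{SMTP_BINDING}"
      Binding="mailto:saml@other.example.net"/>
</saml:AuthenticationStatement>
"""

if __name__ == "__main__":
    for b in parse_bindings(SAMPLE):
        print(b.get("Binding"), validate_authority_binding(b, {"idp.example.org"}))
    print(usable_bindings(SAMPLE, {"idp.example.org"}, "attribute"))
```

The allow-list is the part a practitioner should not skip: the schema change makes the advertisement unambiguous, but it is still the asserting party that chooses the location, so the relying party decides which hosts it is willing to query.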