Subject: Changes to fix text for "AuthenticationMethod" attribute.
Hi folks...

Note that in addition to the changes in section 3.3.3 (AuthenticationQuery) we discussed on today's call, the changes to fix the AuthenticationMethod attribute issue also impacted section 7.1. Could folks please carefully review the text and let me know if I've screwed anything up.

Jahan - in the errata, please also mention the impact on section 7.1.

Section 3.3.3:

Core draft 10 lines 1114-1128 are currently:

------------------------------------------
This element is of type AuthenticationQueryType, which extends SubjectQueryAbstractType with the addition of the following element:

<AuthenticationMethod> [Optional]
    A filter for possible responses. If it is present, the query made is "What assertions containing authentication statements do you have for this subject with the supplied authentication method?"

In response to an authentication query, a SAML authority returns assertions with authentication statements as follows:

* Rules given in Section 3.4.4 for matching against the <Subject> element of the query identify the assertions that may be returned.

* If the <AuthenticationMethod> element is present in the query, at least one <AuthenticationMethod> element in the set of returned assertions MUST match. It is OPTIONAL for the complete set of all such matching assertions to be returned in the response.

* If any <RespondWith> elements are present and none of them contain "saml:AuthenticationStatement", then the SAML authority returns no assertions with authentication statements. (See Section 3.2.1.1 for more information.)
------------------------------------------

I've replaced the -10 text with:

------------------------------------------
This element is of type AuthenticationQueryType, which extends SubjectQueryAbstractType with the addition of the following attribute:

AuthenticationMethod [Optional]
    If present, specifies a filter for possible responses. Such a query asks the question "What assertions containing authentication statements do you have for this subject with the supplied authentication method?"

In response to an authentication query, a SAML authority returns assertions with authentication statements as follows:

* Rules given in Section 3.4.4 for matching against the <Subject> element of the query identify the assertions that may be returned.

* If the AuthenticationMethod attribute is present in the query, at least one <AuthenticationStatement> element in the set of returned assertions MUST contain an AuthenticationMethod attribute that matches the AuthenticationMethod attribute in the query. It is OPTIONAL for the complete set of all such matching assertions to be returned in the response.

* If any <RespondWith> elements are present and none of them contain "saml:AuthenticationStatement", then the SAML authority returns no assertions with authentication statements. (See Section 3.2.1.1 for more information.)
------------------------------------------

Also... Section 7.1 referred to AuthenticationMethod as an element. So I've taken the editorial privilege to adjust that section as well even though we did not discuss it on the con-call. Please let me know of objections or suggested changes.

The core draft 10 spec from lines 1826-1833 contained:

------------------------------------------
7.1 Authentication Method Identifiers

The <AuthenticationMethod> and <SubjectConfirmationMethod> elements perform different functions, although both can refer to the same underlying mechanisms. <AuthenticationMethod> is a part of an authentication statement, which describes an authentication act that occurred in the past. The <AuthenticationMethod> element indicates how that authentication was done. Note that the authentication statement does not provide the means to perform that authentication, such as a password, key, or certificate.

In contrast, <SubjectConfirmationMethod> is a part of the <SubjectConfirmation> element, ...
------------------------------------------

I have changed this to:

------------------------------------------
7.1 Authentication Method Identifiers

The AuthenticationMethod attribute of an <AuthenticationStatement> and the <SubjectConfirmationMethod> element of a SAML subject perform different functions, although both can refer to the same underlying mechanisms. An authentication statement with an AuthenticationMethod attribute describes an authentication act that occurred in the past. The AuthenticationMethod attribute indicates how that authentication was done. Note that the authentication statement does not provide the means to perform that authentication, such as a password, key, or certificate.

In contrast, <SubjectConfirmationMethod> is a part of the <SubjectConfirmation> element, ...
------------------------------------------

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
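
The revised section 3.3.3 response rules quoted in the message above, as an added Python example that is not part of the original message or of the SAML specification. It applies the <RespondWith> rule and the AuthenticationMethod attribute filter to assertions that are assumed to have already passed the Section 3.4.4 <Subject> matching. Assumptions: the namespace and method URIs are SAML 1.0 style sample values, "matches" is treated as exact string equality, <RespondWith> values are compared as literal strings, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumed namespace and method identifiers (SAML 1.0 style); all data is constructed.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

def _assertion(aid, methods):
    """Build a constructed assertion with one authentication statement per method."""
    stmts = "".join(
        f'<saml:AuthenticationStatement AuthenticationMethod="{m}" '
        f'AuthenticationInstant="2002-04-01T12:00:00Z"/>' for m in methods)
    return ET.fromstring(
        f'<saml:Assertion xmlns:saml="{SAML}" AssertionID="{aid}">{stmts}</saml:Assertion>')

# Constructed candidates, assumed to have already matched the query <Subject>.
SUBJECT_MATCHED = [
    _assertion("a1", [PASSWORD]),
    _assertion("a2", [X509]),
    _assertion("a3", [X509, PASSWORD]),
    _assertion("a4", []),  # carries no authentication statement
]

def answer_authentication_query(candidates, authentication_method=None, respond_with=()):
    """Return the AssertionIDs an authority could send back for the query."""
    # <RespondWith> present but none names saml:AuthenticationStatement:
    # no assertions with authentication statements are returned.
    if respond_with and "saml:AuthenticationStatement" not in respond_with:
        return []
    selected = []
    for assertion in candidates:
        stmts = assertion.findall(f"{{{SAML}}}AuthenticationStatement")
        if not stmts:
            continue  # the query only concerns authentication statements
        # AuthenticationMethod is an attribute of the statement, not a child element.
        methods = {s.get("AuthenticationMethod") for s in stmts}
        # Attribute absent from the query means no filtering on method. Keeping only
        # assertions that match individually is stricter than the "at least one in
        # the returned set" rule, and returning all of them is the OPTIONAL case.
        if authentication_method is None or authentication_method in methods:
            selected.append(assertion.get("AssertionID"))
    return selected
```
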