Subject: Alt. merged AuthnRequest schema
Here's an alternate take on my earlier idea in which it is just one request message with different optional bits based on the use case. Another difference in thinking is to leave the question of how impersonation is represented to the SAML authority (or profiles, perhaps). This just requests a new assertion and includes a hint about the authenticating entity making the request (could be used to help interpret the credentials), and optionally specifies the subject of the resulting assertion, the AuthorizationIdentity.

Some of the AuthnRequest pieces still seem useful for the non-browser cases. NameIDPolicy is a way of specifying a subject one way in the request but asking that the token represent that subject in an alternate form. I doubt ForceAuthn is of much use, but IsPassive could be. I'm not sure about RequestAuthnContext.

-- Scott

    <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
    <complexType name="AuthnRequestType">
      <complexContent>
        <extension base="samlp:RequestAbstractType">
          <sequence>
            <!-- hint about the entity making the request -->
            <element ref="samlp:AuthenticationIdentity" minOccurs="0"/>
            <!-- subject of the assertion being requested -->
            <element ref="samlp:AuthorizationIdentity" minOccurs="0"/>
            <element ref="samlp:NameIDPolicy" minOccurs="0"/>
            <element ref="saml:ConfirmationMethod" minOccurs="0"/>
            <element ref="saml:Conditions" minOccurs="0"/>
            <choice minOccurs="0">
              <element ref="samlp:ForceAuthn"/>
              <element ref="samlp:IsPassive"/>
            </choice>
            <element ref="samlp:RequestAuthnContext" minOccurs="0"/>
            <element ref="samlp:ProtocolProfile" minOccurs="0"/>
            <element ref="samlp:AssertionConsumerServiceID" minOccurs="0"/>
            <element ref="samlp:Scoping" minOccurs="0"/>
          </sequence>
          <attribute ref="consent" use="optional"/>
        </extension>
      </complexContent>
    </complexType>

    <element name="AuthenticationIdentity" type="saml:NameIdentifierType"/>
    <!-- saml:SubjectType is the complex type; saml:Subject is the element -->
    <element name="AuthorizationIdentity" type="saml:SubjectType"/>

    <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
    <complexType name="NameIDPolicyType">
      <sequence/>
      <attribute name="Format" type="anyURI" use="optional"/>
      <attribute name="SPNameQualifier" type="string" use="optional"/>
    </complexType>

    <simpleType name="AuthnContextComparisonType">
      <restriction base="string">
        <enumeration value="exact"/>
        <enumeration value="minimum"/>
        <enumeration value="better"/>
        <enumeration value="maximum"/>
      </restriction>
    </simpleType>

    <element name="RequestAuthnContext">
      <complexType>
        <sequence>
          <choice>
            <element name="AuthnContextClassRef" type="anyURI" maxOccurs="unbounded"/>
            <element name="AuthnContextStatementRef" type="anyURI" maxOccurs="unbounded"/>
          </choice>
          <!-- type reference qualified with the samlp: prefix like the others -->
          <element name="AuthnContextComparison" type="samlp:AuthnContextComparisonType" minOccurs="0"/>
        </sequence>
      </complexType>
    </element>

    <element name="ForceAuthn" type="boolean"/>
    <element name="IsPassive" type="boolean"/>
    <element name="ProtocolProfile" type="anyURI"/>
    <element name="AssertionConsumerServiceID" type="string"/>

    <element name="Scoping" type="samlp:ScopingType"/>
    <complexType name="ScopingType">
      <sequence>
        <!-- element references qualified with the samlp: prefix; IDPList is declared outside this excerpt -->
        <element ref="samlp:ProxyCount" minOccurs="0"/>
        <element ref="samlp:IDPList" minOccurs="0"/>
        <element ref="samlp:ReqProviderID" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
    </complexType>
    <element name="ProxyCount" type="nonNegativeInteger"/>
    <element name="ReqProviderID" type="string"/>
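Since the proposal leaves the impersonation question to the SAML authority, the authority has to decide for itself whether the AuthenticationIdentity in a request may obtain an assertion about a different AuthorizationIdentity. The following is an added illustration, not code from the message or from any SAML implementation: it parses a request instance built to the proposed schema and applies a delegation policy; the namespace URIs, the sample request and the policy table are constructed assumptions.

```python
# Added example: authority-side evaluation of an AuthnRequest shaped like the
# proposed schema. Namespace URIs, sample request and policy are constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # assumed namespace URIs
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Which authenticating entities may request assertions about which subjects.
# Constructed policy table; a real authority would consult its configuration.
DELEGATION_POLICY = {
    "https://gateway.example.org": {"alice@example.org", "bob@example.org"},
}

def evaluate_request(xml_text, policy=DELEGATION_POLICY):
    """Return (decision, subject, requested_format) for one AuthnRequest.

    decision is "self", "delegated" or "denied". The schema only carries who is
    asking (AuthenticationIdentity) and who the assertion should be about
    (AuthorizationIdentity); whether that pairing is permitted is the
    authority's decision, which is what this function makes.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    authn = root.find("samlp:AuthenticationIdentity", NS)
    if authn is None or not (authn.text or "").strip():
        raise ValueError("AuthenticationIdentity missing")
    requester = authn.text.strip()
    # AuthorizationIdentity is a saml:SubjectType, so the name sits in a child
    authz = root.find("samlp:AuthorizationIdentity/saml:NameIdentifier", NS)
    subject = authz.text.strip() if authz is not None and authz.text else requester
    policy_el = root.find("samlp:NameIDPolicy", NS)
    fmt = policy_el.get("Format") if policy_el is not None else None
    if subject == requester:
        return "self", subject, fmt
    if subject in policy.get(requester, set()):
        return "delegated", subject, fmt
    return "denied", subject, fmt

# Constructed sample: a gateway asks for an assertion about alice and asks that
# the subject be expressed as an e-mail address in the resulting token.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:AuthenticationIdentity>https://gateway.example.org</samlp:AuthenticationIdentity>
  <samlp:AuthorizationIdentity>
    <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
  </samlp:AuthorizationIdentity>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""
```

A request with no AuthorizationIdentity falls back to the requester as subject, which is the non-delegated case the message describes.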