Subject: Additional Problems with SAML2 AuthnContext Schemas
It appears that there are still a few schema validity problems in the latest set of
authentication context schemas (authn-ctx-schemas-03.zip). All the issues are similar
in nature to the ones that Bryan Field-Elliot brought up last week and involve invalid
restrictions. When a complex type is derived by restriction, the values represented
by the new type must be a subset of the values represented by the base type.

Below is one example of the remaining problems. A base type is defined in
sstc-saml-schema-authn-context-types-2.0.xsd:

  <xs:complexType name="PrincipalAuthenticationMechanismType">
    <xs:sequence>
      <xs:choice>
        <xs:element ref="Password"/>
        <xs:element ref="Token"/>
        <xs:element ref="Smartcard"/>
        <xs:element ref="ActivationPin"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="preauth" type="xs:integer" use="optional"/>
  </xs:complexType>

And in sstc-saml-schema-authn-context-softwarepki-2.0.xsd a new type is derived by
restriction:

  <xs:complexType name="PrincipalAuthenticationMechanismType">
    <xs:complexContent>
      <xs:restriction base="PrincipalAuthenticationMechanismType">
        <xs:sequence>
          <xs:element ref="ActivationPin"/>
          <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:restriction>
    </xs:complexContent>
  </xs:complexType>

The problem here is that the base type uses a choice and the derived type uses a
sequence. The sequence would allow the derived type to have a superset of the content
defined in the base type and this is not allowed. One potential solution would be to
change the restricted type like such:

  <xs:complexType name="PrincipalAuthenticationMechanismType">
    <xs:complexContent>
      <xs:restriction base="PrincipalAuthenticationMechanismType">
        <xs:choice>
          <xs:element ref="ActivationPin"/>
          <xs:element ref="Extension" minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
      </xs:restriction>
    </xs:complexContent>
  </xs:complexType>

I’m fairly unfamiliar with the authentication stuff so I’m not sure if that solution
would satisfy the original business intent but it does illustrate one potential way to
work around the validity issues.

I ran across similar problems in all of the following schema files from
authn-ctx-schemas-03.zip:

  sstc-saml-schema-authn-context-pgp-2.0.xsd
  sstc-saml-schema-authn-context-x509-2.0.xsd
  sstc-saml-schema-authn-context-softwarepki-2.0.xsd
  sstc-saml-schema-authn-context-spki-2.0.xsd
  sstc-saml-schema-authn-context-srp-2.0.xsd
  sstc-saml-schema-authn-context-kerberos-2.0.xsd
  sstc-saml-schema-authn-context-smartcardpki-2.0.xsd
  sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd
  sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd
  sstc-saml-schema-authn-context-xmldsig-2.0.xsd
  sstc-saml-schema-authn-context-sslcert-2.0.xsd

The following diff (where authn-ctx-schemas-03 is a directory with the expanded content
of authn-ctx-schemas-03.zip and modified-ac-schemas contains the same files with my
changes) shows the few minor changes I made to work around all the schema validity
problems I found. Again, I don’t know that these ‘fixes’ satisfy the original intent of
the TC so they may not be acceptable. But they do provide some context around the
problem and one potential way to resolve the validity issues.

diff
authn-ctx-schemas-03/sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd
modified-ac-schemas/sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd 68,75d67 <
<xs:sequence> <
<xs:element ref="Password" minOccurs="1"/> <
<xs:choice> <
<xs:element ref="SharedSecretDynamicPlaintext"/> <
<xs:element ref="SharedSecretChallengeResponse"/> <
</xs:choice> <
<xs:element ref="Extension" maxOccurs="unbounded"/> < </xs:sequence> diff
authn-ctx-schemas-03/sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd
modified-ac-schemas/sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd 68,75d67 <
<xs:sequence> <
<xs:element ref="Password" minOccurs="1"/> <
<xs:choice> <
<xs:element ref="SharedSecretDynamicPlaintext"/> <
<xs:element ref="SharedSecretChallengeResponse"/> <
</xs:choice> <
<xs:element ref="Extension" maxOccurs="unbounded"/> <
</xs:sequence> diff
authn-ctx-schemas-03/sstc-saml-schema-authn-context-smartcardpki-2.0.xsd
modified-ac-schemas/sstc-saml-schema-authn-context-smartcardpki-2.0.xsd 63,64c63 <
<xs:sequence> <
<xs:element ref="ActivationPin"/> --- >
<xs:choice> 65a65 >
<xs:element ref="ActivationPin"/> 67c67 <
</xs:sequence> --- >
</xs:choice> diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-softwarepki-2.0.xsd
modified-ac-schemas/sstc-saml-schema-authn-context-softwarepki-2.0.xsd 63c63 <
<xs:sequence> --- >
<xs:choice> 65,66c65,66 <
<xs:element ref="Extension" minOccurs="0"
maxOccurs="unbounded"/> <
</xs:sequence> --- >
<xs:element ref="Extension" minOccurs="1"
maxOccurs="unbounded"/> >
</xs:choice> diff
authn-ctx-schemas-03/sstc-saml-schema-authn-context-types-2.0.xsd
modified-ac-schemas/sstc-saml-schema-authn-context-types-2.0.xsd 671c671,672 <
<xs:element ref="Extension" minOccurs="0" --- >
<xs:element ref="RestrictedPassword"/> >
<xs:element ref="Extension" minOccurs="0"

I hope that the next draft iteration of the ac schemas will address these issues.

Thanks,
Brian Campbell
Ping Identity
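Review bot: the 68,75d67 hunks for the mobiletwofactor-reg and mobiletwofactor-unreg schemas delete the restricted content model outright (Password, then a choice of SharedSecretDynamicPlaintext or SharedSecretChallengeResponse, then Extension) instead of restating it as a valid restriction, so the requirement for a Password plus one shared-secret mechanism is no longer expressed anywhere in those files. Dropping a constraint is a larger change than the "minor" label suggests; either keep it in a form that is a subset of the base choice or call the deletion out explicitly so the TC can decide whether the constraint was wanted.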
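Review bot: in the smartcardpki hunks (63,64c63, 65a65, 67c67) ActivationPin goes from a required member of a sequence to one branch of a choice, and it is re-inserted after line 65, which the diff does not show. Without that context one cannot tell what the other branches of the new choice are, so whether the result is actually a subset of the base choice (Password, Token, Smartcard, ActivationPin, Extension) cannot be checked from the diff alone; a context or unified diff of this file would let the TC verify it.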
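Review bot: the softwarepki hunks (63c63 and 65,66c65,66) make the restriction schema-valid but also change its meaning: the original sequence required an ActivationPin, while the new choice is satisfied by one or more Extension elements and no ActivationPin at all. The minOccurs="0" to minOccurs="1" change on Extension is not what restores validity either, because the base choice lists Extension with minOccurs="0" as well. If an ActivationPin is meant to be mandatory, a choice containing only the ActivationPin element is also a valid restriction of the base choice and keeps that requirement; the TC should confirm which reading is intended.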
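Review bot: the 671c671,672 hunk in the base types schema adds <xs:element ref="RestrictedPassword"/> ahead of the Extension element at line 671, but the enclosing type is not visible in the diff. Widening a base type's content model affects every schema that restricts it, so the change note should name the type being widened and which derived schema referenced RestrictedPassword, and confirm that RestrictedPassword is declared as a global element in that file.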
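As an added example (mine, not from the e-mail or the TC's schemas), the following Python checker makes the subset rule concrete: it enumerates the element sequences each content model accepts up to a length bound and reports what the derived model accepts that the base does not. The content models are the three fragments quoted in the message, wrapped in a constructed xmlns:xs declaration; it is a bounded approximation of XSD's particle-restriction rules, not a full validator.

```python
"""Added example, not from the e-mail or the SAML TC: enumerate the element sequences a
content model accepts (up to a length bound) and check a restriction accepts only a subset."""
import xml.etree.ElementTree as ET

NS = "http://www.w3.org/2001/XMLSchema"
# Content models transcribed from the e-mail; only the namespace wrapper is constructed.
BASE = f"""<xs:sequence xmlns:xs="{NS}"><xs:choice>
  <xs:element ref="Password"/><xs:element ref="Token"/><xs:element ref="Smartcard"/>
  <xs:element ref="ActivationPin"/>
  <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
</xs:choice></xs:sequence>"""
BROKEN = f"""<xs:sequence xmlns:xs="{NS}"><xs:element ref="ActivationPin"/>
  <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/></xs:sequence>"""
FIXED = f"""<xs:choice xmlns:xs="{NS}"><xs:element ref="ActivationPin"/>
  <xs:element ref="Extension" minOccurs="1" maxOccurs="unbounded"/></xs:choice>"""

def _occurs(p):
    hi = p.get("maxOccurs", "1")
    return int(p.get("minOccurs", "1")), (None if hi == "unbounded" else int(hi))

def _repeat(once, lo, hi, bound):
    """Concatenate lo..hi (None = unbounded) pieces drawn from `once`, keeping length <= bound."""
    out, cur, n = set(), {()}, 0
    while cur and (hi is None or n <= hi) and n <= bound + 1:
        if n >= lo:
            out |= cur
        cur = {a + b for a in cur for b in once if len(a + b) <= bound}
        n += 1
    return out

def accepted(particle, bound):
    """Set of element-name tuples (length <= bound) matched by an xs:element/choice/sequence."""
    tag = particle.tag[len(NS) + 2:]  # strip the "{namespace}" prefix ElementTree adds
    if tag == "element":
        once = {(particle.get("ref") or particle.get("name"),)}
    elif tag == "choice":
        once = set().union(*(accepted(c, bound) for c in particle))
    elif tag == "sequence":
        once = {()}
        for child in particle:
            once = {a + b for a in once for b in accepted(child, bound) if len(a + b) <= bound}
    else:
        raise ValueError("unsupported particle: " + tag)
    return _repeat(once, *_occurs(particle), bound)

def check_restriction(base_xml, derived_xml, bound=3):
    """(True, []) if the derived model accepts a subset of the base; else (False, extras)."""
    base = accepted(ET.fromstring(base_xml), bound)
    derived = accepted(ET.fromstring(derived_xml), bound)
    return derived <= base, sorted(derived - base)
```

check_restriction(BASE, BROKEN) returns the ActivationPin-followed-by-Extension sequences the base choice never allows, while check_restriction(BASE, FIXED) returns (True, []).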