saml-dev message



Subject: Additional Problems with SAML2 AuthnContext Schemas


It appears that there are still a few schema validity problems in the latest set of authentication context schemas (authn-ctx-schemas-03.zip).  All the issues are similar in nature to the ones that Bryan Field-Elliot brought up last week and involve invalid restrictions.  When a complex type is derived by restriction, the values represented by the new type must be a subset of the values represented by the base type.  Below is one example of the remaining problems.

 

A base type is defined in sstc-saml-schema-authn-context-types-2.0.xsd

 

  <xs:complexType name="PrincipalAuthenticationMechanismType">

    <xs:sequence>

      <xs:choice>

        <xs:element ref="Password"/>

        <xs:element ref="Token"/>

        <xs:element ref="Smartcard"/>

        <xs:element ref="ActivationPin"/>

        <xs:element ref="Extension" minOccurs="0"

          maxOccurs="unbounded"/>

      </xs:choice>

    </xs:sequence>

    <xs:attribute name="preauth" type="xs:integer" use="optional"/>

  </xs:complexType>

 

And in sstc-saml-schema-authn-context-softwarepki-2.0.xsd a new type is derived by restriction.

 

    <xs:complexType name="PrincipalAuthenticationMechanismType">

      <xs:complexContent>

        <xs:restriction base="PrincipalAuthenticationMechanismType">

          <xs:sequence>

            <xs:element ref="ActivationPin"/>

            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>

          </xs:sequence>

        </xs:restriction>

      </xs:complexContent>

    </xs:complexType>

 

 

The problem here is that the base type uses a choice and the derived type uses a sequence.  The sequence would allow the derived type to have a superset of the content defined in the base type, and this is not allowed.

 

 

One potential solution would be to change the restricted type as follows:

 

    <xs:complexType name="PrincipalAuthenticationMechanismType">

      <xs:complexContent>

        <xs:restriction base="PrincipalAuthenticationMechanismType">

          <xs:choice>

            <xs:element ref="ActivationPin"/>

            <xs:element ref="Extension" minOccurs="1" maxOccurs="unbounded"/>

          </xs:choice>

        </xs:restriction>

      </xs:complexContent>

    </xs:complexType>

 

I’m fairly unfamiliar with the authentication stuff, so I’m not sure if that solution would satisfy the original business intent, but it does illustrate one potential way to work around the validity issues.

 

I ran across similar problems in all of the following schema files from authn-ctx-schemas-03.zip:

 

sstc-saml-schema-authn-context-pgp-2.0.xsd

sstc-saml-schema-authn-context-x509-2.0.xsd

sstc-saml-schema-authn-context-softwarepki-2.0.xsd

sstc-saml-schema-authn-context-spki-2.0.xsd

sstc-saml-schema-authn-context-srp-2.0.xsd

sstc-saml-schema-authn-context-kerberos-2.0.xsd

sstc-saml-schema-authn-context-smartcardpki-2.0.xsd

sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd

sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd

sstc-saml-schema-authn-context-xmldsig-2.0.xsd

sstc-saml-schema-authn-context-sslcert-2.0.xsd

 

The following diff (where authn-ctx-schemas-03 is a directory with the expanded content of authn-ctx-schemas-03.zip and modified-ac-schemas contains the same files with my changes) shows the few minor changes I made to work around all the schema validity problems I found.  Again, I don’t know that these ‘fixes’ satisfy the original intent of the TC so they may not be acceptable.  But they do provide some context around the problem and one potential way to resolve the validity issues.

 

 

 

diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd modified-ac-schemas/sstc-saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd

68,75d67

<           <xs:sequence>

<             <xs:element ref="Password" minOccurs="1"/>

<             <xs:choice>

<               <xs:element ref="SharedSecretDynamicPlaintext"/>

<               <xs:element ref="SharedSecretChallengeResponse"/>

<             </xs:choice>

<             <xs:element ref="Extension" maxOccurs="unbounded"/>

<           </xs:sequence>
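Review bot: deleting the whole <xs:sequence> of this restriction (lines 68-75) rather than restating it means the mobiletwofactor-reg type no longer constrains Password, SharedSecretDynamicPlaintext or SharedSecretChallengeResponse at all. If the intent was "Password plus one shared-secret method", that cannot be recovered by deletion; it needs a content model the base permits, which probably means changing the base type (the RestrictedPassword insertion in the types-2.0 hunk further down is the pattern). Note also that the removed `<xs:element ref="Extension" maxOccurs="unbounded"/>` had no minOccurs, so it defaulted to minOccurs="1" and made at least one Extension mandatory; whatever replaces this block should state minOccurs="0" explicitly if Extension is meant to be optional, as it is in the softwarepki schema.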

diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd modified-ac-schemas/sstc-saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd

68,75d67

<             <xs:sequence>

<               <xs:element ref="Password" minOccurs="1"/>

<               <xs:choice>

<                 <xs:element ref="SharedSecretDynamicPlaintext"/>

<                 <xs:element ref="SharedSecretChallengeResponse"/>

<               </xs:choice>

<               <xs:element ref="Extension" maxOccurs="unbounded"/>

<             </xs:sequence>
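Review bot: the same deletion as in the -reg file, at the same line range 68,75, so the same objection applies: removing the sequence drops every constraint on Password and the two SharedSecret* alternatives instead of expressing them in a form the base allows. The only difference between the two removed blocks is two extra spaces of indentation, which suggests the two mobiletwofactor schemas are maintained by copy and paste; any real fix should be applied to both at once.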

diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-smartcardpki-2.0.xsd modified-ac-schemas/sstc-saml-schema-authn-context-smartcardpki-2.0.xsd

63,64c63

<           <xs:sequence>

<             <xs:element ref="ActivationPin"/>                                                                                                        

---

>           <xs:choice>
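Review bot: swapping <xs:sequence> for <xs:choice> changes the meaning of the type, not only its validity: before this hunk ActivationPin was mandatory and was followed by whatever particle sits on line 65; after it an instance carries exactly one alternative, so ActivationPin becomes optional. Line 65 is outside the hunk, so the diff does not show whether that other alternative is one the base's choice allows; quoting the surrounding lines would let the TC check that. The removed line 64 also carries a long run of trailing whitespace that should not survive into the next draft.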

65a65

>             <xs:element ref="ActivationPin"/>

67c67

<           </xs:sequence>

---

>           </xs:choice>
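Review bot: the three smartcardpki hunks change only the grouping tag and the position of ActivationPin inside it (moving a particle within a choice has no effect on what is accepted). No Extension particle appears in these hunks, whereas the softwarepki hunks below raise Extension to minOccurs="1" as part of the same sequence-to-choice rewrite. Either both PKI profiles should get the same treatment, or the difference should be deliberate and noted, otherwise the two schemas will accept different content for what the message treats as the same problem.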

diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-softwarepki-2.0.xsd modified-ac-schemas/sstc-saml-schema-authn-context-softwarepki-2.0.xsd

63c63

<           <xs:sequence>

---

>           <xs:choice>
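Review bot: as with smartcardpki, this is a semantic change as well as a validity fix: under a choice an instance may carry ActivationPin or Extension elements but no longer both, and ActivationPin stops being mandatory. The caveat in the message that this may not match the TC's intent is the right one; if "ActivationPin followed by optional Extensions" is what softwarepki meant, the base type's content model has to change, because no restriction of a single choice can require two elements.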

65,66c65,66

<             <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>

<           </xs:sequence>

---

>             <xs:element ref="Extension" minOccurs="1" maxOccurs="unbounded"/>

>           </xs:choice>
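Review bot: raising Extension from minOccurs="0" to minOccurs="1" on line 65 is not required for the restriction to be valid. The base's own Extension particle is minOccurs="0" maxOccurs="unbounded" inside a choice, so a derived choice of ActivationPin and Extension(0..unbounded) already accepts only sequences the base accepts, empty content included. The change is therefore a deliberate tightening: an instance must now carry ActivationPin or at least one Extension. If that is intended, it deserves a sentence in the schema documentation; if not, keep minOccurs="0" so the hunk is a pure sequence-to-choice fix.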

diff authn-ctx-schemas-03/sstc-saml-schema-authn-context-types-2.0.xsd modified-ac-schemas/sstc-saml-schema-authn-context-types-2.0.xsd

671c671,672

<         <xs:element ref="Extension" minOccurs="0"

---

>         <xs:element ref="RestrictedPassword"/>

>         <xs:element ref="Extension" minOccurs="0" 
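Review bot: this is the only hunk that touches the types schema, and it widens a base type rather than tightening a derived one: every type restricting this choice may now carry RestrictedPassword. That is a different kind of change from the rest of the patch and needs its own justification (which derived schema refers to RestrictedPassword, and is the element declared in types-2.0?). Also, line 671 shows as replaced (671c671,672) only because the re-emitted `<xs:element ref="Extension" minOccurs="0" ` line gained trailing whitespace; drop the whitespace and the hunk becomes a pure one-line insertion, which is easier for the TC to review.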

 

I hope that the next draft iteration of the ac schemas will address these issues.

 

Thanks,

Brian Campbell

Ping Identity
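The subset rule the message relies on, as an added illustration that is not part of the e-mail above or of the OASIS schemas: the base type from types-2.0, the softwarepki restriction as drafted, and the proposed replacement are transcribed into a nested-tuple encoding invented here, the set of child-element sequences each content model accepts is enumerated (with "unbounded" capped at two repetitions), and the derived set is compared with the base set. This bounded enumeration is not the W3C particle-derivation algorithm (cos-particle-restrict) and cannot prove validity in general, but any sequence it finds in the derived set and not in the base set is a definite violation of the rule that a restriction may only accept a subset of what its base accepts.

```python
"""Check the XSD restriction rule "derived content must be a subset of base
content" by enumerating the child-element sequences each content model
accepts.  Added example: the tuple encoding is invented here, and the three
models transcribe the schema fragments quoted in the message above."""
from itertools import product

# Content-model encoding (constructed for this example, not XSD syntax):
#   ("el", name, minOccurs, maxOccurs)            an element particle
#   ("seq", minOccurs, maxOccurs, *particles)     an xs:sequence
#   ("choice", minOccurs, maxOccurs, *particles)  an xs:choice
# maxOccurs=None stands for "unbounded"; enumeration caps it at UNBOUNDED_CAP.
UNBOUNDED_CAP = 2


def _repeat(lang, lo, hi):
    """Sequences formed by concatenating between lo and hi members of lang."""
    hi = UNBOUNDED_CAP if hi is None else hi
    out = set()
    for n in range(lo, hi + 1):
        if n == 0:
            out.add(())
            continue
        for combo in product(sorted(lang), repeat=n):
            out.add(tuple(name for part in combo for name in part))
    return out


def language(model):
    """All child-element sequences (tuples of element names) a model accepts."""
    kind = model[0]
    if kind == "el":
        _, name, lo, hi = model
        return _repeat({(name,)}, lo, hi)
    _, lo, hi, *parts = model
    if kind == "seq":
        inner = {()}
        for part in parts:  # concatenate each particle's language, in order
            inner = {a + b for a in inner for b in language(part)}
    elif kind == "choice":
        inner = set().union(*(language(part) for part in parts))
    else:
        raise ValueError(f"unknown particle kind {kind!r}")
    return _repeat(inner, lo, hi)


def restriction_violations(base, derived):
    """Sequences the derived model accepts but the base rejects (empty = OK)."""
    return sorted(language(derived) - language(base))


# Base type from sstc-saml-schema-authn-context-types-2.0.xsd, as quoted.
BASE = ("seq", 1, 1,
        ("choice", 1, 1,
         ("el", "Password", 1, 1),
         ("el", "Token", 1, 1),
         ("el", "Smartcard", 1, 1),
         ("el", "ActivationPin", 1, 1),
         ("el", "Extension", 0, None)))

# Restriction as drafted in softwarepki-2.0.xsd: a sequence.
DRAFTED = ("seq", 1, 1,
           ("el", "ActivationPin", 1, 1),
           ("el", "Extension", 0, None))

# The proposed replacement: a choice, with Extension raised to minOccurs="1".
PROPOSED = ("choice", 1, 1,
            ("el", "ActivationPin", 1, 1),
            ("el", "Extension", 1, None))


if __name__ == "__main__":
    for label, model in (("drafted", DRAFTED), ("proposed", PROPOSED)):
        bad = restriction_violations(BASE, model)
        verdict = "valid restriction" if not bad else f"INVALID, e.g. {bad[0]}"
        print(f"{label}: {verdict}")
```

Running it reports the drafted sequence as invalid because "ActivationPin Extension" is accepted by the restriction but not by the base's choice, and the proposed choice as valid. Not every validator enforces this constraint when it loads a schema, so a schema accepted by one tool may be rejected by another; checking the content models directly, as here, does not depend on the validator in use.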

 


