[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Alternative protocol models
Collegues,
Below are some possible schema fragments concerning the possible
arrangement of the toplevel elements in the assertion. My belief is that the
contentious issues (if any) concern the arrangement at this level rather
than the specific semantics of the component parts:
o SAML Assertion
SAML specifies several different types of assertion for different purposes,
these are:
Authentication Assertion
Attribute Assertion
Decision Assertion
The different types of SAML assertion are encoded in a common XML package
which at a minimum consists of:
Basic Information.
Each assertion MUST specify a unique identifier that serves as a
name for the assertion. In addition an assertion MAY specify the date and
time of issue and the time interval for which the assertion is valid.
Claims.
The claims made by the assertion. This document describes the use of
assertions to make claims for Authorization and Key Delegation applications.
In addition an assertion MAY contain the following additional elements. An
SAML client is not required to support processing of any element contained
in an additional element with the sole exception that an SAML client MUST
reject any assertion containing a Conditions element that is not supported.
Conditions.
The assertion status MAY be subject to conditions. The status of the
assertion might be dependent on additional information from a validation
service. The assertion may be dependent on other assertions being valid. The
assertion may only be valid if the relying party is a member of a particular
audience.
Advice.
Assertions MAY contain additional information as advice. The advice
element MAY be used to specify the assertions that were used to make a
policy decision.
The SAML assertion package is designed to facilitate reuse in other
specifications. For this reason XML elements specific to the management of
authentication and authorization data are expressed as claims. Possible
additional applications of the assertion package format include management
of embedded trust roots [XTASS] and authorization policy [XACML].
The <Assertion> element is specified by the following schema:
<element name="Assertion">
<complexType>
<sequence>
<!-- Basic Information -->
<element name="AssertionID" type="s0:AssertionID"/>
<element name="RequestID" type="s0:AssertionID"/>
<element name="Issuer" type="string"/>
<element name="ValidityInterval" type="s0:ValidityInterval"/>
<!-- Data -->
<element name="Claims" type="s0:Claims"/>
<element name="Conditions" type="s0:Conditions"/>
<element name="Advice" type="s0:Advice"/>
</sequence>
</complexType>
</element>
o SAML Request
* Request by Identifier or Location
An assertion MAY be requested by means of the assertion identifier or a
location in which the assertion is stored.
* Request by Query
An assertion MAY be requested by means of a query.
The query specifies the principal and the resources for which access is
requested by use of the claim element syntax. The information requested in
the response is specified by means of the Respond element described in
section 3.3.3.
[Discuss]
<element name="SAMLQuery">
<complexType>
<sequence>
<!-- Basic Information -->
<element name="RequestID" type="s0:AssertionID"/>
<element name="ValidityInterval" type="s0:ValidityInterval"/>
<!-- Data -->
<element name="Query" type="s0:Claims"/>
<element name="Conditions" type="s0:Conditions"/>
<element name="Advice" type="s0:Advice"/>
<element name="Respond" type="s0:Respond"/>
</sequence>
</complexType>
</element>
* Element <Respond>
The <Respond> element in the request specifies one or more strings included
in the request that specify data elements to be provided in the response.
The Service SHOULD return a requested data element if it is available. The
Service MAY return additional data elements that were not requested. In
particular, the service MAY return data elements specified in the request
with the response.
Defined identifiers include:
Identifier Description
Decision Return the result of the Query (True/False).
Static Specifies that the response may return any data element and omit the
RequestID specified in the request. Thus allowing the responder to return a
static pre-signed assertion.
ValidityInterval Return the ValidityInterval element
Conditions Return the assertion conditions
Claims Return the assertion claims
Advice Return additional advice elements
The <Respond> element is defined by the following schema:
<element name="Respond" >
<complexType>
<sequence>
<element name="string" type="string"
minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</complexType>
</element>
o SAML Response
[An alternative packaging that might be desirable would be to specify a
query response. In this case the natural location for the Request ID would
be here]
<element name="SAMLQuery Response">
<complexType>
<sequence>
<!-- Basic Information -->
<element name="RequestID" type="s0:AssertionID"/>
<element name="Decision" type="s0:Decision"/>
<element name="Assertion" type="s0:Assertion"/>
</sequence>
</complexType>
</element>
Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227 <<Phillip Hallam-Baker (E-mail).vcf>>
Phillip Hallam-Baker (E-mail).vcf
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC