security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [security-services] Attribute Authority information in Authentication Assertion proposal


Title: Attribute Authority information in Authentication Assertion proposal

All,

SAML assumes that, given an authentication assertion, a relying party can find the attribute authority for
the authenticated subject.

In a more dynamic situation an Authentication Authority can be placed in front of a number of Attribute Authorities. In this case the Authentication Authority may want to direct relying parties to specific Attribute Authorities.

This use case is suggested by Shibboleth.

Here is a proposal on how to refer to attribute authorities from within an authentication assertion.
(This is a joint proposal with Scott Cantor and Marlena Erdos.)

AuthorityBinding specifies the kind of authority and points to it via a URI.

<element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
<complexType name="AuthorityBindingType">
        <attribute name="AuthorityKind">
                <simpleType>
                        <restriction base="string">
                                <enumeration value="authentication"/>
                                <enumeration value="attribute"/>
                                <enumeration value="authorization"/>
                        </restriction>
                </simpleType>
        </attribute>
        <attribute name="Binding" type="anyURI"/>
</complexType>

We can extend AuthenticationStatementType with the list of authority
bindings:
<element ref="saml:AuthorityBinding"
        minOccurs="0" maxOccurs="unbounded"/>

        <element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
        <complexType name="AuthenticationStatementType">
                <complexContent>
                        <extension base="saml:SubjectStatementAbstractType">
                                <sequence>
                                        <element ref="saml:AuthenticationLocality" minOccurs="0"/>
                                        <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/> <!-- addition -->
                                </sequence>
                                <attribute name="AuthenticationMethod" type="anyURI"/>
                                <attribute name="AuthenticationInstant" type="dateTime"/>
                        </extension>
                </complexContent>
        </complexType>

Simon Godik
Crosslogix, Inc.
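An added example, not part of the proposal or of any SAML implementation: a relying party reading the proposed AuthorityBinding elements out of an AuthenticationStatement, enforcing the AuthorityKind enumeration, and keeping only the attribute-authority bindings it is already configured to trust. The namespace URI, the sample assertion and the allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed namespace URI for the saml: prefix; the proposal does not state one.
SAML_NS = "urn:example:saml-assertion"
NS = {"saml": SAML_NS}
# The AuthorityKind enumeration exactly as the proposed schema defines it.
AUTHORITY_KINDS = {"authentication", "attribute", "authorization"}

# Constructed sample: an authentication statement carrying three authority
# bindings, one of them pointing at a host the relying party does not know.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AuthenticationStatement AuthenticationMethod="urn:example:password"
                                AuthenticationInstant="2001-11-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:AuthorityBinding AuthorityKind="attribute" Binding="https://aa1.example.edu/saml"/>
    <saml:AuthorityBinding AuthorityKind="attribute" Binding="https://aa2.example.edu/saml"/>
    <saml:AuthorityBinding AuthorityKind="authorization" Binding="https://pdp.example.net/"/>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def authority_bindings(assertion_xml):
    """Return (AuthorityKind, Binding) pairs from every AuthenticationStatement.
    Enforces the enumeration and the presence of Binding, since ElementTree does
    no schema validation; a malformed binding rejects the whole assertion."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for stmt in root.findall("saml:AuthenticationStatement", NS):
        for ab in stmt.findall("saml:AuthorityBinding", NS):
            kind, binding = ab.get("AuthorityKind"), ab.get("Binding")
            if kind not in AUTHORITY_KINDS or not binding:
                raise ValueError(f"bad AuthorityBinding: kind={kind!r} binding={binding!r}")
            pairs.append((kind, binding))
    return pairs

def trusted_attribute_authorities(assertion_xml, allowed_hosts):
    """Attribute-authority URIs the relying party is willing to query.
    The Binding value is data supplied by the authentication authority, so a
    relying party should follow it only to hosts it already trusts, and only
    after verifying the assertion's signature (outside this example)."""
    return [
        binding for kind, binding in authority_bindings(assertion_xml)
        if kind == "attribute"
        and urlparse(binding).scheme == "https"
        and urlparse(binding).hostname in allowed_hosts
    ]
```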


