
security-services message


Subject: [security-services] Attribute Authority information in Authentication Assertion proposal

Title: Attribute Authority information in Authentication Assertion proposal


SAML assumes that, given an authentication assertion, the relying party can find the attribute authority for
the authenticated subject.

In a more dynamic situation, the Authentication Authority can be placed in front of a number of Attribute Authorities. In this case the Authentication Authority may want to direct relying parties to specific
Attribute Authorities.

This use case is suggested by Shibboleth.

Here is a proposal on how to refer to attribute authorities from within an authentication assertion.
(This is a joint proposal with Scott Cantor and Marlena Erdos.)

AuthorityBinding specifies the kind of authority and points to it via URI.

<element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
<complexType name="AuthorityBindingType">
        <attribute name="AuthorityKind">
                <simpleType>
                        <restriction base="string">
                                <enumeration value="authentication"/>
                                <enumeration value="attribute"/>
                                <enumeration value="authorization"/>
                        </restriction>
                </simpleType>
        </attribute>
        <attribute name="Binding" type="anyURI"/>
</complexType>

We can extend AuthenticationStatementType with a list of authority bindings:
<element ref="saml:AuthorityBinding"
        minOccurs="0" maxOccurs="unbounded"/>

        <element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
        <complexType name="AuthenticationStatementType">
                <complexContent>
                        <extension base="saml:SubjectStatementAbstractType">
                                <sequence>
                                        <element ref="saml:AuthenticationLocality" minOccurs="0"/>
                                        <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/> <!-- addition -->
                                </sequence>
                                <attribute name="AuthenticationMethod" type="anyURI"/>
                                <attribute name="AuthenticationInstant" type="dateTime"/>
                        </extension>
                </complexContent>
        </complexType>

Simon Godik
Crosslogix, Inc.
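The following is an added example, not part of the proposal above and not code from its authors: it shows a relying party reading the proposed AuthorityBinding elements out of an AuthenticationStatement and checking them against the proposed schema (AuthorityKind restricted to the three enumerated values, Binding an absolute URI). The SAML namespace URI, the hostnames and the sample assertion are constructed for the example.

```python
"""Added example (not from the proposal itself): a relying party reading the
proposed AuthorityBinding elements out of an AuthenticationStatement.
The namespace URI, hostnames and the sample assertion are constructed."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed namespace
NS = {"saml": SAML_NS}

# AuthorityKind values allowed by the proposed AuthorityBindingType.
AUTHORITY_KINDS = frozenset({"authentication", "attribute", "authorization"})


class AuthorityBindingError(ValueError):
    """Raised when an AuthorityBinding violates the proposed schema."""


def _assertion(bindings: str) -> str:
    """Wrap constructed AuthorityBinding markup in a minimal assertion."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:example:password"
      AuthenticationInstant="2001-06-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    {bindings}
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Constructed sample: the authentication authority fronts two attribute
# authorities and one authorization authority.
SAMPLE_ASSERTION = _assertion(
    '<saml:AuthorityBinding AuthorityKind="attribute" '
    'Binding="https://aa1.example.org/saml/attribute"/>\n'
    '<saml:AuthorityBinding AuthorityKind="attribute" '
    'Binding="https://aa2.example.org/saml/attribute"/>\n'
    '<saml:AuthorityBinding AuthorityKind="authorization" '
    'Binding="https://pdp.example.org/saml/authz"/>'
)
# Constructed negative cases: a kind outside the enumeration, and a Binding
# that is not an absolute URI.
BAD_KIND = _assertion(
    '<saml:AuthorityBinding AuthorityKind="bogus" Binding="https://x.example.org/"/>'
)
BAD_URI = _assertion(
    '<saml:AuthorityBinding AuthorityKind="attribute" Binding="not a uri"/>'
)


def parse_authority_bindings(assertion_xml: str,
                             kind: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (AuthorityKind, Binding) pairs from every AuthenticationStatement.

    The whole assertion is rejected if any binding has a kind outside the
    enumeration or a Binding that is not an absolute URI, so a malformed
    statement is never partially honoured. `kind` filters the result."""
    root = ET.fromstring(assertion_xml)
    found: List[Tuple[str, str]] = []
    for stmt in root.findall("saml:AuthenticationStatement", NS):
        for ab in stmt.findall("saml:AuthorityBinding", NS):
            ak = ab.get("AuthorityKind")
            binding = ab.get("Binding") or ""
            if ak not in AUTHORITY_KINDS:
                raise AuthorityBindingError(f"unknown AuthorityKind {ak!r}")
            if not urlparse(binding).scheme:
                raise AuthorityBindingError(
                    f"Binding is not an absolute URI: {binding!r}")
            if kind is None or ak == kind:
                found.append((ak, binding))
    return found


def attribute_authorities(assertion_xml: str) -> List[str]:
    """URIs of the attribute authorities the issuer points the relying party to."""
    return [b for _, b in parse_authority_bindings(assertion_xml, kind="attribute")]


def rejects(assertion_xml: str) -> bool:
    """True if the assertion fails the AuthorityBinding checks."""
    try:
        parse_authority_bindings(assertion_xml)
    except AuthorityBindingError:
        return True
    return False


if __name__ == "__main__":
    print(attribute_authorities(SAMPLE_ASSERTION))
```

The enumeration and URI checks only enforce the proposed schema; a relying party should honour the bindings only to the extent it trusts the issuer of the assertion carrying them, which in practice means reading them after the assertion's signature has been verified, not before.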

