OASIS Mailing List Archives

security-services message


Subject: [security-services] Attribute Authority info in AuthenticationAssertion proposal (f2f #5 action item)

Title: Attribute Authority info in Authentication Assertion proposal (f2f #5 action item)

Attribute Authority info in the Authentication Assertion was discussed at f2f #5,
and clarifying text was requested so that the committee can vote on the issue.

The original proposal was sent out on Monday, October 22, 2001 10:22AM.

The context here is that an Authentication Authority can front several Attribute Authorities,
as in the case of Shibboleth. The Authentication Authority should be able to point
to the correct Attribute Authority for the authenticated subject by including information
about the Attribute Authority in the AuthenticationAssertion.

Proposed text:

SAML assumes that, given an authentication assertion, the relying party can find
the attribute authority for the authenticated subject.

In a more dynamic situation, an Authentication Authority can be placed in front
of a number of Attribute Authorities. In this case the Authentication Authority
may want to direct relying parties to the specific Attribute Authorities at the
time when the authentication assertion is issued.

The AuthorityBinding element specifies the type of authority (authentication, attribute,
authorization) and points to it via a URI. AuthenticationStatementType contains an optional
list of AuthorityBindings. All AuthorityBindings in the list must be of the 'attribute' type.
All authorities pointed to by the AuthorityBinding list must be queried by the relying party.

<element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
<complexType name="AuthorityBindingType">
        <attribute name="AuthorityKind">
                <simpleType>
                        <restriction base="string">
                                <enumeration value="authentication"/>
                                <enumeration value="attribute"/>
                                <enumeration value="authorization"/>
                        </restriction>
                </simpleType>
        </attribute>
        <attribute name="Binding" type="anyURI"/>
</complexType>

<element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
<complexType name="AuthenticationStatementType">
        <complexContent>
                <extension base="saml:SubjectStatementAbstractType">
                        <sequence>
                                <element ref="saml:AuthenticationLocality" minOccurs="0"/>
                                <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/> <!-- addition -->
                        </sequence>
                        <attribute name="AuthenticationMethod" type="anyURI"/>
                        <attribute name="AuthenticationInstant" type="dateTime"/>
                </extension>
        </complexContent>
</complexType>

Simon Godik
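
Added example (not part of the original message or of the SAML specification): a relying-party check for the rule in the proposed text, that every AuthorityBinding in an AuthenticationStatement is of the 'attribute' kind and that all listed authorities are returned for querying. The namespace URI, the sample statement and the `trusted` allow-list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace: the message uses the "saml:" prefix but gives no URI.
SAML_NS = "urn:example:saml-draft"
KINDS = {"authentication", "attribute", "authorization"}

# Constructed sample statement following the proposed schema.
SAMPLE = f"""
<saml:AuthenticationStatement xmlns:saml="{SAML_NS}"
    AuthenticationMethod="urn:example:method:password"
    AuthenticationInstant="2001-11-01T12:00:00Z">
  <saml:AuthorityBinding AuthorityKind="attribute" Binding="https://aa1.example.org/query"/>
  <saml:AuthorityBinding AuthorityKind="attribute" Binding="https://aa2.example.org/query"/>
</saml:AuthenticationStatement>
"""

def attribute_authorities(statement_xml, trusted=None):
    """Return every Binding URI the relying party must query.

    Raises ValueError if any AuthorityBinding is not of kind 'attribute'
    (the rule in the proposed text). `trusted` is an assumption of this
    example: an optional allow-list of authority URIs; the proposal itself
    does not define one.
    """
    # For untrusted input, parse with a hardened XML parser instead.
    root = ET.fromstring(statement_xml)
    if root.tag != f"{{{SAML_NS}}}AuthenticationStatement":
        raise ValueError("not an AuthenticationStatement")
    uris = []
    for b in root.findall(f"{{{SAML_NS}}}AuthorityBinding"):
        kind, uri = b.get("AuthorityKind"), b.get("Binding")
        if kind not in KINDS:
            raise ValueError(f"unknown AuthorityKind: {kind!r}")
        if kind != "attribute":
            raise ValueError(f"AuthorityKind must be 'attribute', got {kind!r}")
        if not uri:
            raise ValueError("AuthorityBinding without Binding URI")
        if trusted is not None and uri not in trusted:
            raise ValueError(f"untrusted attribute authority: {uri}")
        uris.append(uri)
    return uris  # empty list: the optional binding list was omitted

if __name__ == "__main__":
    print(attribute_authorities(SAMPLE))
```

Rejecting the whole statement on the first non-attribute binding keeps a relying party from silently following a binding the issuer was not permitted to include.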
