security-services message

Subject: Alt. merged AuthnRequest schema

Here's an alternate take on my earlier idea in which it is just one request
message with different optional bits based on the use case.

Another difference in thinking is to leave the question of how impersonation
is represented to the SAML authority (or profiles, perhaps). This just
requests a new assertion and includes a hint about the authenticating entity
making the request (could be used to help interpret the credentials), and
optionally specifies the subject of the resulting assertion, the

Some of the AuthnRequest pieces still seem useful for the non-browser cases.
NameIDPolicy is a way of specifying a subject one way in the request but
asking that the token represent that subject in an alternate form. I doubt
ForceAuthn is of much use, but IsPassive could be. I'm not sure about

-- Scott

<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
<complexType name="AuthnRequestType">
    <complexContent>
        <extension base="samlp:RequestAbstractType">
            <sequence>
                <element ref="samlp:AuthenticationIdentity" minOccurs="0"/>
                <element ref="samlp:AuthorizationIdentity" minOccurs="0"/>
                <element ref="samlp:NameIDPolicy" minOccurs="0"/>
                <element ref="saml:ConfirmationMethod" minOccurs="0"/>
                <element ref="saml:Conditions" minOccurs="0"/>
                <!-- at most one of ForceAuthn / IsPassive -->
                <choice minOccurs="0">
                    <element ref="samlp:ForceAuthn"/>
                    <element ref="samlp:IsPassive"/>
                </choice>
                <element ref="samlp:RequestAuthnContext" minOccurs="0"/>
                <element ref="samlp:ProtocolProfile" minOccurs="0"/>
                <!-- this line is cut off in the archive; closed here without guessing its occurrence constraint -->
                <element ref="samlp:AssertionConsumerServiceID"/>
                <element ref="samlp:Scoping" minOccurs="0"/>
            </sequence>
            <attribute ref="consent" use="optional"/>
        </extension>
    </complexContent>
</complexType>
<element name="AuthenticationIdentity" type="saml:NameIdentifierType"/>
<element name="AuthorizationIdentity" type="saml:Subject"/>
<element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
<complexType name="NameIDPolicyType">
    <attribute name="Format" type="anyURI" use="optional"/>
    <attribute name="SPNameQualifier" type="string" use="optional"/>
</complexType>
<simpleType name="AuthnContextComparisonType">
    <restriction base="string">
        <enumeration value="exact"/>
        <enumeration value="minimum"/>
        <enumeration value="better"/>
        <enumeration value="maximum"/>
    </restriction>
</simpleType>
<element name="RequestAuthnContext">
    <complexType>
        <sequence>
            <!-- the choice wrapper is inferred from the indentation in the archive -->
            <choice>
                <!-- these two lines are cut off in the archive; closed here without guessing their occurrence constraints -->
                <element name="AuthnContextClassRef" type="anyURI"/>
                <element name="AuthnContextStatementRef" type="anyURI"/>
            </choice>
            <element name="AuthnContextComparison" type="AuthnContextComparisonType" minOccurs="0"/>
        </sequence>
    </complexType>
</element>
<element name="ForceAuthn" type="boolean"/>
<element name="IsPassive" type="boolean"/>
<element name="ProtocolProfile" type="anyURI"/>
<element name="AssertionConsumerServiceID" type="string"/>
<element name="Scoping" type="samlp:ScopingType"/>
<complexType name="ScopingType">
    <sequence>
        <element ref="ProxyCount" minOccurs="0"/>
        <!-- IDPList is referenced but not declared in this fragment -->
        <element ref="IDPList" minOccurs="0"/>
        <element ref="ReqProviderID" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
</complexType>
<element name="ProxyCount" type="nonNegativeInteger"/>
<element name="ReqProviderID" type="string"/>
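As an added example (not Scott's code and not anything from the SAML TC), here is a small Python check that enforces on a received request the structural rules the proposal above encodes: the child sequence of AuthnRequestType, the ForceAuthn/IsPassive choice, the AuthnContextComparison enumeration and the nonNegativeInteger ProxyCount. The samlp/saml namespace URIs and the two sample requests are constructed placeholders, and the local elements of RequestAuthnContext are assumed to be unqualified.

```python
import xml.etree.ElementTree as ET

# Assumed placeholder namespace URIs: the draft shows only the prefixes samlp and saml.
SAMLP, SAML = "urn:example:samlp-draft", "urn:example:saml-draft"
P = lambda local: "{%s}%s" % (SAMLP, local)
S = lambda local: "{%s}%s" % (SAML, local)
# Children of AuthnRequestType in the order the proposed sequence lists them.
CHILD_ORDER = [P("AuthenticationIdentity"), P("AuthorizationIdentity"), P("NameIDPolicy"),
               S("ConfirmationMethod"), S("Conditions"), P("ForceAuthn"), P("IsPassive"),
               P("RequestAuthnContext"), P("ProtocolProfile"),
               P("AssertionConsumerServiceID"), P("Scoping")]
COMPARISONS = {"exact", "minimum", "better", "maximum"}  # AuthnContextComparisonType

def check_authn_request(xml_text):
    """Return the list of ways a request violates the proposed AuthnRequestType."""
    root = ET.fromstring(xml_text)
    if root.tag != P("AuthnRequest"):
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    tags = [child.tag for child in root]
    problems += ["unexpected child " + t for t in tags if t not in CHILD_ORDER]
    known = [CHILD_ORDER.index(t) for t in tags if t in CHILD_ORDER]
    if known != sorted(set(known)):
        problems.append("children repeated or out of sequence order")
    # ForceAuthn and IsPassive sit in a <choice minOccurs="0">: at most one may appear.
    if P("ForceAuthn") in tags and P("IsPassive") in tags:
        problems.append("ForceAuthn and IsPassive are mutually exclusive")
    rac = root.find(P("RequestAuthnContext"))
    if rac is not None:
        # Local elements of RequestAuthnContext are assumed unqualified (no namespace).
        cmp_el = rac.find("AuthnContextComparison")
        if cmp_el is not None and (cmp_el.text or "").strip() not in COMPARISONS:
            problems.append("AuthnContextComparison must be one of " + ", ".join(sorted(COMPARISONS)))
    # ProxyCount is a global element, so it is namespace-qualified; its type is nonNegativeInteger.
    count = root.find(P("Scoping") + "/" + P("ProxyCount"))
    if count is not None and not (count.text or "").strip().isdigit():
        problems.append("ProxyCount must be a nonNegativeInteger")
    return problems

# Constructed sample requests (not from the message): one conforming, one that asks for
# both ForceAuthn and IsPassive and uses a comparison value the enumeration lacks.
GOOD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="%s">
  <samlp:NameIDPolicy Format="urn:example:nameid-format:email"/>
  <samlp:IsPassive>true</samlp:IsPassive>
  <samlp:RequestAuthnContext><AuthnContextComparison>minimum</AuthnContextComparison></samlp:RequestAuthnContext>
  <samlp:Scoping><samlp:ProxyCount>0</samlp:ProxyCount></samlp:Scoping>
</samlp:AuthnRequest>""" % SAMLP
BAD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="%s"><samlp:ForceAuthn>true</samlp:ForceAuthn>
  <samlp:IsPassive>true</samlp:IsPassive><samlp:RequestAuthnContext>
  <AuthnContextComparison>best</AuthnContextComparison></samlp:RequestAuthnContext></samlp:AuthnRequest>""" % SAMLP
```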