OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] Authentication Method


John, the Authentication Context schema would likely provide the flexibility
you require, through a combination of <PrincipalAuthenticationMechanism> and
<Authenticator> elements:

<xs:complexType name="AuthenticationMethodType">
	<xs:sequence>
		<xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
		<xs:element ref="Authenticator" minOccurs="0"/>
		<xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
		<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
	</xs:sequence>
</xs:complexType>

It's likely that the schema doesn't currently adequately support Kerberos
though.

Liberty stipulated that the saml:AuthenticationMethod would logically
indicate 'see Authentication Context' with a value of
'urn:liberty:ac:2003-08'.

Regards

Paul

>-----Original Message-----
>From: John Hughes [mailto:john.hughes@entegrity.com]
>Sent: Friday, March 12, 2004 4:05 AM
>To: security-services@lists.oasis-open.org
>Subject: [security-services] Authentication Method
>
>As Tim and I complete the Kerberos Solution profiles doc - ready for the
>16th - we have come across an issue we would like to raise - in order to get
>some feedback.
>
>Kerberos currently - as far as the authentication method is concerned - is
>identified by: URI: urn:ietf:rfc:1510.
>
>However as a number of you may be aware Kerberos supports a number of
>authentication techniques, including PKI/X.509, username/pw, and hardware
>tokens. We believe this should be identified in the assertion. Hence we
>would like to have a set of AuthenticationMethods defined. For instance:
>
>	URI: urn:ietf:rfc:1510   and
>	URI: urn:oasis:names:tc:SAML:1.0:am:password
>
>This requirement is not unique to Kerberos - but to any multi-factor
>authentication system.
>
>Currently the schema permits only a single AuthenticationMethod attribute.
>
>Thoughts?
>
>John
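Paul's pointer to the Authentication Context and John's wish to express more than one method in an assertion can be tied together on the relying-party side. The following is an added example, not code from this thread or from any OASIS or Liberty project: it derives the set of authentication factors from a constructed SAML 1.x assertion, taking a plain AuthenticationMethod URI as-is and following the Liberty value urn:liberty:ac:2003-08 into the PrincipalAuthenticationMechanism children of an authentication context. That the context travels as a sibling of the AuthenticationStatement, and the child element names Password and Token (taken from the Liberty/SAML 2.0 authentication context schema), are assumptions of the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
LIBERTY_AC = "urn:liberty:ac:2003-08"  # "see Authentication Context" value from the thread
KERBEROS = "urn:ietf:rfc:1510"

# Constructed sample assertion (not real traffic). Carrying the authentication
# context statement as a sibling of the AuthenticationStatement is an assumption
# of this example; the Password/Token child names are taken from the
# Liberty/SAML 2.0 authentication context schema.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ac="{LIBERTY_AC}"
                MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement AuthenticationMethod="{LIBERTY_AC}"
                                AuthenticationInstant="2004-03-12T09:05:00Z">
    <saml:Subject><saml:NameIdentifier>jhughes</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <ac:AuthenticationContextStatement>
    <ac:AuthenticationMethod>
      <ac:PrincipalAuthenticationMechanism>
        <ac:Password/>
        <ac:Token/>
      </ac:PrincipalAuthenticationMechanism>
    </ac:AuthenticationMethod>
  </ac:AuthenticationContextStatement>
</saml:Assertion>"""

def authentication_factors(xml_text):
    """Return the set of factors an assertion declares.

    A plain AuthenticationMethod URI is returned as a one-element set; the
    Liberty indirection value is resolved to the local names of the
    PrincipalAuthenticationMechanism children, so several factors can be seen."""
    root = ET.fromstring(xml_text)
    stmt = root.find(f"{{{SAML}}}AuthenticationStatement")
    if stmt is None:
        raise ValueError("assertion carries no AuthenticationStatement")
    method = stmt.get("AuthenticationMethod")
    if method != LIBERTY_AC:
        return {method}
    mech = root.find(f".//{{{LIBERTY_AC}}}PrincipalAuthenticationMechanism")
    if mech is None:
        # The method says "see the context" but none is present: reject rather
        # than silently accept an unknown authentication strength.
        raise ValueError("AuthenticationMethod refers to a missing authentication context")
    return {child.tag.split("}", 1)[1] for child in mech}

def satisfies_policy(factors, required):
    """Relying-party policy check: every required factor must be present."""
    return set(required) <= set(factors)
```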

