Subject: RE: [security-services] Authentication Method
John, the Authentication Context schema would likely provide the flexibility you require, through a combination of <PrincipalAuthenticationMechanism> and <Authenticator> elements

    <xs:complexType name="AuthenticationMethodType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
        <xs:element ref="Authenticator" minOccurs="0"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>

It's likely that the schema doesn't currently adequately support Kerberos though.

Liberty stipulated that the saml:AuthenticationMethod would logically indicate 'see Authentication Context' with a value of 'urn:liberty:ac:2003-08.'

Regards

Paul

>-----Original Message-----
>From: John Hughes [mailto:john.hughes@entegrity.com]
>Sent: Friday, March 12, 2004 4:05 AM
>To: security-services@lists.oasis-open.org
>Subject: [security-services] Authentication Method
>
>
>As Tim and I complete the Kerberos Solution profiles doc - ready for the
>16th - we have come across an issue we would like to raise - in order to get
>some feedback.
>
>
>Kerberos currently - as far as the authentication method is concerned - is
>identified by: URI: urn:ietf:rfc:1510.
>
>However as a number of you may be aware Kerberos supports a number of
>authentication techniques, including PKI/X.509, username/pw, and hardware
>tokens. We believe this should be identified in the assertion. Hence we
>would like to have a set of AuthenticationMethods defined. For instance:
>
>    URI: urn:ietf:rfc:1510 and
>    URI: urn:oasis:names:tc:SAML:1.0:am:password
>
>
>This requirement is not unique to Kerberos - but to any multi-factor
>authentication system
>
>Currently the schema permits only a single AuthenticationMethod attribute
>
>
>
>Thoughts?
>
>
>John
>
>
>To unsubscribe from this mailing list (and be removed from the
>roster of the OASIS TC), go to
>http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
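
Added example, not part of the original e-mails or of any OASIS or Liberty document: a relying-party check over a SAML 1.x AuthenticationStatement, showing why the single AuthenticationMethod attribute cannot state both URIs from the thread. The sample statements, the AuthenticationInstant value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
KERBEROS = "urn:ietf:rfc:1510"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# Constructed sample: what the schema permits today (one method URI).
ONE_METHOD = f'''<saml:AuthenticationStatement xmlns:saml="{SAML_NS}"
    AuthenticationMethod="{KERBEROS}"
    AuthenticationInstant="2004-03-12T04:05:00Z"/>'''

# Constructed sample: a naive attempt to state both URIs by repeating the
# attribute. XML forbids duplicate attributes, so this is not well-formed.
TWO_METHODS = f'''<saml:AuthenticationStatement xmlns:saml="{SAML_NS}"
    AuthenticationMethod="{KERBEROS}"
    AuthenticationMethod="{PASSWORD}"
    AuthenticationInstant="2004-03-12T04:05:00Z"/>'''


def authentication_methods(statement_xml):
    """Return the method URIs a statement asserts (at most one in SAML 1.x).

    Raises ValueError if the input is not a well-formed AuthenticationStatement.
    """
    try:
        root = ET.fromstring(statement_xml)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAML_NS}}}AuthenticationStatement":
        raise ValueError(f"unexpected element {root.tag}")
    method = root.get("AuthenticationMethod")
    return [method] if method else []


def satisfies(statement_xml, required):
    """Relying-party policy: every required method URI must be asserted.

    A statement that cannot be parsed is rejected rather than trusted.
    """
    try:
        asserted = set(authentication_methods(statement_xml))
    except ValueError:
        return False
    return set(required) <= asserted


if __name__ == "__main__":
    print(authentication_methods(ONE_METHOD))
    print(satisfies(ONE_METHOD, [KERBEROS]))
    print(satisfies(ONE_METHOD, [KERBEROS, PASSWORD]))
    print(satisfies(TWO_METHODS, [KERBEROS, PASSWORD]))
```

A relying party that needs to know how the Kerberos principal initially authenticated therefore has nothing in this attribute to test against, which is the gap raised in the thread.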