Subject: Fixes for authn-context schema problems
This note describes the rationale for the update to the authn-context files, which will be published shortly for a vote on December 7.

-----------------------------------------------------

Recall that the AuthNContext schema is structured in the following way: a core set of elements is provided in sstc-saml-schema-authn-context-2.0, and individual classes then restrict these elements in particular ways (e.g., sstc-saml-schema-authn-context-pword-2.0.xsd).

The technical problem with this approach (reported by Bryan Field-Elliott of Ping Identity and researched by Scott C. and John K.) is that each of the individual classes has its own namespace, distinct from the parent namespace. This makes use of type restriction impossible in the manner used by these schemas. Unfortunately, a number of schema validators failed to pick up this problem. No, I am not going to name names, but there is a proposal that all future schemas validate against a particular schema validator (SQC).

An editorial meeting on December 6 discussed the problem and accepted the following solution. The authn-context schemas will be factored into three parts:

(1) A set of utility types (no target namespace)
(2) sstc-saml-schema-authncontext-2.0 (core auth context schema)
(3) Individual classes which would define/restrict types found in (1)

The schema in (2) includes the utility schema. The schemas in (3) "redefine" the base types in the utility schema to turn them into restricted versions of themselves that correspond to the context classes.
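The following two schema fragments are an added illustration of the factoring described in this note; they are not the SSTC's schema text, and the file names, element names and the urn:example namespace are made up for the example. The first file is the no-target-namespace utility schema; the second is a class schema that pulls it in through xs:redefine, so the included types take on the class's own target namespace and can then be restricted in place. Note that xs:redefine only accepts a schema document that has either no targetNamespace or the same one as the redefining schema, which is exactly why the utility types are kept namespace-less.

```xml
<!-- File 1 (hypothetical): authn-context-types-example.xsd
     Utility types with NO targetNamespace, so that any including or
     redefining schema adopts them into its own namespace ("chameleon"). -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">

  <xs:element name="AuthnMethod" type="AuthnMethodBaseType"/>

  <!-- Base type: every authentication method is optional here. Individual
       class schemas narrow this by redefinition rather than by deriving a
       new type in a different namespace. -->
  <xs:complexType name="AuthnMethodBaseType">
    <xs:sequence>
      <xs:element name="Password"  minOccurs="0"/>
      <xs:element name="Smartcard" minOccurs="0"/>
      <xs:element name="Token"     minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>

</xs:schema>

<!-- File 2 (hypothetical): authn-context-pword-example.xsd
     One context class. The redefine brings the utility types into this
     class's namespace and replaces AuthnMethodBaseType with a restricted
     version of itself, so "base" and derived type share a namespace. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:example:ac:classes:Password"
           xmlns="urn:example:ac:classes:Password"
           elementFormDefault="qualified">

  <xs:redefine schemaLocation="authn-context-types-example.xsd">
    <!-- Inside xs:redefine the type name and the restriction base must be
         the same QName; the unprefixed name resolves to this schema's
         targetNamespace because that is the default namespace above. -->
    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <!-- Valid restriction: Password becomes mandatory, the other
                 optional particles are dropped. -->
            <xs:element name="Password" minOccurs="1"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
  </xs:redefine>

</xs:schema>
```

A document validated against the second schema must contain exactly one Password child under AuthnMethod and nothing else, while the first schema on its own accepts any combination of the three. Because the restriction now happens within a single namespace, a conforming validator can check it; a restriction whose base lives in another namespace, as in the original layout, is simply ill-formed schema, whether or not a given validator reports it.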