security-services message



Subject: RE: [security-services] SAML Authn Ctx Combination Spec


It would seem ok, but a bit awkward.

Would your example be changed to

<RequestedAuthnContexts RACComparison="all">
  <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
  <RequestedAuthnContexts RACComparison="exact">
    <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
  </RequestedAuthnContexts>
</RequestedAuthnContexts>

Is that what you're trying to say?

Why not just have a top level (maxOccurs="1") RequestedAuthnContext element that then defines an unlimited number of RequestedAuthnContext elements that have a comparison operator attribute and contain the saml AuthnContextClassRef element. 

Do I need to satisfy all the RequestedAuthnContext elements in order to satisfy the RequestedAuthnContexts element? I.e., in your example you say this is an AND -- so I assume the answer is yes. I.e., you cannot express that you are requesting either AC-1 or AC-2 (exactly) in your schema.

Tom.

> -----Original Message-----
> From: Paul Madsen [mailto:paulmadsen@rogers.com]
> Sent: Thursday, July 06, 2006 4:29 PM
> To: Thomas Wisniewski
> Cc: OASIS SSTC
> Subject: Re: [security-services] SAML Authn Ctx Combination Spec
>
>
> Hi Tom, thanks for the review. Yes, there does appear to be a hitch.
>
> The schema for RequestedAuthnContextsType is defined circularly so that
> there can be nested <RequestedAuthnContexts> elements.
>
> But, we also have a processing rule that says
>
> A sender MUST NOT include more than one <rac:RequestedAuthnContexts>
> extension element in a given request message.
>
>
> I think we can resolve the issue by changing the above text to
>
> A sender MUST NOT include more than one <rac:RequestedAuthnContexts>
> extension element in a given request message unless those multiple
> <rac:RequestedAuthnContexts> elements are nested.
>
> Thoughts?
>
> paul
>
>
> Thomas Wisniewski wrote:
> > Paul, Ashish, hi.
> > 
> > I'm reading the 5/18 spec (draft 2).
> > 
> > It seems like the text and the schema limit the RequestedAuthnContexts
> > to 1 instance per message. Yet the example xml and text clearly
> > require multiple instances of this element in order to function the
> > way you want it??
> > 
> > Tom.
> > 
> >
> > *Thomas Wisniewski*
> > Software Architect
> > Phone: (201) 891-0524
> > Cell: (201) 248-3668
> > 
> > Entrust
> > Securing Digital Identities
> > & Information
> >
>
> --
> Paul Madsen             e:paulmadsen @ ntt-at.com
> NTT                     p:613-482-0432
>                         m:613-302-1428
>                         aim:PaulMdsn5
>                         web:connectid.blogspot.com
>
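The following is an added worked example, not code from the thread or from the draft spec under discussion. It implements the processing rule Paul proposes (at most one rac:RequestedAuthnContexts per request unless the additional ones are nested) and evaluates the nested structure the way Tom reads it: a container is satisfied only when every child is (AND), and a saml:AuthnContextClassRef is satisfied only by a verbatim match. The rac namespace URI is a placeholder (the draft's real URI is not on the page), RACComparison is only checked against the two values that appear in the thread ("all" and "exact"), and the sample AuthnRequest is constructed for the example.

```python
# Added example: validator/evaluator for a nested rac:RequestedAuthnContexts
# extension. Not code from the SSTC thread or the draft spec.
# Assumptions: RAC_NS is a placeholder namespace; RACComparison values are
# limited to "all" and "exact" as seen in the thread; every container is an
# AND over its children; class refs match only verbatim.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
RAC_NS = "urn:example:rac"  # placeholder; the draft's real URI is not on the page
KNOWN_COMPARISONS = ("all", "exact")


def q(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


class RacError(ValueError):
    """Malformed or over-constrained RequestedAuthnContexts extension."""


def top_level_rac(authn_request_xml):
    """Return the single top-level rac:RequestedAuthnContexts element under
    samlp:Extensions, or None when absent. More than one at top level is an
    error; nested occurrences inside that one element are allowed."""
    root = ET.fromstring(authn_request_xml.strip())
    ext = root.find(q(SAMLP_NS, "Extensions"))
    if ext is None:
        return None
    # findall on a tag matches direct children only, so nested ones are not counted
    tops = ext.findall(q(RAC_NS, "RequestedAuthnContexts"))
    if len(tops) > 1:
        raise RacError("%d top-level RequestedAuthnContexts elements; at most one allowed" % len(tops))
    return tops[0] if tops else None


def unmet_refs(rac, offered):
    """Return every class ref in the subtree that `offered` (the set of
    AuthnContext class URIs the IdP can assert) does not match verbatim.
    An empty list means the whole structure is satisfied, since each
    container requires all of its children."""
    mode = rac.get("RACComparison", "exact")
    if mode not in KNOWN_COMPARISONS:
        raise RacError("unknown RACComparison %r" % mode)
    missing = []
    for child in rac:
        if child.tag == q(SAML_NS, "AuthnContextClassRef"):
            ref = (child.text or "").strip()
            if ref not in offered:
                missing.append(ref)
        elif child.tag == q(RAC_NS, "RequestedAuthnContexts"):
            missing.extend(unmet_refs(child, offered))
        else:
            raise RacError("unexpected child %s" % child.tag)
    return missing


def evaluate(authn_request_xml, offered):
    """True when the request carries no extension or its extension can be
    satisfied from `offered`."""
    rac = top_level_rac(authn_request_xml)
    return rac is None or not unmet_refs(rac, offered)


# Constructed sample request mirroring the nested shape sketched in the thread.
PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NESTED_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" xmlns:rac="%s"
    ID="_1" Version="2.0" IssueInstant="2006-07-06T20:29:00Z">
  <samlp:Extensions>
    <rac:RequestedAuthnContexts RACComparison="all">
      <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
      <rac:RequestedAuthnContexts RACComparison="exact">
        <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
      </rac:RequestedAuthnContexts>
    </rac:RequestedAuthnContexts>
  </samlp:Extensions>
</samlp:AuthnRequest>
""" % (SAMLP_NS, SAML_NS, RAC_NS, PKI, PWD)

# Two sibling extension elements: the case the processing rule forbids.
SIBLING_REQUEST = NESTED_REQUEST.replace(
    "</samlp:Extensions>",
    '<rac:RequestedAuthnContexts RACComparison="exact"/></samlp:Extensions>')

if __name__ == "__main__":
    print(evaluate(NESTED_REQUEST, {PKI, PWD}))   # both refs offered
    print(evaluate(NESTED_REQUEST, {PKI}))        # nested ref unmet
    try:
        evaluate(SIBLING_REQUEST, {PKI, PWD})
    except RacError as e:
        print("rejected:", e)
```

Because every container is an AND over its children, two class refs at the same level are both required; the example therefore also shows concretely the point Tom raises, that "either AC-1 or AC-2" cannot be expressed in this structure.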
