security-services message



Subject: Re: [security-services] SAML Authn Ctx Combination Spec


Thomas Wisniewski wrote:
>
> It would seem ok, but a bit awkward.
>
Why?
>
> Would your example be changed to
>
> <RequestedAuthnContexts RACComparison="all">
>   <saml:AuthnContextClassRef...></..>
>   <RequestedAuthnContexts RACComparison="exact">
>     <saml:AuthnContextClassRef...></..>
>   </RequestedAuthnContexts>
> </RequestedAuthnContexts>
>
> Is that what you're trying to say?
>
The example wouldn't change. I was proposing leaving the schema as is,
merely loosening the text that disallowed multiple
<RequestedAuthnContexts> elements in a message.
>
> Why not just have a top level (maxOccurs="1") RequestedAuthnContext 
> element that then defines an unlimited number of RequestedAuthnContext 
> elements that have a comparison operator attribute and contain the 
> saml AuthnContextClassRef element.
>
So, something like:

<!-- Top-level container: an unbounded list of RequestedAuthnContext elements -->
<complexType name="RequestedAuthnContextsType">
   <sequence>
        <element ref="RequestedAuthnContext" maxOccurs="unbounded"/>
   </sequence>
</complexType>

<!-- Each entry carries its own comparison operator and a list of class refs -->
<complexType name="RequestedAuthnContextType">
   <sequence>
        <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
   </sequence>
   <attribute name="RACComparison" type="anyURI" use="optional"/>
</complexType>

We wanted the comparison operator on the top-level element as well.
Given that, we tried to minimize the number of new elements by
introducing the nesting.

Additionally, the above forces an SP to insert the 
<RequestedAuthnContext> element even when all they want to do is give a 
list of <AuthnContextClassRef>s they want combined.
>
> Do I need to satisfy all the RequestedAuthnContext elements in order 
> to satisfy the RequestedAuthnContexts element? I.e., in your example 
> you say this is an AND -- so I assume the answer is yes. I.e., you 
> cannot express that you are requesting either AC-1 or AC-2 (exactly) 
> in your schema.
>
The 'all' on the outermost <RequestedAuthnContexts> in the example
requires you to satisfy both. We don't have an 'either', but neither does
core SAML.
>
--
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
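The following is an added example, not part of this thread or of any OASIS draft, showing how a service provider's nested <RequestedAuthnContexts> request (in the shape of the example quoted above) can be evaluated against the authentication context class refs an IdP actually asserted. The namespace URIs, class-ref URIs and the exact meaning of the RACComparison values are assumptions modelled on the discussion: "all" is an AND over every child, "exact" requires each listed class ref to be present verbatim, a missing attribute inherits the enclosing group's operator, and any other value fails closed. As Paul notes, there is no "either" operator, so the evaluator provides none.

```python
"""Evaluate a nested <RequestedAuthnContexts> request against the set of
authn context class refs an IdP can assert for the principal.

Added example for this thread, not code from any OASIS draft.  Assumed rules:

  RACComparison="all"   every child (class ref or nested group) must be met.
  RACComparison="exact" every listed class ref must be present verbatim in
                        the asserted set; nested groups are not allowed here.
  missing attribute     inherited from the enclosing group ("all" at top).
  anything else         fail closed: the request is reported as unmet.

There is deliberately no "either"/OR operator.
"""
import xml.etree.ElementTree as ET

# Placeholder namespaces (constructed for this example, not the real SAML URIs).
SAMLP = "urn:example:samlp"
SAML = "urn:example:saml"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def evaluate(group, asserted, inherited="all"):
    """Return (satisfied, unmet) for one <RequestedAuthnContexts> group.

    `asserted` is the set of class-ref URIs the IdP authenticated with;
    `unmet` lists every ref or structural problem that blocked satisfaction.
    """
    comparison = group.get("RACComparison", inherited)
    if comparison not in ("all", "exact"):
        # Unknown operator: never guess, treat the whole group as unmet.
        return False, [f"unknown RACComparison {comparison!r}"]
    unmet = []
    for child in group:
        name = _local(child.tag)
        if name == "AuthnContextClassRef":
            ref = (child.text or "").strip()
            if ref not in asserted:
                unmet.append(ref)
        elif name == "RequestedAuthnContexts" and comparison == "all":
            ok, sub = evaluate(child, asserted, comparison)
            if not ok:
                unmet.extend(sub)
        else:
            # "exact" groups hold class refs only; nothing is silently ignored.
            unmet.append(f"unexpected <{name}> under RACComparison={comparison}")
    return not unmet, unmet


def request_satisfied(xml_text, asserted):
    """Parse a request document and evaluate its top-level group."""
    root = ET.fromstring(xml_text)
    return evaluate(root, set(asserted))


# Constructed request in the shape of the quoted example: AC-1 must be met
# AND the nested exact group (AC-2) must be met.
REQUEST = f"""
<samlp:RequestedAuthnContexts xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
                              RACComparison="all">
  <saml:AuthnContextClassRef>urn:example:ac:AC-1</saml:AuthnContextClassRef>
  <samlp:RequestedAuthnContexts RACComparison="exact">
    <saml:AuthnContextClassRef>urn:example:ac:AC-2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContexts>
</samlp:RequestedAuthnContexts>
"""

if __name__ == "__main__":
    for asserted in (["urn:example:ac:AC-1", "urn:example:ac:AC-2"],
                     ["urn:example:ac:AC-1"]):
        print(asserted, request_satisfied(REQUEST, asserted))
```

Running the block shows the AND semantics the thread describes: asserting both AC-1 and AC-2 satisfies the request, while asserting only one of them does not, and the returned `unmet` list names the missing ref so the mismatch can be logged at the IdP.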
