security-services message


Subject: Re: [security-services] SAML Authn Ctx Combination Spec

Thomas Wisniewski wrote:
> It would seem ok, but a bit awkward.
> Would your example be changed to
> <RequestedAuthnContexts RACComparison="all">
>   <saml:AuthnContextClassRef...></..>
>   <RequestedAuthnContexts RACComparison="exact">
>     <saml:AuthnContextClassRef...></..>
>   </RequestedAuthnContexts>
> </RequestedAuthnContexts>
> Is that what you're trying to say?
The example wouldn't change. I was proposing leaving the schema as is, 
merely loosening the text that disallowed multiple 
<RequestedAuthnContexts> elements in a message.
> Why not just have a top level (maxOccurs="1") RequestedAuthnContext 
> element that then defines an unlimited number of RequestedAuthnContext 
> elements that have a comparison operator attribute and contain the 
> saml AuthnContextClassRef element.
So, something like

<complexType name="RequestedAuthnContextsType">
  <sequence>
    <element ref="RequestedAuthnContext" maxOccurs="unbounded"/>
  </sequence>
</complexType>

<complexType name="RequestedAuthnContextType">
  <sequence>
    <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
  </sequence>
  <attribute name="RACComparison" type="anyURI" use="optional"/>
</complexType>

We wanted the comparison operator on the top-level element as well. 
Given that, we tried to minimize the number of new elements by 
introducing the nesting.

Additionally, the above forces an SP to insert the 
<RequestedAuthnContext> element even when all they want to do is give a 
list of <AuthnContextClassRef>s they want combined.
> Do I need to satisfy all the RequestedAuthnContext elements in order 
> to satisfy the RequestedAuthnContexts element? I.e., in your example 
> you say this is an AND -- so I assume the answer is yes. I.e., you 
> cannot express that you are requesting either AC-1 or AC-2 (exactly) 
> in your schema.
The 'all' on the outermost <RequestedAuthnContexts> in the example 
requires you to satisfy both. We don't have an 'either' but neither does 
core SAML.
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
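As an added example that is not part of the thread or of any SAML specification, the following Python shows how an identity provider might evaluate a nested <RequestedAuthnContexts> request of the shape discussed above against the authentication context classes it can assert for a session. The SAML namespace, the placeholder class URIs, the default comparison when the attribute is absent, and the precise meaning of "exact" (literal URI match of every listed ref, no either/or) are assumptions made for this example; unknown comparison values and empty groups are treated as unsatisfiable so that a malformed or unexpected request fails closed rather than being waved through.

```python
import xml.etree.ElementTree as ET

# Namespace assumed for saml:AuthnContextClassRef in this example (the SAML 2.0
# assertion namespace); the draft discussed in the thread may have used another.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLASS_REF = "{%s}AuthnContextClassRef" % SAML_NS

# Constructed request with the nested shape from the thread: an outer 'all'
# group holding one class ref and an inner 'exact' group. The class URIs are
# placeholders, not registered SAML authentication context classes.
REQUEST_XML = """
<RequestedAuthnContexts RACComparison="all" xmlns:saml="%s">
  <saml:AuthnContextClassRef>urn:example:ac:password</saml:AuthnContextClassRef>
  <RequestedAuthnContexts RACComparison="exact">
    <saml:AuthnContextClassRef>urn:example:ac:smartcard</saml:AuthnContextClassRef>
  </RequestedAuthnContexts>
</RequestedAuthnContexts>
""" % SAML_NS


def group_satisfied(group, asserted):
    """Return True if the asserted class URIs satisfy one RequestedAuthnContexts group.

    Semantics assumed for this example, following the thread:
      'all'   - every child, class ref or nested group, must be satisfied.
      'exact' - each listed class ref must match an asserted URI exactly
                (no substitution by a 'stronger' class, no either/or).
    Any other comparison value or an unexpected child element raises, and an
    empty group is never satisfied, so odd requests fail closed.
    """
    comparison = group.get("RACComparison", "exact")  # default is an assumption
    if comparison not in ("all", "exact"):
        raise ValueError("unsupported RACComparison %r" % comparison)
    results = []
    for child in group:
        if child.tag == CLASS_REF:
            results.append((child.text or "").strip() in asserted)
        elif child.tag == "RequestedAuthnContexts":
            results.append(group_satisfied(child, asserted))
        else:
            raise ValueError("unexpected element %s" % child.tag)
    # Both comparisons reduce to a conjunction: 'all' over the children,
    # 'exact' over the listed refs. This is why no 'either' can be expressed.
    return bool(results) and all(results)


def evaluate_request(xml_text, asserted):
    """Parse a RequestedAuthnContexts document and evaluate it against the set
    of authentication context class URIs the IdP can assert for this session."""
    root = ET.fromstring(xml_text)
    if root.tag != "RequestedAuthnContexts":
        raise ValueError("root must be RequestedAuthnContexts, got %s" % root.tag)
    return group_satisfied(root, set(asserted))


if __name__ == "__main__":
    both = {"urn:example:ac:password", "urn:example:ac:smartcard"}
    print(evaluate_request(REQUEST_XML, both))                          # True
    print(evaluate_request(REQUEST_XML, {"urn:example:ac:password"}))   # False
```

The asserted contexts are modelled as a set rather than a single class because the outer 'all' in the thread's example can only be met when more than one context has been established for the session; a single-class model would make every such request unsatisfiable.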
