[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] AuthnContextDecl and AuthnContextDeclRef
The Core spec (Section 1.3.2, lines 303-305) says: "Unless otherwise indicated in this specification, all URI reference values used within SAML-defined elements or attributes MUST consist of at least one non-whitespace character, and are REQUIRED to be absolute [RFC 2396]." We did away with (implicitly) allowing relative URIs after running into problems in V1.0, if I remember correctly. Eve Eric Tiffany wrote: > Another issue from our recent SAML testing. > > A question arose whether an IdP can use an unspecified authentication > context when the SP did not specify how it wished to be authenticated. One > vendor was returning in its authentication statement > > <saml:AuthnContext> > <saml:AuthnContextClassRef> > urn:oasis:names:tc:SAML:2.0:ac:classes:Password > </saml:AuthnContextClassRef> > <saml:AuthnContextDeclRef> > name/password/uri > </saml:AuthnContextDeclRef> > </saml:AuthnContext> > > Another vendor rejected this statement saying the URI is proprietary and > does not recognize it. They quoted from SAML Core 2.7.2.2Š > > ²<AuthnContextDecl> or <AuthnContextDeclRef> [Optional] Either an > authentication context declaration provided by value, or a URI reference > that identifies such a declaration. The URI reference MAY directly resolve > into an XML document containing the referenced declaration.² > > And from SAML Core 7.2.1 > > ³The following constructs in the assertion schema allow constructs from > arbitrary namespaces within them: <AuthnContextDecl>: Uses xs:anyType, which > allows any sub-elements and attributes.² > > > So there are a couple of issues: > > - The <AuthnContextDeclRef> in the example above is a relative URI, so it > is questionable whether it "identifies" a declaration, particularly in the > absence of any base URI. > > - The text describing AuthnContextDecl and AuthnContextDeclRef is a bit > confusing, since it says "either [...] a declaration provided by value, or a > URI reference". Of course the schema is clear on which is which, but an > implementer might be confused and think that either element may contain > either a URI or a anyType > > - In this case, where the SP didn't specify the AuthnContext in the > request, the IDP is free to do what it wants. However, perhaps there should > be some guidance about how this should be handled in practice. > > Consulted on the matter, Greg Whitehead noted that this was more of a > configuration issue where both parties needed to agree out-of-band rather > than a failure to be conformant to the standard. It might be worth adding > some language to this effect in the discussion of the > <RequestedAuthnContext> element (sec 3.4.1, line 2034 of saml core). > > Also, it might be worth clarifying the language at 2.7.2.2 so that the type > of the two elements is less ambiguous. > > ET > -- Eve Maler +1 425 947 4522 Technology Director eve.maler @ sun.com CTO Business Alliances group Sun Microsystems, Inc.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]