[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Re: Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)
<complexType name="AuthnRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:Subject" minOccurs="0"/>
*<element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>*
<element ref="samlp:NameIDPolicy" minOccurs="0"/>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
<element ref="samlp:Scoping" minOccurs="0"/>
</sequence>
<attribute name="ForceAuthn" type="boolean" use="optional"/>
<attribute name="IsPassive" type="boolean" use="optional"/>
<attribute name="ProtocolBinding" type="anyURI" use="optional"/>
<attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
<attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="ProviderName" type="string" use="optional"/>
</extension>
</complexContent>
</complexType>
Met vriendelijke groet,
drs. Martijn Kaag
tel +31 (0) 88 01 20 222 | gsm +31 (0) 6 42 94 00 93 | skype martijn.kaag-connectis
On 12/10/14, 6:26 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:
>
>The requirement to request attributes over a front end channel (either to
>facilitate consent or to allow for user interaction) if one that I
>encounter more often. A possible direction is to combine an AuthnRequest
>and AttributeQuery in one by extending
> AuthnRequestType with the zero or more <saml:Attribute>.
The reason the Extensions element was created in the schema was because
extending message types has no real benefit when it comes to getting off
the shelf code to work. If you have implementations that don't have any
customizability with respect to Extensions, that's basically a functional
limitation that has to be addressed if the code base has any hope of
longevity. OTOH, expecting SSO logic to handle arbitrary message types is
not realistic in practice.
So that's why a dedicated mechanism for extension of *existing* message
semantics was created.
TL,DR; extending AuthnRequest in the XML sense is a non-starter.
-- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]