Subject: RE: [security-services] SAML Authn Ctx Combination Spec
It would seem ok, but a bit awkward.
Would your example be changed to
  <RequestedAuthnContexts RACComparison="all">
    <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
    <RequestedAuthnContexts RACComparison="exact">
      <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
    </RequestedAuthnContexts>
  </RequestedAuthnContexts>
Is that what you're trying to say?
Why not just have a top level (maxOccurs="1") RequestedAuthnContext element that then defines an unlimited number of RequestedAuthnContext elements that have a comparison operator attribute and contain the saml AuthnContextClassRef element.
Do I need to satisfy all the RequestedAuthnContext elements in order to satisfy the RequestedAuthnContexts element? I.e., in your example you say this is an AND -- so I assume the answer is yes. I.e., you cannot express that you are requesting either AC-1 or AC-2 (exactly) in your schema.
Tom.
> -----Original Message-----
> From: Paul Madsen [mailto:paulmadsen@rogers.com]
> Sent: Thursday, July 06, 2006 4:29 PM
> To: Thomas Wisniewski
> Cc: OASIS SSTC
> Subject: Re: [security-services] SAML Authn Ctx Combination Spec
>
>
> Hi Tom, thanks for the review. Yes, there does appear to be a hitch
>
> The schema for RequestedAuthnContextsType is defined
> circularly so that
> there can be nested <RequestedAuthnContexts> elements.
>
> But, we also have a processing rules that says
>
> A sender MUST NOT include more than one <rac:RequestedAuthnContexts>
> extension element in a given request message.
>
>
> I think we can resolve the issue by changing the above text to
>
> A sender MUST NOT include more than one <rac:RequestedAuthnContexts>
> extension element in a given request message unless those multiple
> <rac:RequestedAuthnContexts> elements are nested.
>
> Thoughts?
>
> paul
>
>
> Thomas Wisniewski wrote:
> > Paul, Ashish, hi.
> >
> > I'm reading the 5/18 spec (draft 2).
> >
> > It seems like the text and the schema limit the RequestedAuthnContexts
> > to 1 instance per message. Yet the example xml and text clearly
> > require multiple instances of this element in order to function the
> > way you want it??
> >
> > Tom.
> >
> >
> > *Thomas Wisniewski*
> > Software Architect
> > Phone: (201) 891-0524
> > Cell: (201) 248-3668
> >
> > Entrust
> > Securing Digital Identities
> > & Information
> >
>
> --
> Paul Madsen e:paulmadsen @ ntt-at.com
> NTT p:613-482-0432
> m:613-302-1428
> aim:PaulMdsn5
> web:connectid.blogspot.com
>
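Added example, not code from this thread or from the OASIS draft it discusses: a small checker for the two points raised above, Paul's proposed sender rule (no more than one <rac:RequestedAuthnContexts> extension element per request unless the extra ones are nested) and Tom's AND reading of nested elements, under which "either AC-1 or AC-2" cannot be expressed. The rac: namespace URI, the class-ref values and the sample requests are constructed; RACComparison is only checked for presence, since the page does not define its values.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"    # real SAML 2.0 protocol namespace
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"    # real SAML 2.0 assertion namespace
RAC_NS = "urn:example:rac-placeholder"                # placeholder: the draft's namespace is not on the page

RAC = f"{{{RAC_NS}}}RequestedAuthnContexts"
CLASS_REF = f"{{{SAML_NS}}}AuthnContextClassRef"


def top_level_rac_elements(root):
    """Return the <rac:RequestedAuthnContexts> elements that are not nested
    inside another one. Paul's proposed rule holds iff at most one exists."""
    parents = {child: parent for parent in root.iter() for child in parent}
    return [el for el in root.iter(RAC) if parents[el].tag != RAC]


def sender_rule_ok(xml_text):
    """True iff the request carries at most one top-level extension element."""
    return len(top_level_rac_elements(ET.fromstring(xml_text))) <= 1


def satisfied(rac_element, presented):
    """AND semantics as Tom reads the draft: every class ref listed directly
    under the element must be in `presented` (the set of authn context
    classes actually used), and every nested element must be satisfied too."""
    if rac_element.get("RACComparison") is None:
        raise ValueError("RequestedAuthnContexts without RACComparison")
    for child in rac_element:
        if child.tag == CLASS_REF:
            if (child.text or "").strip() not in presented:
                return False
        elif child.tag == RAC:
            if not satisfied(child, presented):
                return False
        else:
            raise ValueError(f"unexpected child element {child.tag}")
    return True


def request_satisfied(xml_text, presented):
    """Evaluate the (single) top-level element of a rule-conforming request."""
    tops = top_level_rac_elements(ET.fromstring(xml_text))
    if len(tops) != 1:
        raise ValueError("expected exactly one top-level RequestedAuthnContexts")
    return satisfied(tops[0], set(presented))


def _request(extension_body):
    # Constructed sample AuthnRequest wrapper around the given extension content.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'xmlns:rac="{RAC_NS}"><samlp:Extensions>{extension_body}'
        "</samlp:Extensions></samlp:AuthnRequest>"
    )


# Constructed sample: one top-level element with a nested one (allowed by Paul's rule).
NESTED_REQUEST = _request(
    '<rac:RequestedAuthnContexts RACComparison="all">'
    "<saml:AuthnContextClassRef>urn:example:ac:password</saml:AuthnContextClassRef>"
    '<rac:RequestedAuthnContexts RACComparison="exact">'
    "<saml:AuthnContextClassRef>urn:example:ac:smartcard</saml:AuthnContextClassRef>"
    "</rac:RequestedAuthnContexts>"
    "</rac:RequestedAuthnContexts>"
)

# Constructed sample: two sibling elements, which Paul's rule forbids.
SIBLING_REQUEST = _request(
    '<rac:RequestedAuthnContexts RACComparison="exact">'
    "<saml:AuthnContextClassRef>urn:example:ac:password</saml:AuthnContextClassRef>"
    "</rac:RequestedAuthnContexts>"
    '<rac:RequestedAuthnContexts RACComparison="exact">'
    "<saml:AuthnContextClassRef>urn:example:ac:smartcard</saml:AuthnContextClassRef>"
    "</rac:RequestedAuthnContexts>"
)

if __name__ == "__main__":
    print("nested request conforms:", sender_rule_ok(NESTED_REQUEST))
    print("sibling request conforms:", sender_rule_ok(SIBLING_REQUEST))
    # Only the conjunction of both contexts satisfies the nested tree:
    for used in ({"urn:example:ac:password"}, {"urn:example:ac:smartcard"},
                 {"urn:example:ac:password", "urn:example:ac:smartcard"}):
        print(sorted(used), "->", request_satisfied(NESTED_REQUEST, used))
```

The last loop shows Tom's point concretely: with AND at every level, a request listing password and smartcard is met only when both were used, and no arrangement of nesting makes "password or smartcard" expressible.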