Subject: RE: [security-services] SAML Authn Ctx Combination Spec
Paul, I agree with your sentiments.
Perhaps I'm looking at a diff version (5/18/06), but what you are proposing obviously changes the schema and the example (you indicated that neither would change). The current spec proposes a single element RequestedAuthnContexts that was nested, whereas the changes you propose below would indicate a list of RequestedAuthnContext elements inside a single RequestedAuthnContexts element. So the schema would change as you indicated below and the example would change to
<RequestedAuthnContexts RACComparison="all">
<RequestedAuthnContext RACComparison="exact">
<saml:AuthnContextClassRef...></..>
</RequestedAuthnContext>
<RequestedAuthnContext RACComparison="exact">
<saml:AuthnContextClassRef...></..>
</RequestedAuthnContext>
</RequestedAuthnContexts>
Tom.
> -----Original Message-----
> From: Paul Madsen [mailto:paulmadsen@rogers.com]
> Sent: Friday, July 07, 2006 8:27 AM
> To: Thomas Wisniewski
> Cc: OASIS SSTC
> Subject: Re: [security-services] SAML Authn Ctx Combination Spec
>
>
> Thomas Wisniewski wrote:
> >
> > It would seem ok, but a bit awkward.
> >
> why?
> >
> > Would your example be changed to
> >
> > <RequestedAuthnContexts RACComparison="all">
> > <saml:AuthnContextClassRef...></..>
> > <RequestedAuthnContexts RACComparison="exact">
> > <saml:AuthnContextClassRef...></..>
> > </RequestedAuthnContexts>
> > </RequestedAuthnContexts>
> >
> > Is that what you're trying to say?
> >
> the example wouldn't change. I was proposing leaving the
> schema as is,
> merely loosening the text that disallowed multiple
> <RequestedAuthnContexts> elements in a message
> >
> > Why not just have a top level (maxOccurs="1") RequestedAuthnContext
> > element that then defines an unlimited number of
> RequestedAuthnContext
> > elements that have a comparison operator attribute and contain the
> > saml AuthnContextClassRef element.
> >
> So, something like
>
> <complexType name="RequestedAuthnContextsType">
> <sequence>
> <element ref="RequestedAuthnContext" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <complexType name="RequestedAuthnContextType">
> <sequence>
> <element ref="saml:AuthnContextClassRef"
> maxOccurs="unbounded"/>
> </sequence>
> <attribute name="RACComparison" type="anyURI"
> use="optional"/> </complexType>
>
> we wanted the comparison operator on the top-level element as well.
> Given that, we tried to minimize the number of new elements by
> introducing the nesting.
>
> Additionally, the above forces an SP to insert the
> <RequestedAuthnContext> element even when all they want to do
> is give a
> list of <AuthnContextClassRef>s they want combined.
> >
> > Do I need to satisfy all the RequestedAuthnContext elements in order
> > to satisfy the RequestedAuthnContexts element? I.e., in
> your example
> > you say this is an AND -- so I assume the answer is yes. I.e., you
> > cannot express that you are requesting either AC-1 or AC-2
> (exactly)
> > in your schema.
> >
> the 'all' on the outermost <RequestedAuthnContexts> in the example
> requires you to satisfy both. We don't have an 'either' but
> neither does
> core SAML.
> >
> -
> Paul Madsen e:paulmadsen @ ntt-at.com
> NTT p:613-482-0432
> m:613-302-1428
> aim:PaulMdsn5
> web:connectid.blogspot.com
>
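The nested layout sketched in the message above (an outer RequestedAuthnContexts with RACComparison="all" wrapping RequestedAuthnContext children, each with its own operator and a list of saml:AuthnContextClassRef values), turned into a small evaluator an SP could run against the class references asserted for a session. This is an added example, not code from the thread or from any SAML implementation; it assumes the RequestedAuthnContexts element is un-namespaced, that "all" means every child must be satisfied, and that "exact" carries the SAML core meaning (the asserted class must equal one of the listed refs). Anything else is rejected rather than guessed.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLASS_REF = "{%s}AuthnContextClassRef" % SAML_NS
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"

# Constructed request in the layout from the message above: the outer "all"
# ANDs two "exact" children; the second child lists two acceptable classes.
SAMPLE_REQUEST = f"""
<RequestedAuthnContexts RACComparison="all" xmlns:saml="{SAML_NS}">
  <RequestedAuthnContext RACComparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </RequestedAuthnContext>
  <RequestedAuthnContext RACComparison="exact">
    <saml:AuthnContextClassRef>{X509}</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{SMARTCARD_PKI}</saml:AuthnContextClassRef>
  </RequestedAuthnContext>
</RequestedAuthnContexts>
"""


def _satisfied(elem, asserted):
    """Recursively decide whether the asserted class refs meet elem."""
    comparison = elem.get("RACComparison")  # assumed attribute name from the thread
    refs = [c.text.strip() for c in elem if c.tag == CLASS_REF and c.text]
    nested = [c for c in elem if c.tag != CLASS_REF]
    if comparison == "all":
        # Every nested request must hold; an empty list fails closed.
        return bool(nested) and all(_satisfied(c, asserted) for c in nested)
    if comparison == "exact" and not nested:
        # SAML core 'exact': the assertion's class must equal one listed.
        return any(r in asserted for r in refs)
    # Unknown operator or an unexpected shape: deny rather than guess.
    raise ValueError(f"unsupported RACComparison {comparison!r} on <{elem.tag}>")


def request_is_satisfied(request_xml, asserted_class_refs):
    """True if the set of asserted AuthnContextClassRef URIs meets the
    RequestedAuthnContexts document, False otherwise."""
    root = ET.fromstring(request_xml)
    return _satisfied(root, set(asserted_class_refs))


if __name__ == "__main__":
    print(request_is_satisfied(SAMPLE_REQUEST, {PPT, X509}))  # True
    print(request_is_satisfied(SAMPLE_REQUEST, {PPT}))        # False
```

A session that presents only one of the two AND-ed requirements is refused, and an operator the evaluator does not know (for example an "either" the thread notes is absent from core SAML) raises instead of silently passing.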