Subject: Re: [security-services] SAML Authn Ctx Combination Spec
Thomas Wisniewski wrote:
>
> It would seem ok, but a bit awkward.
>

Why?

> Would your example be changed to
>
> <RequestedAuthnContexts RACComparison="all">
>   <saml:AuthnContextClassRef...></..>
>   <RequestedAuthnContexts RACComparison="exact">
>     <saml:AuthnContextClassRef...></..>
>   </RequestedAuthnContexts>
> </RequestedAuthnContexts>
>
> Is that what you're trying to say?
>

The example wouldn't change. I was proposing leaving the schema as is, merely loosening the text that disallowed multiple <RequestedAuthnContexts> elements in a message.

> Why not just have a top level (maxOccurs="1") RequestedAuthnContext
> element that then defines an unlimited number of RequestedAuthnContext
> elements that have a comparison operator attribute and contain the
> saml AuthnContextClassRef element.
>
> So, something like
>
> <complexType name="RequestedAuthnContextsType">
>   <sequence>
>     <element ref="RequestedAuthnContext" maxOccurs="unbounded"/>
>   </sequence>
> </complexType>
>
> <complexType name="RequestedAuthnContextType">
>   <sequence>
>     <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
>   </sequence>
>   <attribute name="RACComparison" type="anyURI" use="optional"/>
> </complexType>
>

We wanted the comparison operator on the top-level element as well. Given that, we tried to minimize the number of new elements by introducing the nesting. Additionally, the above forces an SP to insert the <RequestedAuthnContext> element even when all they want to do is give a list of <AuthnContextClassRef>s they want combined.

> Do I need to satisfy all the RequestedAuthnContext elements in order
> to satisfy the RequestedAuthnContexts element? I.e., in your example
> you say this is an AND -- so I assume the answer is yes. I.e., you
> cannot express that you are requesting either AC-1 or AC-2 (exactly)
> in your schema.
>

The 'all' on the outermost <RequestedAuthnContexts> in the example requires you to satisfy both. We don't have an 'either', but neither does core SAML.
--
Paul Madsen
e:paulmadsen @ ntt-at.com
NTT
p:613-482-0432 m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
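As an added illustration (not part of the thread, and not the TC's schema or any implementation), the following evaluates the nested example above against the set of AuthnContextClassRef URIs an IdP actually asserted. It assumes the semantics discussed in the thread: RACComparison="all" requires every child to be satisfied, "exact" requires at least one listed child to match (core SAML exact matching), a missing RACComparison defaults to "exact", and the new element is unqualified since the thread gives no namespace for it.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLASS_REF = f"{{{SAML}}}AuthnContextClassRef"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed request fragment mirroring the thread's example: an outer "all"
# combination holding one class ref plus an inner "exact" alternative.
# The RequestedAuthnContexts namespace is an assumption (left unqualified).
REQUEST = f"""
<RequestedAuthnContexts xmlns:saml="{SAML}" RACComparison="all">
  <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  <RequestedAuthnContexts RACComparison="exact">
    <saml:AuthnContextClassRef>{AC}Smartcard</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}TimeSyncToken</saml:AuthnContextClassRef>
  </RequestedAuthnContexts>
</RequestedAuthnContexts>
""".strip()


def satisfied(node, asserted):
    """Recursively decide whether a RequestedAuthnContexts element is met by
    the set of class URIs the IdP asserted (assumed semantics, see lead-in)."""
    results = []
    for child in node:
        if child.tag == CLASS_REF:
            results.append((child.text or "").strip() in asserted)
        elif child.tag == "RequestedAuthnContexts":
            results.append(satisfied(child, asserted))  # nested combination
        else:
            raise ValueError(f"unexpected element {child.tag}")
    comparison = node.get("RACComparison", "exact")  # default is an assumption
    if comparison == "all":
        return all(results)   # AND: every listed ref / nested group must hold
    if comparison == "exact":
        return any(results)   # at least one listed ref must match exactly
    raise ValueError(f"unsupported RACComparison {comparison!r}")


def request_satisfied(xml_text, asserted):
    """Parse a request fragment and evaluate it against asserted class URIs."""
    return satisfied(ET.fromstring(xml_text), set(asserted))


if __name__ == "__main__":
    print(request_satisfied(REQUEST, {AC + "PasswordProtectedTransport", AC + "Smartcard"}))
    print(request_satisfied(REQUEST, {AC + "PasswordProtectedTransport"}))
```

The second call fails because the outer "all" makes the inner "exact" group mandatory, which is exactly the AND semantics the question about AC-1 / AC-2 is probing.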