
Authentication Context for the OASIS Security Assertion Markup Language (SAML)

OASIS Standard, 15 March 2005

Editors:
John Kemp, Nokia
Scott Cantor, Internet2
Prateek Mishra, Principal Identity
Rob Philpott, RSA Security
Eve Maler, Sun Microsystems

SAML Contributors:
Conor P. Cahill, AOL
John Hughes, Atos Origin
Hal Lockhart, BEA Systems
Michael Beach, Boeing
Rebekah Metz, Booz Allen Hamilton
Rick Randall, Booz Allen Hamilton
Thomas Wisniewski, Entrust
Irving Reid, Hewlett-Packard
Paula Austel, IBM
Maryann Hondo, IBM
Michael McIntosh, IBM
Tony Nadalin, IBM
Nick Ragouzis, Individual
Scott Cantor, Internet2
RL 'Bob' Morgan, Internet2
Peter C Davis, Neustar
Jeff Hodges, Neustar
Frederick Hirsch, Nokia
John Kemp, Nokia
Paul Madsen, NTT
Steve Anderson, OpenNetwork
Prateek Mishra, Principal Identity
John Linn, RSA Security



Rob Philpott, RSA Security
Jahan Moreh, Sigaba
Anne Anderson, Sun Microsystems
Eve Maler, Sun Microsystems
Ron Monzillo, Sun
Greg Whitehead, Trustgenix

Abstract:
This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML.

Status:
This is an OASIS Standard document produced by the Security Services Technical Committee. It was approved by the OASIS membership on 1 March. Committee members should submit comments and potential errata to the list. Others should submit them by filling out the web form. The committee will publish on its web page ( ) a catalog of any changes made to this document. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights web page for the Security Services TC ( ).

Copyright OASIS Open 2005. All Rights Reserved.

Table of Contents (entries as recovered from the extraction; several titles are truncated): 1 Introduction; Authentication Context Concepts; Notation and Terminology; 2 Authentication Context Declaration; Authentication Context Data Processing; Advantages of Authentication Context; Processing; Internet; Public Key; Public Key - XML Digital; Telephony ("Nomadic"); Telephony (Personalized); Telephony (Authenticated); Secure Remote; SSL/TLS Certificate-Based Client; A.; B.

1 Introduction

This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes.

Authentication Context Concepts

If a relying party is to rely on the authentication of a principal by an authentication authority, the relying party may require information additional to the assertion itself in order to assess the level of confidence they can place in that assertion.

This specification defines an XML Schema for the creation of authentication context declarations: XML documents that allow the authentication authority to provide to the relying party this additional information. Additionally, this specification defines a number of authentication context classes; categories into which many authentication context declarations will fall, thereby simplifying their interpretation.

The OASIS Security Assertion Markup Language does not prescribe a single technology, protocol, or policy for the processes by which authentication authorities issue identities to principals and by which those principals subsequently authenticate themselves to the authentication authority. Different authentication authorities will choose different technologies, follow different processes, and be bound by different legal obligations with respect to how they authenticate principals.

The choices that an authentication authority makes here will be driven in large part by the requirements of the relying parties with which the authentication authority interacts. These requirements themselves will be determined by the nature of the service (that is, the sensitivity of any information exchanged, the associated financial value, the relying parties' risk tolerance, etc.) that the relying party will be providing to the principal.

Consequently, for anything other than trivial services, if the relying party is to place sufficient confidence in the authentication assertions it receives from an authentication authority, it will be necessary for it to know which technologies, protocols, and processes were used or followed for the original authentication mechanism on which the authentication assertion is based. Armed with this information and trusting the origin of the actual assertion, the relying party will be better able to make an informed entitlements decision regarding what services the subject of the authentication assertion should be allowed to access.

Authentication context is defined as the information, additional to the authentication assertion itself, that the relying party may require before it makes an entitlements decision with respect to an authentication assertion. Such context may include, but is not limited to, the actual authentication method used (see the SAML assertions and protocols specification [SAMLCore] for more information).

Notation and Terminology

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC 2119].

Listings of XML schemas and example code listings each appear in their own distinct typographical style.

This specification uses schema documents conforming to W3C XML Schema [Schema1] and normative text to describe the syntax and semantics of XML-encoded SAML assertions and protocol messages.

In cases of disagreement between the SAML Authentication Context schema documents and schema listings in this specification, the schema documents take precedence. Note that in some cases the normative text of this specification imposes constraints beyond those indicated by the schema documents.

Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:

Prefix   XML Namespace              Comments
ac:      urn:OASIS:names:tc: :ac    This is the namespace defined in this specification and in a schema [SAMLAC-xsd].
xs:                                 This namespace is defined in the W3C XML Schema specification [Schema1].

This specification uses the following typographical conventions in text: <SAMLElement>, <ns:ForeignElement>, XMLAttribute, Datatype.

2 Authentication Context Declaration

If a relying party is to rely on the authentication of another entity by an authentication authority, the relying party may require information additional to the authentication itself to allow it to put the authentication into a risk-management context.
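The entitlements decision described in the Authentication Context Concepts section and again here, as an added example that is not part of the specification: a relying party reads the authentication context class asserted in a SAML assertion and checks it against the minimum its service requires. The ranking of classes (RP_RANKING), the sample assertion and the function names are constructed for this example; the class URIs are the SAML V2.0 authentication context class identifiers, and signature and issuer validation are assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Relying-party policy, an assumption for this example: the order in which
# this RP ranks the context classes it accepts, weakest first. The spec
# leaves this ranking to the relying party's own risk assessment.
RP_RANKING = [
    AC + "Password",
    AC + "PasswordProtectedTransport",
    AC + "Kerberos",
    AC + "TLSClient",
    AC + "X509",
]

# Constructed sample assertion (not from the spec); the Signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2005-03-15T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def asserted_class(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef of the first AuthnStatement, or None
    when the assertion carries no class reference at all."""
    root = ET.fromstring(assertion_xml)
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ref = root.find(path, SAML_NS)
    return ref.text.strip() if ref is not None and ref.text else None


def meets_minimum(assertion_xml: str, minimum_class: str) -> bool:
    """Entitlements check: does the asserted context rank at or above the
    minimum this service requires? Assumes the assertion's signature and
    issuer were validated first (trusting the origin, as the text puts it);
    a missing, unknown or unranked class is rejected rather than guessed."""
    cls = asserted_class(assertion_xml)
    if cls not in RP_RANKING or minimum_class not in RP_RANKING:
        return False
    return RP_RANKING.index(cls) >= RP_RANKING.index(minimum_class)
```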

