SAML 2.0 Shared Credentials Authentication Context Extension and Related Classes
Committee Draft 03, 11 September 2006
Document identifier:
draft-sstc-saml-context-ext-sc-cd-03
Location:
http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
Technical Committee:
OASIS Security Services TC
Chair(s):
Hal Lockhart, BEA Systems, Inc
Prateek Mishra, Oracle
Editors:
Paul Madsen (paul.madsen@ntt-at.com), NTT
Ashish Patel (ashish.patel@rd.francetelecom.com), France Telecom
Abstract:
This specification defines an authentication context extension to the SAML 2.0 Authentication Context specification [SAMLAC] that allows providers to distinguish whether or not the credential by which a principal authenticates to the identity provider is known to be shared amongst a group of users or unique to that user. Two new Authentication Context classes and associated schemas are also introduced to distinguish between these two cases.
Readers should be familiar with [SAMLAC] before reading this document.
Status
This is a Committee Draft approved by the Security Services Technical Committee on 11 September 2006.
Committee members should submit comments and potential errata to the security-services@lists.oasis-open.org list. Others should submit them by filling out the web form located at http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=security.
For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights web page for the Security Services TC (http://www.oasis-open.org/committees/security/ipr.php).
Table of Contents
1 Introduction 3
1.1 Notation 3
2 Shared Credential SAML Authentication Context Extension 5
2.1 Element <sc:SharedCredential> 5
2.2 Example 5
2.3 Processing Rules 6
3 Authentication Context Shared Credential Classes 7
3.1.1 Shared Credential 7
3.1.2 Unique Credential 8
4 References 10
4.1 Normative References 10
Appendix A. Acknowledgements 11
Appendix B. Notices 12
The SAML Authentication Context schema [SAMLAC-schema] provides extension points through the <Extension> element so that elements in non-SAML namespaces can be added to declarations and class definitions.
This specification defines an extension to the SAML 2.0 Authentication Context core schema specification that can be optionally used to distinguish whether the credential used by a principal to authenticate is known to be shared with other principals – an important aspect of authentication in many telco use cases.
To simplify how providers describe this aspect of authentication context, this specification also introduces two new Authentication Context classes that differ only in this aspect.
This specification uses normative text.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC 2119]:
…they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)…
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
| Prefix | XML Namespace | Comments |
|---|---|---|
| saml: | urn:oasis:names:tc:SAML:2.0:assertion | This is the SAML V2.0 assertion namespace [SAMLCore]. |
| samlp: | urn:oasis:names:tc:SAML:2.0:protocol | This is the SAML V2.0 protocol namespace [SAMLCore]. |
| md: | urn:oasis:names:tc:SAML:2.0:metadata | This is the SAML V2.0 metadata namespace [SAMLMeta]. |
| sc: | urn:oasis:names:tc:SAML:context:ext:sc | This is the shared credential authentication context extension namespace developed herein [sc-xsd]. |
| xsd: | http://www.w3.org/2001/XMLSchema | This namespace is defined in the W3C XML Schema specification [Schema1]. In schema listings, this is the default namespace and no prefix is shown. |
This specification uses the following typographical conventions in text: <SAMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode.
Certain telco use cases demand the ability for IDPs and SPs to distinguish between whether a principal is authenticated with a credential that is known to be shared amongst a group (e.g. a home phone or an internet kiosk) or unique to that principal. The existing SAML AC core schema does not explicitly support this aspect of authentication.
This section defines an extension to the SAML 2.0 authentication context schema that can be optionally used to express this aspect of authentication context. The extension may optionally appear within the <ac:PrincipalAuthenticationMechanism> element to either further qualify the specific authentication mechanism (e.g. Password, Token, Smartcard, etc) used by the principal or on its own.
The <sc:SharedCredential> element distinguishes between the two cases: the credential used to authenticate is known to be shared amongst a group of users, or it is not.
The following schema fragment defines the <sc:SharedCredential> element:
<element name="SharedCredential" type="SharedCredentialType">
  <annotation>
    <documentation>
      The SharedCredential extension MUST NOT occur in any place other than the
      Extension element of the PrincipalAuthenticationMechanism element within an
      Authentication Context declaration. A value of '0' for the extension's content
      indicates that the credential by which a user authenticated was not shared;
      a value of '1' indicates that the credential was shared.
    </documentation>
  </annotation>
</element>
<complexType name="SharedCredentialType">
  <simpleContent>
    <extension base="boolean"/>
  </simpleContent>
</complexType>
The following is an example of an Authentication Context declaration in which the identity provider is, in addition to the other aspects of the context, indicating that the principal authenticated with a credential that the identity provider knew to be shared.
<ac:AuthnContextDeclaration>
  <ac:Identification/>
  <ac:TechnicalProtection/>
  <ac:OperationalProtection/>
  <ac:AuthnMethod>
    <ac:PrincipalAuthenticationMechanism>
      <ac:Extension>
        <sc:SharedCredential>1</sc:SharedCredential>
      </ac:Extension>
    </ac:PrincipalAuthenticationMechanism>
    <ac:Authenticator>
      <ac:SubscriberLineNumber/>
    </ac:Authenticator>
    <ac:AuthenticatorTransportProtocol/>
  </ac:AuthnMethod>
</ac:AuthnContextDeclaration>
To differentiate whether or not the principal authenticated with a credential known to be shared, the identity provider MAY insert the <sc:SharedCredential> extension element in an <ac:Extension> element within the <ac:PrincipalAuthenticationMechanism> in an authentication context declaration.
There MUST be at most one <sc:SharedCredential> extension element within an authentication context declaration.
A <sc:SharedCredential> element MUST NOT appear in any other <ac:Extension> element within an authentication context declaration.
The following two Authentication Context classes are defined to represent the two different possibilities for the SharedCredential extension.
URI: urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:shared
This URI reflects that the credential used to authenticate is known to be shared amongst two or more users.
This class can be composed with other authentication context class URIs.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:shared"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:shared"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">
  <xs:redefine schemaLocation="sstc-saml-context-ext-sc.xsd">
    <xs:annotation>
      <xs:documentation>
        This class is defined by a fixed value of '1' for the SharedCredential
        extension, indicating that the credential was shared.
      </xs:documentation>
    </xs:annotation>
    <!-- Restrict the extension's boolean content to the single value '1'. -->
    <xs:complexType name="SharedCredentialType">
      <xs:simpleContent>
        <xs:restriction base="SharedCredentialType">
          <xs:enumeration value="1"/>
        </xs:restriction>
      </xs:simpleContent>
    </xs:complexType>
  </xs:redefine>
  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
    <xs:annotation>
      <xs:documentation>
        There MUST be an Extension element in the PrincipalAuthenticationMechanism.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
    <!-- The mechanism element is reduced to its (now mandatory) Extension. -->
    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="Extension" minOccurs="1"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
  </xs:redefine>
</xs:schema>
URI: urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:unique
This URI reflects that the credential used to authenticate is known to be unique to the authenticating user (or at least not known to be shared).
This class can be composed with other authentication context class URIs.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:ext:sc:unique"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:ext:sc:unique"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">
  <xs:redefine schemaLocation="sstc-saml-context-ext-sc.xsd">
    <xs:annotation>
      <xs:documentation>
        This class is defined by a fixed value of '0' for the SharedCredential
        extension, indicating that the credential was uniquely held.
      </xs:documentation>
    </xs:annotation>
    <!-- Restrict the extension's boolean content to the single value '0'. -->
    <xs:complexType name="SharedCredentialType">
      <xs:simpleContent>
        <xs:restriction base="SharedCredentialType">
          <xs:enumeration value="0"/>
        </xs:restriction>
      </xs:simpleContent>
    </xs:complexType>
  </xs:redefine>
  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
    <xs:annotation>
      <xs:documentation>
        There MUST be an Extension element in the PrincipalAuthenticationMechanism.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
    <!-- The mechanism element is reduced to its (now mandatory) Extension. -->
    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="Extension" minOccurs="1"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
  </xs:redefine>
</xs:schema>
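As an added example (not code from the specification or the TC), the following Python applies the processing rules of section 2.3 to a declaration and maps the extension's value to the class URIs defined in section 3. It assumes the ac: prefix binds to the SAML 2.0 Authentication Context namespace urn:oasis:names:tc:SAML:2.0:ac from [SAMLAC]; the sample declarations are constructed.

```python
import xml.etree.ElementTree as ET
# Namespace and class URIs: sc: and the two class URIs come from this
# specification; ac: is the SAML 2.0 Authentication Context namespace [SAMLAC].
AC_NS = "urn:oasis:names:tc:SAML:2.0:ac"
SC_NS = "urn:oasis:names:tc:SAML:context:ext:sc"
SHARED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:shared"
UNIQUE_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:ext:classes:sc:unique"
PAM = f"{{{AC_NS}}}PrincipalAuthenticationMechanism"
EXT = f"{{{AC_NS}}}Extension"
SC_ELEM = f"{{{SC_NS}}}SharedCredential"


def shared_credential_class(decl_xml):
    """Return SHARED_CLASS, UNIQUE_CLASS or None (extension absent) for an
    <ac:AuthnContextDeclaration>; raise ValueError if a processing rule is
    violated, so a malformed declaration is never read as 'unique'."""
    root = ET.fromstring(decl_xml.strip())
    found = list(root.iter(SC_ELEM))
    if not found:
        return None
    if len(found) > 1:
        raise ValueError("at most one sc:SharedCredential is allowed")
    sc = found[0]
    # ElementTree has no parent links, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    ext = parent.get(sc)
    pam = parent.get(ext) if ext is not None else None
    if ext is None or ext.tag != EXT or pam is None or pam.tag != PAM:
        raise ValueError("sc:SharedCredential must be inside ac:Extension "
                         "of ac:PrincipalAuthenticationMechanism")
    value = (sc.text or "").strip()
    if value in ("1", "true"):     # xs:boolean lexical forms for true
        return SHARED_CLASS
    if value in ("0", "false"):    # xs:boolean lexical forms for false
        return UNIQUE_CLASS
    raise ValueError("sc:SharedCredential is not an xs:boolean: %r" % value)

# Constructed sample input (hypothetical); mirrors the specification's example.
SHARED_DECL = f"""
<ac:AuthnContextDeclaration xmlns:ac="{AC_NS}" xmlns:sc="{SC_NS}">
  <ac:AuthnMethod>
    <ac:PrincipalAuthenticationMechanism>
      <ac:Extension><sc:SharedCredential>1</sc:SharedCredential></ac:Extension>
    </ac:PrincipalAuthenticationMechanism>
    <ac:Authenticator><ac:SubscriberLineNumber/></ac:Authenticator>
  </ac:AuthnMethod>
</ac:AuthnContextDeclaration>"""

# Constructed declaration that places the extension where the rules forbid it.
MISPLACED_DECL = f"""
<ac:AuthnContextDeclaration xmlns:ac="{AC_NS}" xmlns:sc="{SC_NS}">
  <ac:AuthnMethod><ac:Authenticator/></ac:AuthnMethod>
  <ac:Extension><sc:SharedCredential>0</sc:SharedCredential></ac:Extension>
</ac:AuthnContextDeclaration>"""
```

A relying party that selects the class URI by this function gets the shared class for the first declaration and a ValueError for the second, rather than silently treating a misplaced '0' as a unique credential.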
The following works are referenced in the body of this specification.
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.
[SAMLAuthnCxt] J. Kemp et al. Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-authn-context-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf.
[SAMLAC-schema] J. Kemp et al. SAML authentication context schema. OASIS SSTC, March 2005. Document ID saml-authn-context-2.0-os.
[SAMLCore] S. Cantor et al. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-core-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
[SAMLBind] S. Cantor et al. Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-bindings-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf.
[SAMLMeta] S. Cantor et al. Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-metadata-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf.
[SAMLProf] S. Cantor et al. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-profiles-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf.
[Schema1] H. S. Thompson et al. XML Schema Part 1: Structures. World Wide Web Consortium Recommendation, May 2001. See http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/.
[sc-xsd] P. Madsen & A. Patel. SAML Shared Credential Authentication Context extension schema. OASIS SSTC, September 2006. Document ID sstc-saml-context-ext-sc.xsd. See http://www.oasis-open.org/committees/security/.
The editors would like to acknowledge the contributions of the OASIS Security Services Technical Committee, whose voting members at the time of publication were:
Hal Lockhart, BEA Systems, Inc.
Steve Anderson, BMC Software
Thomas Wisniewski, Entrust
Ashish Patel, France Telecom
Greg Whitehead, Hewlett-Packard
Heather Hinton, IBM
Anthony Nadalin, IBM
Eric Tiffany, IEEE Industry Standards and Technology Org (IEEE-ISTO)
Scott Cantor, Internet2
Bob Morgan, Internet2
Tom Scavo, National Center for Supercomputing Applications (NCSA)
Peter Davis, Neustar, Inc.
Jeff Hodges, Neustar, Inc.
Frederick Hirsch, Nokia Corporation
Abbie Barbir, Nortel Networks Limited
Paul Madsen, NTT Corporation
Ari Kermaier, Oracle Corporation
Prateek Mishra, Oracle Corporation
John Hughes, PA Consulting
Brian Campbell, Ping Identity Corporation
Rob Philpott, RSA Security
Jahan Moreh, Sigaba Corp.
Bhavna Bhatnagar, Sun Microsystems
Eve Maler, Sun Microsystems
Emily Xu, Sun Microsystems
David Staggs, Veterans Health Administration
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright © OASIS Open 2006. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.