OASIS Security Services TC
Hal Lockhart, BEA Systems, Inc
Prateek Mishra, Oracle
Paul Madsen (email@example.com), NTT
Ashish Patel (firstname.lastname@example.org), France Telecom
This specification defines a protocol extension to SAML 2.0 specification that facilitates a more flexible model for expressing Authentication Context than that currently supported. The extension allows service providers to express combinations of Authentication Context classes in their requests for authentication assertions. The expectation is that the extension, when its additional functionality was necessary, would be used in replacement of the existing Authentication Context mechanisms in the authentication request message. Readers should be familiar with before reading this document.
This is a Committee Draft approved by the Security Services Technical Committee on 11 September 2006.
Committee members should submit comments and potential errata to the email@example.com list. Others should submit them by filling out the web form located at http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=security.
For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights web page for the Security Services TC (http://www.oasis-open.org/committees/security/ipr.php).
1 Introduction 3
1.1 Notation 3
2 SAML Protocol Extension for Requested Authentication Context 4
2.1 Element <rac:RequestedACCombination> 4
2.1.1 RACComparison attribute 5
2.2 Example 5
2.3 Processing Rules 6
2.4 Metadata Considerations 6
2.4.1 Metadata Example 7
3 References 8
3.1 Normative References 8
Appendix A. Acknowledgements 9
Appendix B. Notices 10
SAML protocol extensions consist of elements defined for inclusion in the <samlp:Extensions> element that modify the behavior of SAML requesters and responders when processing such extended messages.
This specification defines an extension to the SAML 2.0 protocol specification that can be optionally used to replace the existing mechanisms for Authentication Context #saml_ac in authentication requests. The extension provides a more flexible structure for expressing combinations of Authentication Context classes than do existing mechanisms.
This specification uses normative text.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in :
…they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)…
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
This is the SAML V2.0 assertion namespace SAMLCore.
This is the SAML V2.0 protocol namespace SAMLCore
This is the SAML V2.0 metadata namespace . SAMLMeta
This is the SAML V2.0 protocol extension namespace, defined by this document and its accompanying schema RAC-XSD
This namespace is defined in the W3C XML Schema specification Schema1 . In schema listings, this is the default namespace and no prefix is shown.
This specification uses the following typographical conventions in text: <SAMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode.
This specification defines an extension to the SAML 2.0 protocol specification that can be optionally used to replace the existing mechanisms within requests for Authentication Context SAMLAC with a more flexible structure for expressing combinations of Authentication Context classes.
Existing structures for indicating authentication context in authentication request messages are limited in their ability to express combinations of authentication contexts – the assumption is that the full context can be expressed through a single declaration, declaration reference, or a class reference. Consequently, were an SP or IDP to wish to express such a logical combination (or the SSTC to define classes to enable this), it would necessarily imply the creation of a new class URI to represent such a combination.
As a concrete example, certain telco use cases demand the ability for IDPs and SPs to distinguish between whether a principal is authenticated with a credential that is known to be shared amongst a group (e.g. a home phone or an internet kiosk) or unique to that principal. Because no existing SAML AC classes support this distinction (nor the schema as it stands), to allow an SP to make this distinction in its <AuthnRequest> implies that new AC classes would need to be defined to add the shared/unique distinction to each (relevant) existing AC class. For just this single initially onforseen aspect of authentication context, we face the possibility of a combinatorial explosion of AC class URIs. Should other such aspects emerge in the future, the problem would be exacerbated.
More scaleable would be to allow the SP to compose its Authentication Context requirements through the listing of multiple AC classes, and to allow the SP to control how those multiple classes are to be logically combined. Unfortunately, the existing <saml:RequestedAuthnContext> mechanism does not provide this flexibility.
This extension is intended to override existing mechanisms for requesting authentication contexts with a more flexible model – thereby meeting the immediate requirements of the above telco use cases, as well as providing a scaleable solution for dealing with similar currently unforeseen AC aspects should they arise.
Unless specifically noted, nothing in this document should be taken to conflict with the SAML 2.0 protocol specification SAMLCore. Readers are advised to familiarize themselves with that specification first.
The <rac:RequestedACCombination> element is used to carry the individual requested Authentication Contexts and to specify the logical operator defining how they should be combined.
The following schema fragment defines the <rac:RequestedACCombination> element:
The <rac:RequestedACCombination> element can be nested to allow the SP to define combinations of Authentication Contexts. There SHOULD NOT be more than one level of such nesting.
An SP uses the RACComparison attribute of the <rac:RequestedACCombination> element to specify the logical comparison or combination to be performed on the listed Authentication Context classes by the IDP in order to determine the appropriate combined context for any issued statement.
This specification defines the following value(s) for the RACComparison attribute. Other additional values MAY be defined.
Indicates that the authentication context of any resultant statement MUST satisfy the requirements of all the listed <samlp:RequestedAuthenticationContext> elements. This is the default value.
Indicates that the authentication context of any resultant statement MUST be the exact match of one of the listed AC classes.
Indicates that the authentication context of any resultant statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified
Indicates that the authentication context of any resultant statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
Indicates that the authentication context of any resultant statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
The following is an example of a <rac:RequestedACCombination> element in which the SP is expressing that it desires the resultant <AuthnStatement> to have an Authentication Context that:
represents an authentication event characterized by a mechanism at least as strong as 'password' AND
represents an authentication event characterized by an authentication credential that is not shared by multiple users.
This extension is included in a protocol request message by placing it in the optional <samlp:Extensions> element. Due to existing processing requirements, all extensions are explicitly deemed optional. Therefore, senders SHOULD only include this extension when they can be reasonably confident that the extension will be understood by the recipient.
This extension element MUST NOT be used in conjunction with any protocol message element whose complex type is not derived from the samlp:RequestAbstractType complex types.
A sender MUST NOT include more than one <rac:RequestedACCombination> element in a given request message unless additional elements occur as nested children of the top-most extension,
The <rac:RequestedACCombination> extension element MUST NOT be used in a message in which there exists a <samlp:RequestedAuthnContext> element.
A sender MAY specify the logical combination it desires by providing the appropriate URI in the RACComparison attribute. If not specified, it is logically equivalent to the RACComparision attribute being present with a value of urn:oasis:names:tc:SAML:protocol:ext:rac:all.
If a <AuthnRequest> message's <samlp:Extensions> element contains a <rac:RequestedACCombination> element, then a responder that understands the extension MUST fulfill the request (if it does so at all) by issuing a <Response> containing an assertion with at least one <AuthnStatement> element containing an <AuthnContext> element that satisfies the specified Authentication Context in the <rac:RequestedACCombination> extension.
If the responder is unable to satisfy the specified Authentication Context then the responder MUST return a <Response> message with a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:protocol:NoAuthnContext.
SAML metadata MAY be used to indicate support for this protocol extension at particular protocol endpoints, using the extension capabilities of the metadata schema.
Support for this extension is expressed in SAML 2.0 metadata by adding a boolean-typed XML attribute to an element of or derived from the md:EndpointType complex type, indicating that SAML request messages sent to that endpoint MAY include this extension.
The following schema fragment defines the rac:supportsRequestedACComb attribute:
The example below shows a fragmentary <md:SingleSignOnService> element that advertises support for the <rac:RequestedACCombination> extension. The namespace declaration must be in scope, but the prefix is of course arbitrary.
The following works are referenced in the body of this specification.
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.
[SAMLAuthnCxt] J. Kemp et al. Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-authn-context-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf.
[SAMLCore] S. Cantor et al. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-core-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
[SAMLBind] S. Cantor et al. Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-bindings-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf.
[SAMLMeta] S. Cantor et al. Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-metadata-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf.
[SAMLProf] S. Cantor et al. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-profiles-2.0-os. See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf.
[Schema1] H. S. Thompson et al. XML Schema Part 1: Structures. World Wide Web Consortium Recommendation, May 2001. See http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/.
[rac-xsd] P. Madsen & A. Patel. SAML Requested Authentication Context protocol extension schema. OASIS SSTC, September 2006. Document ID sstc-saml-protocol-ext-rac.xsd. See http://www.oasis-open.org/committees/security/.
The editors would like to acknowledge the contributions of the OASIS Security Services Technical Committee, whose voting members at the time of publication were:
Hal Lockhart, BEA Systems, Inc.
Steve Anderson, BMC Software
Thomas Wisniewski, Entrust
Ashish Patel, France Telecom
Greg Whitehead, Hewlett-Packard
Heather Hinton, IBM
Anthony Nadalin, IBM
Eric Tiffany, IEEE Industry Standards and Technology Org (IEEE-ISTO)
Scott Cantor, Internet2
Bob Morgan, Internet2
Tom Scavo, National Center for Supercomputing Applications (NCSA)
Peter Davis, Neustar, Inc.
Jeff Hodges, Neustar, Inc.
Frederick Hirsch, Nokia Corporation
Abbie Barbir, Nortel Networks Limited
Paul Madsen, NTT Corporation
Ari Kermaier, Oracle Corporation
Prateek Mishra, Oracle Corporation
John Hughes, PA Consulting
Brian Campbell, Ping Identity Corporation
Rob Philpott, RSA Security
Jahan Moreh, Sigaba Corp.
Bhavna Bhatnagar, Sun Microsystems
Eve Maler, Sun Microsystems
Emily Xu, Sun Microsystems
David Staggs, Veterans Health Administration
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright © OASIS Open 2006. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.