diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7773.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7773.txt')
-rw-r--r-- | doc/rfc/rfc7773.txt | 899 |
1 files changed, 899 insertions, 0 deletions
diff --git a/doc/rfc/rfc7773.txt b/doc/rfc/rfc7773.txt new file mode 100644 index 0000000..fc961c1 --- /dev/null +++ b/doc/rfc/rfc7773.txt @@ -0,0 +1,899 @@ + + + + + + +Internet Engineering Task Force (IETF) S. Santesson +Request for Comments: 7773 3xA Security +Category: Standards Track March 2016 +ISSN: 2070-1721 + + + Authentication Context Certificate Extension + +Abstract + + This document defines an extension to X.509 certificates. The + extension defined in this document holds data about how the + certificate subject was authenticated by the Certification Authority + that issued the certificate in which this extension appears. + + This document also defines one data structure for inclusion in this + extension. The data structure is designed to hold information when + the subject is authenticated using a Security Assertion Markup + Language (SAML) assertion. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7773. + +Copyright Notice + + Copyright (c) 2016 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + +Santesson Standards Track [Page 1] + +RFC 7773 Authentication Context Extension March 2016 + + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Terminology ................................................3 + 2. Authentication Context Extension Syntax .........................4 + 3. SAML Authentication Context Information .........................4 + 3.1. contextInfo Data Structure .................................5 + 3.1.1. AuthContextInfo Element .............................5 + 3.1.2. IdAttributes Element ................................6 + 4. Security Considerations .........................................8 + 5. Normative References ............................................8 + Appendix A. ASN.1 Modules .........................................10 + A.1. ASN.1 1988 Syntax .........................................10 + A.2. ASN.1 2008 Syntax .........................................11 + Appendix B. SAML Authentication Context Info XML Schema ...........12 + B.1. XML Schema ................................................12 + Appendix C. SAML Authentication Context Info XML Examples .........14 + C.1. Complete Context Information and Mappings .................14 + C.2. Only Mapping Information without SAML Attribute Values ....15 + C.3. Authentication Context and serialNumber Mapping ...........16 + Author's Address ..................................................16 + +1. Introduction + + The primary purpose of this document is to provide a mechanism that + allows an application to obtain information that expresses the + identity of a subject in an X.509 certificate according to [RFC5280]. + The identity is stored either in a subject field attribute, as a + subject alternative name, or in a subject directory attribute. + + The motivation for this work is to enable mapping of identity data + between an identity system and a certificate where the identity + system and the certificate are using different attributes and data + formats to express the identity of the same entity. In such a + scenario, the certificate subject already has an authenticated + identity composed of a set of attributes, or so-called claims, that + differ from the set of attributes that are commonly used to express + the identity of a certificate subject and that may be governed by a + specific certificate profile limiting that set. + + A typical scenario motivating the definition of this extension arises + when the source of user authentication and user identity is derived + from a SAML [SAML] federation attribute profile. In a SAML + federation, the subject presents a SAML assertion in exchange for a + certificate that can be uniquely linked to information provided in + the original SAML assertion, e.g., attributes and/or level of + assurance indicators. + + + + +Santesson Standards Track [Page 2] + +RFC 7773 Authentication Context Extension March 2016 + + + Such certificates are sometimes issued in order to provide the user + with a means to create an electronic signature that ties the user to + the SAML subject, its attributes, and level of assurance indicators. + + If such a certificate needs to conform to a certificate profile such + as [RFC3739], then this certificate may have to use a separate set of + attributes to express the subject identity. The certificate also may + have to employ a format for attribute values that is different from + the set of attributes obtained from the SAML assertion. + + The extension defined in the document makes it possible to represent + information about the authentication context employed when + authenticating the subject for the purpose of issuing a certificate. + This may include information such as: + + o the Identity Provider that authenticated the subject + o the level of assurance with which the subject was authenticated + o the trust framework where this level of assurance was defined + o a unique reference to the authentication instant + o a mapping between the subject attributes (obtained from the + SAML assertion used to authenticate the subject) and the + subject identity information placed in the issued certificate. + + One scenario where this information may be useful arises when a user + logs in to a service using SAML credentials, and the same user (at + some point) is required to sign some information. The service may + need to verify that the signature was created by the same user that + logged on to the service. Today this is only possible using out-of- + band knowledge about the Certification Authority (CA) that issued the + certificate and its practices. However, this approach does not scale + to a large number of service providers, identity providers, and CAs. + + The extension defined here provides better scalability since it + requires only the service provider to maintain a list of trusted CAs. + All other information about the relationship between the certificate + subject and the SAML authenticated subject is available in the + certificate. + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + + + + + + + +Santesson Standards Track [Page 3] + +RFC 7773 Authentication Context Extension March 2016 + + +2. Authentication Context Extension Syntax + + The Authentication Context extension has the following syntax: + + AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF + AuthenticationContext + + AuthenticationContext ::= SEQUENCE { + contextType UTF8String, + contextInfo UTF8String OPTIONAL + } + + This extension holds a sequence of AuthenticationContext information. + When present, this extension MUST include at least one + AuthenticationContext. + + The type of authentication context defined in AuthenticationContext + is identified by the contextType. The contextType MUST contain a URI + that identifies the context type as well as the data format and + encoding of context information provided in contextInfo. + + This extension MAY be marked critical. + + Applications that find an authentication context information type + they do not understand MUST ignore it if the extension is non- + critical and MUST reject the certificate if the extension is marked + critical. If an application requires that an authentication context + exist, and either the extension is absent or none of the provided + authentication contexts can be used, the end-user certificate fails + validation. + + This document defines one authentication context information type + (Section 3) that is used to provide information about SAML-based + authentication of the subject that was utilized in the certificate + issuance process. Other documents can define other authentication + context information types. + +3. SAML Authentication Context Information + + The SAML Authentication context information provides a contextType + field that can be used to carry information about SAML-based + authentication of the certified subject as utilized in the + certificate issuance process. + + + + + + + + +Santesson Standards Track [Page 4] + +RFC 7773 Authentication Context Extension March 2016 + + + The data carried in this authentication context information field is + identified by the following XML schema ([Schema1] [Schema2]) name + space: + + http://id.elegnamnden.se/auth-cont/1.0/saci + + When this URI is specified as contextType, the associated XML data + provided in contextInfo MUST be provided in the form of an XML + document [XML], represented by a string of UTF-8-encoded characters. + + The XML document SHOULD exclude any unnecessary line breaks and white + space, such as line indentation, to reduce its size as much as + possible. + +3.1. contextInfo Data Structure + + The data provided in contextInfo SHALL contain XML that is UTF-8 + encoded in accordance with the XML schema provided in Appendix B. + The XML document string in contextInfo MUST NOT include an XML + header. That is, the XML document string contains only the root + element <SAMLAuthContext> with its child elements <AuthContextInfo> + and <IdAttributes>. + + The <AuthContextInfo> and <IdAttributes> elements are outlined in the + following subsections. + +3.1.1. AuthContextInfo Element + + The <AuthContextInfo> element MAY be present. This element contains + the following attributes: + + IdentityProvider (required): The SAML EntityID of the Identity + Provider that authenticated the subject. + + AuthenticationInstant (required): Date and time when the subject + was authenticated, expressed according to Appendix B.1. + + AuthnContextClassRef (required): A URI identifying the + AuthnContextClassRef that is provided in the AuthnStatement of + the Assertion that was used to authenticate the subject. This + URI identifies the context and the level of assurance + associated with this instance of authentication. + + AssertionRef (optional): A unique reference to the SAML assertion. + + ServiceID (optional): An identifier of the service that verified + the SAML assertion. + + + + +Santesson Standards Track [Page 5] + +RFC 7773 Authentication Context Extension March 2016 + + + The <AuthContextInfo> element may hold any number of child elements + of type any (processContents="lax"), providing additional information + according to local conventions. Any such elements SHOULD be ignored + if not understood. + +3.1.2. IdAttributes Element + + The <IdAttributes> element MAY be present. This element holds a + sequence of one or more <AttributeMapping> elements, where each + <AttributeMapping> element contains mapping information about one + certificate subject attribute or name form present in the + certificate. + + Each <AttributeMapping> element MUST specify the following + attributes: + + Type: A string containing one of the enumerated values "rdn", + "san", or "sda", specifying the type of certificate + attribute or name form for which mapping information is + provided: + + "rdn": Mapping information is provided for an attribute in + a Relative Distinguished Name located in the + subject field. + "san": Mapping information is provided for a name in the + Subject Alternative Name extension of the + certificate. + "sda": Mapping information is provided for an attribute in + the Subject Directory Attributes extension. + + Ref: A reference to the specific attribute or name field. This + reference is dependent on the value of Type in the following + way: + + "rdn": Ref holds a string representation of the object + identifier (OID) of the relative distinguished name + attribute. + "san": Ref holds a string representation of the explicit + tag number of the Subject Alternative Name type + (e.g., "1" = email address (rfc822Name) and "2" = + dNSName). If the SubjectAlternative name is an + otherName, then Ref holds a string representation + of the OID defining the otherName form. + "sda": Ref holds a string representation of the OID of the + subject directory attribute attribute. + + + + + + +Santesson Standards Track [Page 6] + +RFC 7773 Authentication Context Extension March 2016 + + + String representations of object identifiers (OID) in the + Ref attribute MUST be represented by a sequence of integers + separated by a period, e.g., "2.5.4.32". This string + contains only numerals (ASCII 0x30 to 0x39) and periods + (ASCII 0x2E), and it MUST NOT contain any other characters. + + Each <AttributeMapping> element MUST contain a <saml:Attribute> + element as defined in [SAML]. This SAML attribute element MUST have + a Name attribute (specifying its type), MAY have other attributes, + and MAY have zero or more <saml:AttributeValue> child elements. A + present SAML attribute with absent attribute value limits mapping to + the type of SAML attribute that was used to obtain the value stored + in the referenced certificate subject attribute or name form, without + duplicating the actual attribute value. + + If an attribute value is present in the SAML attribute, then the + value stored in the certificate in the referenced attribute or name + form MAY differ in format and encoding from the present SAML + attribute value. For example, a SAML attribute value can specify a + country expressed as "Sweden", while this country value is stored in + the certificate in a countryName attribute using the two letter + country code "SE". + + Several <AttributeMapping> elements MAY be present for the same + certificate subject attribute or name form if the certificate + contains multiple instances of this attribute or name form where + their values were obtained from different SAML attributes. However, + in such cases, it is not defined which present subject attribute or + name form maps to which SAML attribute. A certificate-using + application MAY attempt to determine this by comparing attribute + values stored in this extension with attribute or name values present + in the certificate, but this specification does not define any + explicit matching rules that would guarantee an unambiguous result. + + The <AttributeMapping> element may hold any number of child elements + of type any (processContents="lax"), providing additional information + according to local conventions. Any such elements MAY be ignored if + not understood. + + Note: The <AttributeMapping> element is designed to provide mapping + between SAML attributes and certificate subject attributes and + name forms where there is a distinct and clear relationship + between relevant SAML attributes and corresponding certificate + attributes and name forms. This does not cover all aspects of + complex mapping situations. If more than one SAML attribute + maps to the same certificate attribute or if structured + multivalued attributes are split into a range of other + attributes and name forms, these situations are not covered. + + + +Santesson Standards Track [Page 7] + +RFC 7773 Authentication Context Extension March 2016 + + + Such complex mapping situations MAY be covered by extending + this XML schema or by defining a more versatile context + information schema. + +4. Security Considerations + + This extension allows a CA to outsource the process used to identify + and authenticate a subject to another trust infrastructure in a + dynamic manner that may differ from certificate to certificate. + Since the authentication context is explicitly declared in the + certificate, one certificate may be issued with a lower level of + assurance than another, even though both have the same Issuer. + + This means that a relying party needs to be aware of the certificate + policy under which this CA operates in order to understand when the + certificate provides a level of assurance with regard to subject + authentication that is higher than the lowest provided level. A + relying party that is not capable of understanding the information in + the authentication context extension MUST assume that the certificate + is issued using the lowest allowed level of assurance declared by the + policy. + +5. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <http://www.rfc-editor.org/info/rfc2119>. + + [RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 + Public Key Infrastructure: Qualified Certificates + Profile", RFC 3739, DOI 10.17487/RFC3739, March 2004, + <http://www.rfc-editor.org/info/rfc3739>. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, + <http://www.rfc-editor.org/info/rfc5280>. + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, + DOI 10.17487/RFC5912, June 2010, + <http://www.rfc-editor.org/info/rfc5912>. + + + + + + + +Santesson Standards Track [Page 8] + +RFC 7773 Authentication Context Extension March 2016 + + + [SAML] Cantor, S., Kemp, J., Philpott, R., and E. Maler, + "Assertions and Protocols for the OASIS Security Assertion + Markup Language (SAML) V2.0", OASIS Standard, 15 March + 2005. + + [XML] Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and + F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth + Edition)", W3C Recommendation, 26 November 2008, + <https://www.w3.org/TR/2008/REC-xml-20081126/>. + + [Schema1] Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, + "XML Schema Part 1: Structures", W3C Recommendation, + 28 October 2004, + <http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>. + + [Schema2] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes", + W3C Recommendation, 28 October 2004, + <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Santesson Standards Track [Page 9] + +RFC 7773 Authentication Context Extension March 2016 + + +Appendix A. ASN.1 Modules + + This appendix includes the ASN.1 modules for the authentication + context extension. Appendix B.1 includes an ASN.1 module that + conforms to the 1998 version of ASN.1. Appendix B.2 includes an + ASN.1 module, corresponding to the module present in Appendix B.1, + that conforms to the 2008 version of ASN.1. Although a 2008 ASN.1 + module is provided, the module in Appendix B.1 remains the normative + module as per policy adopted by the PKIX working group for + certificate-related specifications. + +A.1. ASN.1 1988 Syntax + + ACE-88 + {iso(1) member-body(2) se(752) e-legnamnden(201) + id-mod(0) id-mod-auth-context-88(1)} + + DEFINITIONS EXPLICIT TAGS ::= + + BEGIN + + -- EXPORTS ALL -- + + -- Authentication Context Extension + + AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF + AuthenticationContext + + AuthenticationContext ::= SEQUENCE { + contextType UTF8String, + contextInfo UTF8String OPTIONAL + } + + e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2) + se(752) 201 } + id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 } + id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 } + + END + + + + + + + + + + + + +Santesson Standards Track [Page 10] + +RFC 7773 Authentication Context Extension March 2016 + + +A.2. ASN.1 2008 Syntax + + ACE-08 + {iso(1) member-body(2) se(752) e-legnamnden(201) + id-mod(0) id-mod-auth-context-08(2)} + + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + IMPORTS + + Extensions{}, EXTENSION + FROM PKIX-CommonTypes-2009 -- From [RFC5912] + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}; + + -- Authentication Context Extension + + ext-AuthenticationContext EXTENSION ::= { SYNTAX + AuthenticationContexts IDENTIFIED BY + id-ce-authContext } + + AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF + AuthenticationContext + + AuthenticationContext ::= SEQUENCE { + contextType UTF8String, + contextInfo UTF8String OPTIONAL + } + + ElegnamndenCertExtensions EXTENSION ::= { + ext-AuthenticationContext, ... } + + + + e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2) + se(752) 201 } + id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 } + id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 } + + END + + + + + + + + + + +Santesson Standards Track [Page 11] + +RFC 7773 Authentication Context Extension March 2016 + + +Appendix B. SAML Authentication Context Info XML Schema + + This appendix contains an XML schema ([Schema1] [Schema2]) for the SAML + Authentication context information defined in Section 3. + + IMPORTANT NOTE: The XML Schema in Appendix B.1 specifies a URL on rows + 9 and 10 to the SAML schemaLocation + (http://docs.oasis-open.org/security/saml/v2.0/ + saml-schema-assertion-2.0.xsd), which is too long to + fit into one row and therefore contains a line break. + This line break has to be removed before this schema + can be successfully compiled. + +B.1. XML Schema + + <?xml version="1.0" encoding="UTF-8"?> + <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" + elementFormDefault="qualified" + targetNamespace="http://id.elegnamnden.se/auth-cont/1.0/saci" + xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> + + <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" + schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/ + saml-schema-assertion-2.0.xsd"/> + + <xs:element name="SAMLAuthContext" + type="saci:SAMLAuthContextType"/> + <xs:complexType name="SAMLAuthContextType"> + <xs:sequence> + <xs:element ref="saci:AuthContextInfo" minOccurs="0"/> + <xs:element ref="saci:IdAttributes" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + <xs:element name="AuthContextInfo" + type="saci:AuthContextInfoType"/> + <xs:complexType name="AuthContextInfoType"> + <xs:sequence> + <xs:any processContents="lax" + minOccurs="0" maxOccurs="unbounded"/> + </xs:sequence> + <xs:attribute name="IdentityProvider" + type="xs:string" use="required"/> + <xs:attribute name="AuthenticationInstant" + type="xs:dateTime" use="required"/> + <xs:attribute name="AuthnContextClassRef" + type="xs:anyURI" use="required"/> + <xs:attribute name="AssertionRef" type="xs:string"/> + + + +Santesson Standards Track [Page 12] + +RFC 7773 Authentication Context Extension March 2016 + + + <xs:attribute name="ServiceID" type="xs:string"/> + </xs:complexType> + + <xs:element name="IdAttributes" type="saci:IdAttributesType"/> + <xs:complexType name="IdAttributesType"> + <xs:sequence> + <xs:element maxOccurs="unbounded" minOccurs="1" + ref="saci:AttributeMapping"/> + </xs:sequence> + </xs:complexType> + <xs:element name="AttributeMapping" + type="saci:AttributeMappingType"/> + <xs:complexType name="AttributeMappingType"> + <xs:sequence> + <xs:element ref="saml:Attribute"/> + <xs:any processContents="lax" + minOccurs="0" maxOccurs="unbounded"/> + </xs:sequence> + <xs:attribute name="Type" use="required"> + <xs:simpleType> + <xs:restriction base="xs:string"> + <xs:enumeration value="rdn"/> + <xs:enumeration value="san"/> + <xs:enumeration value="sda"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> + <xs:attribute name="Ref" type="xs:string" use="required"/> + </xs:complexType> + </xs:schema> + + + + + + + + + + + + + + + + + + + + + +Santesson Standards Track [Page 13] + +RFC 7773 Authentication Context Extension March 2016 + + +Appendix C. SAML Authentication Context Info XML Examples + + This appendix provides examples of SAML Authentication Context + information according to the schema in Appendix B. + +C.1. Complete Context Information and Mappings + + The following is a complete example with authentication context + information as well as mapping information for several subject field + attributes and a subject alt name. + +<saci:SAMLAuthContext + xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <saci:AuthContextInfo + ServiceID="eid2csig" + AssertionRef="_71b981ab017eb42869ae4b62b2a63add" + IdentityProvider="https://idp-test.nordu.net/idp/shibboleth" + AuthenticationInstant="2013-03-05T22:59:57.000+01:00" + AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/> + <saci:IdAttributes> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.6"> + <saml:Attribute + FriendlyName="Country" + Name="urn:oid:2.5.4.6"> + <saml:AttributeValue xsi:type="xs:string" + >SE</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.5"> + <saml:Attribute + FriendlyName="Personal ID Number" + Name="urn:oid:1.2.752.29.4.13"> + <saml:AttributeValue xsi:type="xs:string" + >200007292386</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.42"> + <saml:Attribute + FriendlyName="Given Name" + Name="urn:oid:2.5.4.42"> + <saml:AttributeValue xsi:type="xs:string" + >John</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.4"> + <saml:Attribute + + + +Santesson Standards Track [Page 14] + +RFC 7773 Authentication Context Extension March 2016 + + + FriendlyName="Surname" + Name="urn:oid:2.5.4.4"> + <saml:AttributeValue xsi:type="xs:string" + >Doe</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.3"> + <saml:Attribute + FriendlyName="Display Name" + Name="urn:oid:2.16.840.1.113730.3.1.241"> + <saml:AttributeValue xsi:type="xs:string" + >John Doe</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + <saci:AttributeMapping Type="san" Ref="1"> + <saml:Attribute + FriendlyName="E-mail" + Name="urn:oid:0.9.2342.19200300.100.1.3"> + <saml:AttributeValue xsi:type="xs:string" + >john.doe@example.com</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + </saci:IdAttributes> +</saci:SAMLAuthContext> + +C.2. Only Mapping Information without SAML Attribute Values + + This example shows an instance of the SAML Authentication Context + information that only provides a mapping table without providing any + authentication context information or SAML attribute values. + +<saci:SAMLAuthContext + xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> + <saci:IdAttributes> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.6"> + <saml:Attribute Name="urn:oid:2.5.4.6"/> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.5"> + <saml:Attribute Name="urn:oid:1.2.752.29.4.13"/> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.42"> + <saml:Attribute Name="urn:oid:2.5.4.42"/> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.4"> + <saml:Attribute Name="urn:oid:2.5.4.4"/> + </saci:AttributeMapping> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.3"> + + + +Santesson Standards Track [Page 15] + +RFC 7773 Authentication Context Extension March 2016 + + + <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"/> + </saci:AttributeMapping> + <saci:AttributeMapping Type="san" Ref="1"> + <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"/> + </saci:AttributeMapping> + </saci:IdAttributes> +</saci:SAMLAuthContext> + +C.3. Authentication Context and serialNumber Mapping + + This example shows an instance of the SAML Authentication Context + information; it provides authentication context information and + mapping information that specifies the source of the data stored in + the serialNumber attribute in the subject field. + +<saci:SAMLAuthContext + xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <saci:AuthContextInfo + ServiceID="eid2csig" + AssertionRef="_71b981ab017eb42869ae4b62b2a63add" + IdentityProvider="https://idp-test.nordu.net/idp/shibboleth" + AuthenticationInstant="2013-03-05T22:59:57.000+01:00" + AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/> + <saci:IdAttributes> + <saci:AttributeMapping Type="rdn" Ref="2.5.4.5"> + <saml:Attribute + FriendlyName="Personal ID Number" + Name="urn:oid:1.2.752.29.4.13"> + <saml:AttributeValue xsi:type="xs:string" + >200007292386</saml:AttributeValue> + </saml:Attribute> + </saci:AttributeMapping> + </saci:IdAttributes> +</saci:SAMLAuthContext> + +Author's Address + + Stefan Santesson + 3xA Security AB + Scheelev. 17 + 223 70 Lund + Sweden + Email: sts@aaa-sec.com + + + + + + +Santesson Standards Track [Page 16] + |