Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0

OASIS Standard, 15 March 2005

Document identifier: saml-authn-context-2.0-os

Location: http://docs.oasis-open.org/security/saml/v2.0/

Editors:
John Kemp, Nokia
Scott Cantor, Internet2
Prateek Mishra, Principal Identity
Rob Philpott, RSA Security
Eve Maler, Sun Microsystems

SAML V2.0 Contributors:
Conor P. Cahill, AOL
John Hughes, Atos Origin
Hal Lockhart, BEA Systems
Michael Beach, Boeing
Rebekah Metz, Booz Allen Hamilton
Rick Randall, Booz Allen Hamilton
Thomas Wisniewski, Entrust
Irving Reid, Hewlett-Packard
Paula Austel, IBM
Maryann Hondo, IBM
Michael McIntosh, IBM
Tony Nadalin, IBM
Nick Ragouzis, Individual
Scott Cantor, Internet2
RL 'Bob' Morgan, Internet2
Peter C Davis, Neustar
Jeff Hodges, Neustar
Frederick Hirsch, Nokia
John Kemp, Nokia
Paul Madsen, NTT
Steve Anderson, OpenNetwork
Prateek Mishra, Principal Identity
John Linn, RSA Security
Rob Philpott, RSA Security
Jahan Moreh, Sigaba
Anne Anderson, Sun Microsystems
Eve Maler, Sun Microsystems
Ron Monzillo, Sun Microsystems
Greg Whitehead, Trustgenix

saml-authn-context-2.0-os 15 March 2005 Copyright © OASIS Open 2005. All Rights Reserved. Page 1 of 70

Abstract:
This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML.

Status:
This is an OASIS Standard document produced by the Security Services Technical Committee. It was approved by the OASIS membership on 1 March 2005.

Committee members should submit comments and potential errata to the [email protected] list. Others should submit them by filling out the web form located at http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=security. The committee will publish on its web page (http://www.oasis-open.org/committees/security) a catalog of any changes made to this document.

For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights web page for the Security Services TC (http://www.oasis-open.org/committees/security/ipr.php).


Table of Contents

1 Introduction ... 4
1.1 Authentication Context Concepts ... 4
1.2 Notation and Terminology ... 4
2 Authentication Context Declaration ... 6
2.1 Data Model ... 6
2.2 Extensibility ... 7
2.3 Processing Rules ... 7
2.4 Schema ... 7
3 Authentication Context Classes ... 21
3.1 Advantages of Authentication Context Classes ... 21
3.2 Processing Rules ... 21
3.3 Extensibility ... 22
3.4 Schemas ... 22
3.4.1 Internet Protocol ... 22
3.4.2 InternetProtocolPassword ... 24
3.4.3 Kerberos ... 25
3.4.4 MobileOneFactorUnregistered ... 27
3.4.5 MobileTwoFactorUnregistered ... 30
3.4.6 MobileOneFactorContract ... 33
3.4.7 MobileTwoFactorContract ... 36
3.4.8 Password ... 39
3.4.9 PasswordProtectedTransport ... 41
3.4.10 PreviousSession ... 42
3.4.11 Public Key – X.509 ... 44
3.4.12 Public Key – PGP ... 45
3.4.13 Public Key – SPKI ... 46
3.4.14 Public Key - XML Digital Signature ... 48
3.4.15 Smartcard ... 49
3.4.16 SmartcardPKI ... 50
3.4.17 SoftwarePKI ... 53
3.4.18 Telephony ... 55
3.4.19 Telephony ("Nomadic") ... 56
3.4.20 Telephony (Personalized) ... 57
3.4.21 Telephony (Authenticated) ... 59
3.4.22 Secure Remote Password ... 60
3.4.23 SSL/TLS Certificate-Based Client Authentication ... 62
3.4.24 TimeSyncToken ... 63
3.4.25 Unspecified ... 65
4 References ... 66
Appendix A. Acknowledgments ... 68
Appendix B. Notices ... 70


1 Introduction

This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes.

1.1 Authentication Context Concepts

If a relying party is to rely on the authentication of a principal by an authentication authority, the relying party may require information additional to the assertion itself in order to assess the level of confidence they can place in that assertion. This specification defines an XML Schema for the creation of Authentication Context declarations - XML documents that allow the authentication authority to provide to the relying party this additional information. Additionally, this specification defines a number of Authentication Context classes; categories into which many Authentication Context declarations will fall, thereby simplifying their interpretation.

The OASIS Security Assertion Markup Language does not prescribe a single technology, protocol, or policy for the processes by which authentication authorities issue identities to principals and by which those principals subsequently authenticate themselves to the authentication authority. Different authentication authorities will choose different technologies, follow different processes, and be bound by different legal obligations with respect to how they authenticate principals.

The choices that an authentication authority makes here will be driven in large part by the requirements of the relying parties with which the authentication authority interacts. These requirements themselves will be determined by the nature of the service (that is, the sensitivity of any information exchanged, the associated financial value, the relying parties' risk tolerance, etc.) that the relying party will be providing to the principal.

Consequently, for anything other than trivial services, if the relying party is to place sufficient confidence in the authentication assertions it receives from an authentication authority, it will be necessary for it to know which technologies, protocols, and processes were used or followed for the original authentication mechanism on which the authentication assertion is based. Armed with this information and trusting the origin of the actual assertion, the relying party will be better able to make an informed entitlements decision regarding what services the subject of the authentication assertion should be allowed to access.

Authentication context is defined as the information, additional to the authentication assertion itself, that the relying party may require before it makes an entitlements decision with respect to an authentication assertion. Such context may include, but is not limited to, the actual authentication method used (see the SAML assertions and protocols specification [SAMLCore] for more information).

1.2 Notation and Terminology

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC 2119].

Listings of XML schemas appear like this.

Example code listings appear like this.

This specification uses schema documents conforming to W3C XML Schema [Schema1] and normative text to describe the syntax and semantics of XML-encoded SAML assertions and protocol messages. In cases of disagreement between the SAML authentication context schema documents and schema listings in this specification, the schema documents take precedence. Note that in some cases the normative text of this specification imposes constraints beyond those indicated by the schema documents.

Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:

Prefix   XML Namespace                        Comments
ac:      urn:oasis:names:tc:SAML:2.0:ac       This is the namespace defined in this specification and in a schema [SAMLAC-xsd].
xs:      http://www.w3.org/2001/XMLSchema     This namespace is defined in the W3C XML Schema specification [Schema1].

This specification uses the following typographical conventions in text: <SAMLElement>, <ns:ForeignElement>, XMLAttribute, Datatype, OtherKeyword.


2 Authentication Context Declaration

If a relying party is to rely on the authentication of another entity by an authentication authority, the relying party may require information additional to the authentication itself to allow it to put the authentication into a risk-management context. This information could include:

• The initial user identification mechanisms (for example, face-to-face, online, shared secret).

• The mechanisms for minimizing compromise of credentials (for example, credential renewal frequency, client-side key generation).

• The mechanisms for storing and protecting credentials (for example, smartcard, password rules).

• The authentication mechanism or method (for example, password, certificate-based SSL).

The variations and permutations in the characteristics listed above guarantee that not all authentication assertions will be the same with respect to the confidence that a relying party can place in them; a particular authentication assertion will be characterized by the values for each of these (and other) variables.

A SAML authentication authority can deliver to a relying party the additional authentication context information in the form of an authentication context declaration, an XML document either inserted directly or referenced within the authentication assertion that the authentication authority provides to the relying party.

SAML requesters are able to request that an authentication comply with a specified authentication context by identifying that context in an authentication request. A requester may also specify that an authentication must be conducted with an authentication context that exceeds some stated value (for some agreed definition of "exceeds"). See the SAML assertions and protocols specification [SAMLCore] for more information.

2.1 Data Model

A particular authentication context declaration defined in this specification will capture characteristics of the processes, procedures, and mechanisms by which the authentication authority verified the subject before issuing an identity, protects the secrets on which subsequent authentications are based, and the mechanisms used for this authentication. These characteristics are categorized in the Authentication Context schema as follows:

• Identification - Characteristics that describe the processes and mechanism the authentication authority uses to initially create an association between a subject and the identity (or name) by which the subject will be known.

• Technical Protection - Characteristics that describe how the "secret" (the knowledge or possession of which allows the subject to authenticate to the authentication authority) is kept secure.

• Operational Protection - Characteristics that describe procedural security controls employed by the authentication authority (for example, security audits, records archival).

• Authentication Method - Characteristics that define the mechanisms by which the subject of the issued assertion authenticates to the authentication authority (for example, a password versus a smartcard).

• Governing Agreements - Characteristics that describe the legal framework (e.g. liability constraints and contractual obligations) underlying the authentication event and/or its associated technical authentication infrastructure.


2.2 Extensibility

The authentication context declaration schema [SAMLAC-xsd] has well-defined extensibility points through the <Extension> element. Authentication authorities can use this element to insert additional authentication context details for the SAML assertions they issue (assuming that the consuming relying party will be able to understand these extensions). These additional elements MUST be in a separate XML Namespace to that of the authentication context declaration base or class schema that applies to the declaration itself.

2.3 Processing Rules

Additional processing rules for authentication context declarations are specified in the SAML assertions and protocols specification [SAMLCore]. Note that in most respects, these processing rules amount to deployments sharing common interpretations of the relative strength or quality of particular authentication context declarations and cannot be expressed in absolute terms or provided as rules that implementations must follow.
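As an added example (not code from this specification or from any SAML implementation), the following Python shows the deployment-local interpretation these rules leave open: a relying party reads a declaration built from the elements the types schema in section 2.4 defines and applies its own risk policy to it, including the section 2.2 rule that extension content must sit outside the ac: namespace. The nesting of AuthnMethod, the sample values, the urn:example:ext namespace and the policy thresholds are assumptions made for this example.

```python
"""Added example (not from the OASIS specification or any SAML product): a
relying party reads an ac:AuthenticationContextDeclaration and checks it
against its own policy. Element names come from the types schema; the
AuthnMethod nesting, sample values, urn:example:ext namespace and policy
thresholds are assumptions made for this example."""
import xml.etree.ElementTree as ET

AC = "urn:oasis:names:tc:SAML:2.0:ac"


def q(name):
    """Clark-notation tag for an element in the ac: namespace."""
    return "{%s}%s" % (AC, name)


def local(tag):
    """Strip the namespace part from a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def build_declaration(password_min, authenticator, transport, ext_ns):
    """Constructed sample declaration; the parameters vary its characteristics."""
    return f"""<ac:AuthenticationContextDeclaration xmlns:ac="{AC}" xmlns:ex="{ext_ns}">
  <ac:Identification>
    <ac:PhysicalVerification credentialLevel="secondary"/>
  </ac:Identification>
  <ac:AuthnMethod>
    <ac:PrincipalAuthenticationMechanism>
      <ac:Password>
        <ac:Length min="{password_min}"/>
        <ac:Generation mechanism="principalchosen"/>
      </ac:Password>
    </ac:PrincipalAuthenticationMechanism>
    <ac:Authenticator>
      <ac:{authenticator}/>
    </ac:Authenticator>
    <ac:AuthenticatorTransportProtocol>
      <ac:{transport}/>
    </ac:AuthenticatorTransportProtocol>
  </ac:AuthnMethod>
  <ac:Extension>
    <ex:DeviceBinding>attested</ex:DeviceBinding>
  </ac:Extension>
</ac:AuthenticationContextDeclaration>"""


def summarize(declaration_xml):
    """Pull out the characteristics the relying-party policy reasons about."""
    root = ET.fromstring(declaration_xml)
    if root.tag != q("AuthenticationContextDeclaration"):
        raise ValueError("not an ac:AuthenticationContextDeclaration")
    method = root.find(q("AuthnMethod"))
    length = root.find(".//%s/%s" % (q("Password"), q("Length")))
    authn = None if method is None else method.find(q("Authenticator"))
    transport = None if method is None else method.find(q("AuthenticatorTransportProtocol"))
    return {
        "physical_verification": root.find("%s/%s" % (q("Identification"), q("PhysicalVerification"))) is not None,
        "password_min": None if length is None else int(length.get("min")),
        "authenticators": [] if authn is None else [local(c.tag) for c in authn],
        "transports": [] if transport is None else [local(c.tag) for c in transport],
        # Children of ac:Extension keep their full namespaced tag (section 2.2).
        "extensions": [c.tag for ext in root.findall(q("Extension")) for c in ext],
    }


# Hypothetical policy of one relying party for a high-value service; every
# threshold is that deployment's decision, not something the specification sets.
POLICY = {
    "password_min": 8,
    "rejected_authenticators": {"PreviousSession"},  # cookie from an earlier session only
    "rejected_transports": {"HTTP", "MobileNetworkNoEncryption"},  # authenticator in the clear
}


def evaluate(summary, policy=POLICY):
    """Return the policy findings; an empty list means the context is acceptable."""
    findings = []
    if summary["password_min"] is None or summary["password_min"] < policy["password_min"]:
        findings.append("password minimum length %s is below the required %d"
                        % (summary["password_min"], policy["password_min"]))
    findings += ["authenticator %s is not accepted" % a
                 for a in summary["authenticators"] if a in policy["rejected_authenticators"]]
    findings += ["authenticator transport %s is unprotected" % t
                 for t in summary["transports"] if t in policy["rejected_transports"]]
    # Section 2.2: extension content MUST be in a namespace other than ac:.
    findings += ["extension %s is wrongly placed in the ac: namespace" % local(tag)
                 for tag in summary["extensions"] if tag.startswith("{%s}" % AC)]
    return findings


WEAK = build_declaration(6, "PreviousSession", "HTTP", "urn:example:ext")
STRONGER = build_declaration(12, "SharedSecretChallengeResponse", "IPSec", "urn:example:ext")

if __name__ == "__main__":
    for name, decl in (("weak", WEAK), ("stronger", STRONGER)):
        print(name, evaluate(summarize(decl)) or "acceptable")
```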

2.4 Schema

This section lists the complete Authentication Context Types XML Schema [SAMLAC-Types], and the Authentication Context XML schema [SAMLAC-xsd] itself, used for the validation of individual generalized declarations. The types schema has no target namespace itself, and is then included by [SAMLAC-xsd].

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" version="2.0">

  <xs:annotation>
    <xs:documentation>
      Document identifier: saml-schema-authn-context-types-2.0
      Location: http://docs.oasis-open.org/security/saml/v2.0/
      Revision history:
        V2.0 (March, 2005):
          New core authentication context schema types for SAML V2.0.
    </xs:documentation>
  </xs:annotation>

  <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
    <xs:annotation>
      <xs:documentation>
        A particular assertion on an identity provider's part with respect to the authentication
        context associated with an authentication assertion.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Identification" type="IdentificationType">
    <xs:annotation>
      <xs:documentation>
        Refers to those characteristics that describe the processes and mechanisms the
        Authentication Authority uses to initially create an association between a Principal and
        the identity (or name) by which the Principal will be known
      </xs:documentation>
    </xs:annotation>
  </xs:element>


  <xs:element name="PhysicalVerification">
    <xs:annotation>
      <xs:documentation>
        This element indicates that identification has been performed in a physical
        face-to-face meeting with the principal and not in an online manner.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:attribute name="credentialLevel">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="primary"/>
            <xs:enumeration value="secondary"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>

  <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>

  <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
    <xs:annotation>
      <xs:documentation>
        Refers to those characteristics that describe how the 'secret' (the knowledge or
        possession of which allows the Principal to authenticate to the Authentication
        Authority) is kept secure
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
    <xs:annotation>
      <xs:documentation>
        This element indicates the types and strengths of facilities of a UA used to protect
        a shared secret key from unauthorized access and/or use.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
    <xs:annotation>
      <xs:documentation>
        This element indicates the types and strengths of facilities of a UA used to protect
        a private key from unauthorized access and/or use.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="KeyActivation" type="KeyActivationType">
    <xs:annotation>
      <xs:documentation>
        The actions that must be performed before the private key can be used.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="KeySharing" type="KeySharingType">
    <xs:annotation>
      <xs:documentation>
        Whether or not the private key is shared with the certificate authority.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="KeyStorage" type="KeyStorageType">
    <xs:annotation>
      <xs:documentation>
        In which medium is the key stored.
          memory - the key is stored in memory.
          smartcard - the key is stored in a smartcard.
          token - the key is stored in a hardware token.
          MobileDevice - the key is stored in a mobile device.
          MobileAuthCard - the key is stored in a mobile authentication card.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
  <xs:element name="UserSuffix" type="ExtensionOnlyType"/>

  <xs:element name="Password" type="PasswordType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that a password (or passphrase) has been used to
        authenticate the Principal to a remote system.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ActivationPin" type="ActivationPinType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that a Pin (Personal Identification Number) has been used to
        authenticate the Principal to some local system in order to activate a key.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Token" type="TokenType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that a hardware or software token is used as a method of
        identifying the Principal.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="TimeSyncToken" type="TimeSyncTokenType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that a time synchronization token is used to identify the Principal.
          hardware - the time synchronization token has been implemented in hardware.
          software - the time synchronization token has been implemented in software.
          SeedLength - the length, in bits, of the random seed used in the time
                       synchronization token.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Smartcard" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that a smartcard is used to identify the Principal.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Length" type="LengthType">
    <xs:annotation>
      <xs:documentation>
        This element indicates the minimum and/or maximum ASCII length of the password which
        is enforced (by the UA or the IdP). In other words, this is the minimum and/or maximum
        number of ASCII characters required to represent a valid password.
          min - the minimum number of ASCII characters required in a valid password, as
                enforced by the UA or the IdP.
          max - the maximum number of ASCII characters required in a valid password, as
                enforced by the UA or the IdP.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ActivationLimit" type="ActivationLimitType">
    <xs:annotation>
      <xs:documentation>
        This element indicates the length of time for which a PIN-based authentication is valid.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Generation">
    <xs:annotation>
      <xs:documentation>
        Indicates whether the password was chosen by the Principal or auto-supplied by the
        Authentication Authority.
          principalchosen - the Principal is allowed to choose the value of the password.
                This is true even if the initial password is chosen at random by the UA or
                the IdP and the Principal is then free to change the password.
          automatic - the password is chosen by the UA or the IdP to be cryptographically
                strong in some sense, or to satisfy certain password rules, and that the
                Principal is not free to change it or to choose a new password.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:attribute name="mechanism" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="principalchosen"/>
            <xs:enumeration value="automatic"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>

  <xs:element name="AuthnMethod" type="AuthnMethodBaseType">
    <xs:annotation>
      <xs:documentation>
        Refers to those characteristics that define the mechanisms by which the Principal
        authenticates to the Authentication Authority.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
    <xs:annotation>
      <xs:documentation>
        The method that a Principal employs to perform authentication to local system components.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="Authenticator" type="AuthenticatorBaseType">
    <xs:annotation>
      <xs:documentation>
        The method applied to validate a principal's authentication across a network
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
    <xs:annotation>
      <xs:documentation>
        Supports Authenticators with nested combinations of additional complexity.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="PreviousSession" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        Indicates that the Principal has been strongly authenticated in a previous session
        during which the IdP has set a cookie in the UA. During the present session the
        Principal has only been authenticated by the UA returning the cookie to the IdP.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ResumeSession" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        Rather like PreviousSession but using stronger security. A secret that was
        established in a previous session with the Authentication Authority has been cached
        by the local system and is now re-used (e.g. a Master Secret is used to derive new
        session keys in TLS, SSL, WTLS).
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Principal has been authenticated by a zero knowledge
        technique as specified in ISO/IEC 9798-5.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>


  <xs:complexType name="SharedSecretChallengeResponseType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Principal has been authenticated by a
        challenge-response protocol utilizing shared secret keys and symmetric cryptography.
      </xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="method" type="xs:anyURI" use="optional"/>
  </xs:complexType>

  <xs:element name="DigSig" type="PublicKeyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Principal has been authenticated by a mechanism
        which involves the Principal computing a digital signature over at least challenge
        data provided by the IdP.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="AsymmetricDecryption" type="PublicKeyType">
    <xs:annotation>
      <xs:documentation>
        The local system has a private key but it is used in decryption mode, rather than
        signature mode. For example, the Authentication Authority generates a secret and
        encrypts it using the local system's public key: the local system then proves it
        has decrypted the secret.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
    <xs:annotation>
      <xs:documentation>
        The local system has a private key and uses it for shared secret key agreement with
        the Authentication Authority (e.g. via Diffie-Hellman).
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:complexType name="PublicKeyType">
    <xs:sequence>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="keyValidation" use="optional"/>
  </xs:complexType>

  <xs:element name="IPAddress" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Principal has been authenticated through connection
        from a particular IP address.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

<xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> The local system and Authentication Authority

saml-authn-context-2.0-os 15 March 2005Copyright © OASIS Open 2005. All Rights Reserved. Page 12 of 70

518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584

share a secret key. The local system uses this to encrypt a randomised string to pass to the Authentication Authority. </xs:documentation> </xs:annotation> </xs:element>

  <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
    <xs:annotation>
      <xs:documentation>
        The protocol across which Authenticator information is transferred to
        an Authentication Authority verifier.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="HTTP" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Authenticator has been transmitted
        using bare HTTP utilizing no additional security protocols.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="IPSec" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Authenticator has been transmitted
        using a transport mechanism protected by an IPSEC session.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="WTLS" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Authenticator has been transmitted
        using a transport mechanism protected by a WTLS session.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Authenticator has been transmitted
        solely across a mobile network using no additional security mechanism.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
  <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>

  <xs:element name="SSL" type="ExtensionOnlyType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Authenticator has been transmitted
        using a transport mechanism protected by an SSL or TLS session.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="PSTN" type="ExtensionOnlyType"/>
  <xs:element name="ISDN" type="ExtensionOnlyType"/>
  <xs:element name="ADSL" type="ExtensionOnlyType"/>

  <xs:element name="OperationalProtection" type="OperationalProtectionType">
    <xs:annotation>
      <xs:documentation>
        Refers to those characteristics that describe procedural security
        controls employed by the Authentication Authority.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="SecurityAudit" type="SecurityAuditType"/>
  <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
  <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>

  <xs:element name="GoverningAgreements" type="GoverningAgreementsType">
    <xs:annotation>
      <xs:documentation>
        Provides a mechanism for linking to external (likely human readable)
        documents in which additional business agreements (e.g. liability
        constraints, obligations, etc.) can be placed.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>

  <xs:simpleType name="nymType">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="anonymity"/>
      <xs:enumeration value="verinymity"/>
      <xs:enumeration value="pseudonymity"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="AuthnContextDeclarationBaseType">
    <xs:sequence>
      <xs:element ref="Identification" minOccurs="0"/>
      <xs:element ref="TechnicalProtection" minOccurs="0"/>
      <xs:element ref="OperationalProtection" minOccurs="0"/>
      <xs:element ref="AuthnMethod" minOccurs="0"/>
      <xs:element ref="GoverningAgreements" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ID" type="xs:ID" use="optional"/>
  </xs:complexType>

  <xs:complexType name="IdentificationType">
    <xs:sequence>
      <xs:element ref="PhysicalVerification" minOccurs="0"/>
      <xs:element ref="WrittenConsent" minOccurs="0"/>
      <xs:element ref="GoverningAgreements" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="nym" type="nymType">
      <xs:annotation>
        <xs:documentation>
          This attribute indicates whether or not the Identification mechanisms
          allow the actions of the Principal to be linked to an actual end user.
        </xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>

  <xs:complexType name="TechnicalProtectionBaseType">
    <xs:sequence>
      <xs:choice minOccurs="0">
        <xs:element ref="PrivateKeyProtection"/>
        <xs:element ref="SecretKeyProtection"/>
      </xs:choice>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="OperationalProtectionType">
    <xs:sequence>
      <xs:element ref="SecurityAudit" minOccurs="0"/>
      <xs:element ref="DeactivationCallCenter" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="AuthnMethodBaseType">
    <xs:sequence>
      <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
      <xs:element ref="Authenticator" minOccurs="0"/>
      <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="GoverningAgreementsType">
    <xs:sequence>
      <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="GoverningAgreementRefType">
    <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
  </xs:complexType>

  <xs:complexType name="PrincipalAuthenticationMechanismType">
    <xs:sequence>
      <xs:element ref="Password" minOccurs="0"/>
      <xs:element ref="RestrictedPassword" minOccurs="0"/>
      <xs:element ref="Token" minOccurs="0"/>
      <xs:element ref="Smartcard" minOccurs="0"/>
      <xs:element ref="ActivationPin" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="preauth" type="xs:integer" use="optional"/>
  </xs:complexType>

  <xs:group name="AuthenticatorChoiceGroup">
    <xs:choice>
      <xs:element ref="PreviousSession"/>
      <xs:element ref="ResumeSession"/>
      <xs:element ref="DigSig"/>
      <xs:element ref="Password"/>
      <xs:element ref="RestrictedPassword"/>
      <xs:element ref="ZeroKnowledge"/>
      <xs:element ref="SharedSecretChallengeResponse"/>
      <xs:element ref="SharedSecretDynamicPlaintext"/>
      <xs:element ref="IPAddress"/>
      <xs:element ref="AsymmetricDecryption"/>
      <xs:element ref="AsymmetricKeyAgreement"/>
      <xs:element ref="SubscriberLineNumber"/>
      <xs:element ref="UserSuffix"/>
      <xs:element ref="ComplexAuthenticator"/>
    </xs:choice>
  </xs:group>

  <xs:group name="AuthenticatorSequenceGroup">
    <xs:sequence>
      <xs:element ref="PreviousSession" minOccurs="0"/>
      <xs:element ref="ResumeSession" minOccurs="0"/>
      <xs:element ref="DigSig" minOccurs="0"/>
      <xs:element ref="Password" minOccurs="0"/>
      <xs:element ref="RestrictedPassword" minOccurs="0"/>
      <xs:element ref="ZeroKnowledge" minOccurs="0"/>
      <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
      <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
      <xs:element ref="IPAddress" minOccurs="0"/>
      <xs:element ref="AsymmetricDecryption" minOccurs="0"/>
      <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
      <xs:element ref="SubscriberLineNumber" minOccurs="0"/>
      <xs:element ref="UserSuffix" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:group>

  <xs:complexType name="AuthenticatorBaseType">
    <xs:sequence>
      <xs:group ref="AuthenticatorChoiceGroup"/>
      <xs:group ref="AuthenticatorSequenceGroup"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="ComplexAuthenticatorType">
    <xs:sequence>
      <xs:group ref="AuthenticatorChoiceGroup"/>
      <xs:group ref="AuthenticatorSequenceGroup"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="AuthenticatorTransportProtocolType">
    <xs:sequence>
      <xs:choice minOccurs="0">
        <xs:element ref="HTTP"/>
        <xs:element ref="SSL"/>
        <xs:element ref="MobileNetworkNoEncryption"/>
        <xs:element ref="MobileNetworkRadioEncryption"/>
        <xs:element ref="MobileNetworkEndToEndEncryption"/>
        <xs:element ref="WTLS"/>
        <xs:element ref="IPSec"/>
        <xs:element ref="PSTN"/>
        <xs:element ref="ISDN"/>
        <xs:element ref="ADSL"/>
      </xs:choice>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="KeyActivationType">
    <xs:sequence>
      <xs:element ref="ActivationPin" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="KeySharingType">
    <xs:attribute name="sharing" type="xs:boolean" use="required"/>
  </xs:complexType>

  <xs:complexType name="PrivateKeyProtectionType">
    <xs:sequence>
      <xs:element ref="KeyActivation" minOccurs="0"/>
      <xs:element ref="KeyStorage" minOccurs="0"/>
      <xs:element ref="KeySharing" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="PasswordType">
    <xs:sequence>
      <xs:element ref="Length" minOccurs="0"/>
      <xs:element ref="Alphabet" minOccurs="0"/>
      <xs:element ref="Generation" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
  </xs:complexType>

  <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>

  <xs:complexType name="RestrictedPasswordType">
    <xs:complexContent>
      <xs:restriction base="PasswordType">
        <xs:sequence>
          <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
          <xs:element ref="Generation" minOccurs="0"/>
          <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
      </xs:restriction>
    </xs:complexContent>
  </xs:complexType>

  <xs:complexType name="RestrictedLengthType">
    <xs:complexContent>
      <xs:restriction base="LengthType">
        <xs:attribute name="min" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:integer">
              <xs:minInclusive value="3"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="max" type="xs:integer" use="optional"/>
      </xs:restriction>
    </xs:complexContent>
  </xs:complexType>

  <xs:complexType name="ActivationPinType">
    <xs:sequence>
      <xs:element ref="Length" minOccurs="0"/>
      <xs:element ref="Alphabet" minOccurs="0"/>
      <xs:element ref="Generation" minOccurs="0"/>
      <xs:element ref="ActivationLimit" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:element name="Alphabet" type="AlphabetType"/>

  <xs:complexType name="AlphabetType">
    <xs:attribute name="requiredChars" type="xs:string" use="required"/>
    <xs:attribute name="excludedChars" type="xs:string" use="optional"/>
    <xs:attribute name="case" type="xs:string" use="optional"/>
  </xs:complexType>

  <xs:complexType name="TokenType">
    <xs:sequence>
      <xs:element ref="TimeSyncToken"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="DeviceTypeType">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="hardware"/>
      <xs:enumeration value="software"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="booleanType">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="true"/>
      <xs:enumeration value="false"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="TimeSyncTokenType">
    <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
    <xs:attribute name="SeedLength" type="xs:integer" use="required"/>
    <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
  </xs:complexType>

  <xs:complexType name="ActivationLimitType">
    <xs:choice>
      <xs:element ref="ActivationLimitDuration"/>
      <xs:element ref="ActivationLimitUsages"/>
      <xs:element ref="ActivationLimitSession"/>
    </xs:choice>
  </xs:complexType>

  <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Key Activation Limit is defined as a
        specific duration of time.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Key Activation Limit is defined as a
        number of usages.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
    <xs:annotation>
      <xs:documentation>
        This element indicates that the Key Activation Limit is the session.
      </xs:documentation>
    </xs:annotation>
  </xs:element>

  <xs:complexType name="ActivationLimitDurationType">
    <xs:attribute name="duration" type="xs:duration" use="required"/>
  </xs:complexType>

  <xs:complexType name="ActivationLimitUsagesType">
    <xs:attribute name="number" type="xs:integer" use="required"/>
  </xs:complexType>

  <xs:complexType name="ActivationLimitSessionType"/>

  <xs:complexType name="LengthType">
    <xs:attribute name="min" type="xs:integer" use="required"/>
    <xs:attribute name="max" type="xs:integer" use="optional"/>
  </xs:complexType>

  <xs:simpleType name="mediumType">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="memory"/>
      <xs:enumeration value="smartcard"/>
      <xs:enumeration value="token"/>
      <xs:enumeration value="MobileDevice"/>
      <xs:enumeration value="MobileAuthCard"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="KeyStorageType">
    <xs:attribute name="medium" type="mediumType" use="required"/>
  </xs:complexType>

  <xs:complexType name="SecretKeyProtectionType">
    <xs:sequence>
      <xs:element ref="KeyActivation" minOccurs="0"/>
      <xs:element ref="KeyStorage" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="SecurityAuditType">
    <xs:sequence>
      <xs:element ref="SwitchAudit" minOccurs="0"/>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="ExtensionOnlyType">
    <xs:sequence>
      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:element name="Extension" type="ExtensionType"/>

  <xs:complexType name="ExtensionType">
    <xs:sequence>
      <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

</xs:schema>

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac"
  blockDefault="substitution"
  version="2.0">

  <xs:annotation>
    <xs:documentation>
      Document identifier: saml-schema-authn-context-2.0
      Location: http://docs.oasis-open.org/security/saml/v2.0/
      Revision history:
        V2.0 (March, 2005):
          New core authentication context schema for SAML V2.0.
          This is just an include of all types from the schema referred to in
          the include statement below.
    </xs:documentation>
  </xs:annotation>

  <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/>

</xs:schema>


3 Authentication Context Classes

The number of permutations of different characteristics ensures that there is a theoretically infinite number of unique authentication contexts. The implication is that, in theory, any particular relying party would be expected to be able to parse arbitrary authentication context declarations and, more importantly, to analyze the declaration in order to assess the “quality” of the associated authentication assertion. Making such an assessment is non-trivial.

Fortunately, an optimization is possible. In practice many authentication contexts will fall into categories determined by industry practices and technology. For instance, many B2C web browser authentication contexts will be (partially) defined by the principal authenticating to the authentication authority through the presentation of a password over an SSL protected session. In the enterprise world, certificate-based authentication will be common. Of course, the full authentication context is not limited to the specifics of how the principal authenticated. Nevertheless, the authentication method is often the most visible characteristic and as such can serve as a useful classifier for a class of related authentication contexts.

The concept is expressed in this specification as a definition of a series of authentication context classes. Each class defines a proper subset of the full set of authentication contexts. Classes have been chosen as representative of current authentication practices and technologies, and provide asserting and relying parties a convenient shorthand when referring to authentication context issues.

For instance, an authentication authority may include, with the complete authentication context declaration it provides to a relying party, an assertion that the authentication context also belongs to an authentication context class. For some relying parties, this assertion is sufficient detail for them to be able to assign an appropriate level of confidence to the associated authentication assertion. Other relying parties might prefer to examine the complete authentication context declaration itself. Likewise, the ability to refer to an authentication context class rather than being required to list the complete details of a specific authentication context declaration will simplify how the relying party can express its desires and/or requirements to an authentication authority.

3.1 Advantages of Authentication Context Classes

The introduction of the additional layer of classes and the definition of an initial list of representative and flexible classes are expected to:

• Make it easier for the authentication authority and relying party to come to an agreement on what are acceptable authentication contexts by giving them a framework for discussion.

• Make it easier for relying parties to indicate their preferences when requesting a step-up authentication assertion from an authentication authority.

• Simplify for relying parties the burden of processing authentication context declarations by giving them the option of being satisfied by the associated class.

• Insulate relying parties from the impact of new authentication technologies.

• Make it easier for authentication authorities to publish their authentication capabilities, for example, through WSDL.

3.2 Processing Rules

Further processing rules for authentication context classes are described in the SAML assertions and protocols specification [SAMLCore]. Note that in most respects, these processing rules amount to deployments sharing common interpretations of the relative strength or quality of particular authentication context classes and cannot be expressed in absolute terms or provided as rules that implementations must follow.
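What such a shared interpretation looks like on the relying-party side, as an added example that is not part of this specification: the relying party reads the class URI from the assertion's <AuthnContextClassRef> (element names as defined in [SAMLCore]; the assertion fragment below is constructed and unsigned) and evaluates it against the classes it requested under the [SAMLCore] Comparison values exact, minimum, maximum and better. The ranking table is a deployment policy assumed here for illustration; the specification itself ranks nothing, which is exactly why the table has to be agreed out of band. The check is only meaningful after the assertion's signature has been verified, a step this example leaves out.

```python
"""Relying-party acceptance check for an asserted SAML 2.0 authentication
context class.  Added example; not part of the OASIS specification."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # [SAMLCore] namespace
AC_CLASSES = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Deployment policy, assumed for this example: the relying party's own ranking
# of the classes it knows, weakest first.  Section 3.2 gives no absolute
# ordering, so this table is the "common interpretation" that asserting and
# relying parties have to agree on out of band.
CLASS_RANK = {
    AC_CLASSES + "InternetProtocol": 1,
    AC_CLASSES + "InternetProtocolPassword": 2,
    AC_CLASSES + "Kerberos": 3,
}


def asserted_class(assertion_xml):
    """Return the class URI carried in <AuthnStatement>/<AuthnContext>/
    <AuthnContextClassRef>.  Only meaningful after the assertion's XML
    signature has been verified; that step is outside this example."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML_NS}}}AuthnStatement/{{{SAML_NS}}}AuthnContext/"
            f"{{{SAML_NS}}}AuthnContextClassRef")
    ref = root.find(path)
    if ref is None or not (ref.text or "").strip():
        raise ValueError("assertion carries no AuthnContextClassRef")
    return ref.text.strip()


def _rank(uri):
    # A class the deployment has never ranked must not be accepted as
    # "at least as strong" as anything; fail closed instead.
    if uri not in CLASS_RANK:
        raise ValueError("unranked authentication context class: " + uri)
    return CLASS_RANK[uri]


def accept(asserted, requested, comparison="exact"):
    """True if `asserted` satisfies the RequestedAuthnContext given by the
    list `requested` and the [SAMLCore] Comparison value `comparison`
    (exact, minimum, maximum or better).  Mapping minimum/maximum/better
    onto CLASS_RANK is this example's reading of [SAMLCore]."""
    if not requested:
        raise ValueError("RequestedAuthnContext must list at least one class")
    if comparison == "exact":
        return asserted in requested              # no ranking involved
    a = _rank(asserted)
    ranks = [_rank(r) for r in requested]
    if comparison == "minimum":                   # at least as strong as one of them
        return a >= min(ranks)
    if comparison == "maximum":                   # no stronger than one of them
        return a <= max(ranks)
    if comparison == "better":                    # stronger than all of them
        return a > max(ranks)
    raise ValueError("unknown Comparison value: " + comparison)


# Constructed assertion fragment (not from the specification); unsigned, so a
# real deployment would reject it before it ever reached accept().
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2005-03-15T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2005-03-15T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    cls = asserted_class(SAMPLE_ASSERTION)
    wanted = [AC_CLASSES + "InternetProtocolPassword"]
    print(cls, "minimum:", accept(cls, wanted, "minimum"),
          "exact:", accept(cls, wanted, "exact"))
```

Failing closed on an unranked class matters: an IdP that starts emitting a new class URI should force a policy decision at the relying party rather than being silently treated as "good enough", which is the insulation from new technologies that Section 3.1 promises, applied deliberately rather than by accident.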


3.3 Extensibility

As does the core authentication context declaration schema, the separate authentication context class schemas allow the <Extension> element in certain locations of the tree structure. In general, where the <Extension> element occurred as a child of an <xs:choice> element, this option was removed in creating the appropriate class schema definition as a restriction of the base type. When the <Extension> element occurred as an optional child of an <xs:sequence> element, the <Extension> element was allowed to remain in addition to any required elements.

Consequently, authentication context declarations can include the <Extension> element (with additional elements in different namespaces) and still conform to authentication context class schemas (if they meet the other requirements of the schema, of course).

The authentication context class schemas restrict type definitions in the base authentication context schema. As an extension point, the authentication context class schemas themselves can be further restricted, their type definitions serving as base types in some other schema (potentially defined by some community wishing a more tightly defined authentication context class). To prevent logical inconsistencies, any such derived schema can only further constrain the type definitions of the class schema. To enforce this constraint, the authentication context class schemas are defined with the finalDefault="extension" attribute on the <schema> element, which forbids derivation by extension while leaving derivation by restriction available.

Additional authentication context classes MAY be developed by groups other than the Security Services Technical Committee. OASIS members may wish to document and submit them for consideration by the SSTC in a future version of the specification, and other groups may simply wish to inform the committee of their work. Please refer to the SSTC web site for further details.

Guidelines for the specification of new context classes are as follows:

• Specify a URI that uniquely identifies the context class.

• Provide contact information for the author of the class.

• Provide a textual description of the circumstances under which this class should be used.

• Provide a valid XML schema [Schema1] document implementing the class.

Authors of new classes are encouraged to review the classes defined within this specification in order to guide their work.

3.4 Schemas

Authentication context classes are listed in the following sub-sections. The classes are listed in alphabetical order; no other ranking is implied by the order of classes. Classes are uniquely identified by URIs with the following initial stem:

urn:oasis:names:tc:SAML:2.0:ac:classes

The class schemas are defined as restrictions of parts of the base authentication context "types" schema. XML instances that validate against a given authentication context class schema are said to conform to that authentication context class.

Note that because the class schema redefines (via <xs:redefine>) the base elements and types into the class schema namespace, a class-conforming authentication context declaration does not simultaneously validate against the base authentication context schema.

3.4.1 Internet Protocol

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-IP].


The Internet Protocol class is applicable when a principal is authenticated through the use of a provided IP address.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
        Document identifier: saml-schema-authn-context-ip-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="IPAddress"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

3.4.2 InternetProtocolPassword

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-IPP].

The Internet Protocol Password class is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
  xmlns:ac="urn:oasis:names:tc:SAML:2.0:ac"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
        Document identifier: saml-schema-authn-context-ippword-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="Password"/>
            <xs:element ref="IPAddress"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>
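The two class restrictions above (3.4.1 and 3.4.2), turned into a runnable structural check as an added example, not code from the specification: the declaration's default namespace selects the class, <AuthnMethod> and <Authenticator> become mandatory, and the <Authenticator> content is exactly <IPAddress/> for InternetProtocol, or <Password/>, <IPAddress/> and then any <Extension> elements for InternetProtocolPassword. It also exercises the Section 3.3 point: <Extension> survives only where the class schema kept it, and its children must come from a namespace other than the class namespace (the ##other wildcard). The root element name AuthenticationContextDeclaration comes from the base types schema defined earlier in this specification; the sample declarations and the urn:example:ext namespace are constructed for the example.

```python
"""Structural conformance check of an authentication context declaration
against the InternetProtocol and InternetProtocolPassword class schemas.
Added example, not part of the OASIS specification: it re-implements the
two class restrictions with the standard library, for environments without
an XML Schema validator.  Only the elements the class schemas restrict
(root, AuthnMethod, Authenticator) are checked."""
import xml.etree.ElementTree as ET

AC_CLASSES = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ROOT_NAME = "AuthenticationContextDeclaration"   # from the base types schema

# XSD-style sequences as (local name, required).  A trailing run of
# <Extension> is allowed only where the class schema kept it.
ROOT_SEQ = [("Identification", False), ("TechnicalProtection", False),
            ("OperationalProtection", False), ("AuthnMethod", True),
            ("GoverningAgreements", False)]
AUTHN_METHOD_SEQ = [("PrincipalAuthenticationMechanism", False),
                    ("Authenticator", True),
                    ("AuthenticatorTransportProtocol", False)]
CLASS_RULES = {
    # 3.4.1: Authenticator is exactly <IPAddress/>, no Extension allowed.
    AC_CLASSES + "InternetProtocol":
        {"authenticator": [("IPAddress", True)], "authenticator_ext": False},
    # 3.4.2: Authenticator is <Password/>, <IPAddress/>, then Extension*.
    AC_CLASSES + "InternetProtocolPassword":
        {"authenticator": [("Password", True), ("IPAddress", True)],
         "authenticator_ext": True},
}


def _split(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _check_sequence(parent, seq, ns, allow_ext, path, errors):
    """Match parent's children, in order, against `seq`; then permit only a
    trailing run of <Extension> (if allow_ext) whose children come from a
    namespace other than `ns`, mirroring <xs:any namespace="##other"/>."""
    children = list(parent)
    i = 0
    for name, required in seq:
        if i < len(children) and _split(children[i].tag) == (ns, name):
            i += 1
        elif required:
            errors.append(f"{path}: expected <{name}> here")
    for child in children[i:]:
        cns, local = _split(child.tag)
        if allow_ext and (cns, local) == (ns, "Extension"):
            for grand in child:
                if _split(grand.tag)[0] in ("", ns):
                    errors.append(f"{path}/Extension: <{grand.tag}> must be "
                                  "from another namespace")
        else:
            errors.append(f"{path}: unexpected element <{local}>")


def conformance_errors(xml_text):
    """Return the list of violations; empty means the declaration conforms
    to the class named by its default namespace.  A declaration in the base
    namespace urn:oasis:names:tc:SAML:2.0:ac is not class-conforming."""
    root = ET.fromstring(xml_text)
    ns, local = _split(root.tag)
    if ns not in CLASS_RULES:
        return [f"namespace {ns!r} is not a class handled here"]
    if local != ROOT_NAME:
        return [f"unexpected root element <{local}>"]
    rules = CLASS_RULES[ns]
    errors = []
    _check_sequence(root, ROOT_SEQ, ns, True, "/", errors)
    method = root.find(f"{{{ns}}}AuthnMethod")
    if method is not None:
        _check_sequence(method, AUTHN_METHOD_SEQ, ns, True, "/AuthnMethod", errors)
        auth = method.find(f"{{{ns}}}Authenticator")
        if auth is not None:
            _check_sequence(auth, rules["authenticator"], ns,
                            rules["authenticator_ext"],
                            "/AuthnMethod/Authenticator", errors)
    return errors


# Constructed sample declarations (not taken from the specification).
IP_OK = """<AuthenticationContextDeclaration
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol">
  <AuthnMethod><Authenticator><IPAddress/></Authenticator></AuthnMethod>
</AuthenticationContextDeclaration>"""

IPP_WITH_EXT = """<AuthenticationContextDeclaration
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
  xmlns:x="urn:example:ext">
  <AuthnMethod>
    <Authenticator><Password/><IPAddress/><Extension><x:GeoHint/></Extension></Authenticator>
    <AuthenticatorTransportProtocol><SSL/></AuthenticatorTransportProtocol>
  </AuthnMethod>
</AuthenticationContextDeclaration>"""

# Password is not permitted by the InternetProtocol class restriction.
IP_BAD = IP_OK.replace("<IPAddress/>", "<Password/><IPAddress/>")

if __name__ == "__main__":
    for name, doc in [("IP_OK", IP_OK), ("IPP_WITH_EXT", IPP_WITH_EXT), ("IP_BAD", IP_BAD)]:
        print(name, conformance_errors(doc) or "conforms")
```

A deployment that receives full declarations rather than class references would normally validate them against the published class schema with a schema-aware parser; a check like this one is a fast pre-filter, and it makes the consequence of <xs:redefine> visible: the same declaration re-rooted in the base namespace is rejected, because it no longer names any class.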

3.4.3 Kerberos

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-Kerb].

This class is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket. That Kerberos ticket is then used for subsequent network authentication.

Note: It is possible for the authentication authority to indicate (via this context class) a pre-authentication data type which was used by the Kerberos Key Distribution Center [RFC 1510] when authenticating the principal. The method used by the authentication authority to obtain this information is outside of the scope of this specification, but it is strongly recommended that a trusted method be deployed to pass the pre-authentication data type and any other Kerberos related context details (e.g. ticket lifetime) to the authentication authority.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
        Document identifier: saml-schema-authn-context-kerberos-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="RestrictedPassword"/>
          </xs:sequence>
          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="SharedSecretChallengeResponse"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SharedSecretChallengeResponseType">
      <xs:complexContent>
        <xs:restriction base="SharedSecretChallengeResponseType">
          <xs:attribute name="method" type="xs:anyURI"
              fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

An example of an XML instance conforming to this class schema is as follows:

<AuthenticationContextDeclaration
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos">
  <AuthnMethod>
    <PrincipalAuthenticationMechanism preauth="0">
      <RestrictedPassword>
        <Length min="4"/>
      </RestrictedPassword>
    </PrincipalAuthenticationMechanism>
    <Authenticator>
      <AuthenticatorSequence>
        <SharedSecretChallengeResponse
            method="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"/>
      </AuthenticatorSequence>
    </Authenticator>
  </AuthnMethod>
</AuthenticationContextDeclaration>
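A relying party that receives such a declaration can check the structural rules the Kerberos class schema states: the declaration's namespace is the class URI, RestrictedPassword is the only mechanism allowed, and the authenticator's method attribute is fixed to the class URI. The following is an added example, not part of the OASIS specification; the instance string is a constructed copy of the one above, and the search for the authenticator descends through AuthenticatorSequence because the instance above uses that wrapper even though the restricted AuthenticatorBaseType lists SharedSecretChallengeResponse directly.

```python
"""Parse and check a SAML V2.0 Kerberos authentication context declaration.

Added example (not from the OASIS specification). The checks mirror the
restrictions the Kerberos class schema places on the generic types.
"""
import xml.etree.ElementTree as ET

KERBEROS_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Constructed copy of the instance shown in the specification text.
KERBEROS_DECLARATION = f"""<AuthenticationContextDeclaration xmlns="{KERBEROS_CLASS}">
  <AuthnMethod>
    <PrincipalAuthenticationMechanism preauth="0">
      <RestrictedPassword>
        <Length min="4"/>
      </RestrictedPassword>
    </PrincipalAuthenticationMechanism>
    <Authenticator>
      <AuthenticatorSequence>
        <SharedSecretChallengeResponse method="{KERBEROS_CLASS}"/>
      </AuthenticatorSequence>
    </Authenticator>
  </AuthnMethod>
</AuthenticationContextDeclaration>
"""


def _q(ns, local):
    """Clark-notation name ({namespace}local) for ElementTree lookups."""
    return f"{{{ns}}}{local}"


def parse_kerberos_declaration(xml_text):
    """Return the security-relevant fields of a Kerberos class declaration.

    Raises ValueError when the instance violates the class schema as restated
    in the specification. The preauth value is reported as given; its meaning
    (a Kerberos pre-authentication data type) is defined by RFC 1510, not here.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    # The class URI doubles as the target namespace of the class schema.
    if ns != KERBEROS_CLASS:
        raise ValueError(f"namespace {ns!r} is not the Kerberos class URI")
    if root.tag != _q(ns, "AuthenticationContextDeclaration"):
        raise ValueError("root must be AuthenticationContextDeclaration")

    method = root.find(_q(ns, "AuthnMethod"))
    if method is None:
        raise ValueError("AuthnMethod is required by the class schema")

    # PrincipalAuthenticationMechanism is mandatory here (no minOccurs="0")
    # and may only contain RestrictedPassword.
    pam = method.find(_q(ns, "PrincipalAuthenticationMechanism"))
    if pam is None:
        raise ValueError("PrincipalAuthenticationMechanism is required")
    restricted = pam.find(_q(ns, "RestrictedPassword"))
    if restricted is None:
        raise ValueError("RestrictedPassword is the only mechanism allowed")
    length = restricted.find(_q(ns, "Length"))
    min_len = int(length.get("min")) if length is not None and length.get("min") else None
    preauth = pam.get("preauth")

    # The class fixes the authenticator's method attribute to the class URI.
    # ".//" tolerates the AuthenticatorSequence wrapper used in the instance.
    sscr = method.find(f".//{_q(ns, 'SharedSecretChallengeResponse')}")
    if sscr is None:
        raise ValueError("SharedSecretChallengeResponse authenticator is required")
    if sscr.get("method") != KERBEROS_CLASS:
        raise ValueError(f"method {sscr.get('method')!r} is not the Kerberos class URI")

    return {
        "class": ns,
        "preauth": int(preauth) if preauth is not None else None,
        "min_password_length": min_len,
        "authenticator": "SharedSecretChallengeResponse",
    }


def is_valid_kerberos_declaration(xml_text):
    """True when the instance passes the structural checks above."""
    try:
        parse_kerberos_declaration(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(parse_kerberos_declaration(KERBEROS_DECLARATION))
```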

3.4.4 MobileOneFactorUnregistered

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-MOFU].

Reflects no mobile customer registration procedures and an authentication of the mobile device without requiring explicit end-user interaction. This context class authenticates only the device and never the user; it is useful when services other than the mobile operator want to add a secure device authentication to their authentication process.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
        Document identifier: saml-schema-authn-context-mobileonefactor-unreg-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="DigSig"/>
              <xs:element ref="ZeroKnowledge"/>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
              <xs:element ref="AsymmetricDecryption"/>
              <xs:element ref="AsymmetricKeyAgreement"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SSL"/>
              <xs:element ref="MobileNetworkNoEncryption"/>
              <xs:element ref="MobileNetworkRadioEncryption"/>
              <xs:element ref="MobileNetworkEndToEndEncryption"/>
              <xs:element ref="WTLS"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="OperationalProtectionType">
      <xs:complexContent>
        <xs:restriction base="OperationalProtectionType">
          <xs:sequence>
            <xs:element ref="SecurityAudit"/>
            <xs:element ref="DeactivationCallCenter"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TechnicalProtectionBaseType">
      <xs:complexContent>
        <xs:restriction base="TechnicalProtectionBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PrivateKeyProtection"/>
              <xs:element ref="SecretKeyProtection"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrivateKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="PrivateKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecretKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="SecretKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyStorageType">
      <xs:complexContent>
        <xs:restriction base="KeyStorageType">
          <xs:attribute name="medium" use="required">
            <xs:simpleType>
              <xs:restriction base="mediumType">
                <xs:enumeration value="MobileDevice"/>
                <xs:enumeration value="MobileAuthCard"/>
                <xs:enumeration value="smartcard"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecurityAuditType">
      <xs:complexContent>
        <xs:restriction base="SecurityAuditType">
          <xs:sequence>
            <xs:element ref="SwitchAudit"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="IdentificationType">
      <xs:complexContent>
        <xs:restriction base="IdentificationType">
          <xs:sequence>
            <xs:element ref="GoverningAgreements"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="nym">
            <xs:simpleType>
              <xs:restriction base="nymType">
                <xs:enumeration value="anonymity"/>
                <xs:enumeration value="pseudonymity"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

3.4.5 MobileTwoFactorUnregistered

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-MTFU].

Reflects no mobile customer registration procedures and a two-factor based authentication, such as secure device and user PIN. This context class is useful when a service other than the mobile operator wants to link their customer ID to a mobile-supplied two-factor authentication service by capturing mobile phone data at enrollment.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
        Document identifier: saml-schema-authn-context-mobiletwofactor-unreg-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="DigSig"/>
              <xs:element ref="ZeroKnowledge"/>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
              <xs:element ref="AsymmetricDecryption"/>
              <xs:element ref="AsymmetricKeyAgreement"/>
              <xs:element ref="ComplexAuthenticator"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="ComplexAuthenticatorType">
      <xs:complexContent>
        <xs:restriction base="ComplexAuthenticatorType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
            </xs:choice>
            <xs:element ref="Password"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SSL"/>
              <xs:element ref="MobileNetworkNoEncryption"/>
              <xs:element ref="MobileNetworkRadioEncryption"/>
              <xs:element ref="MobileNetworkEndToEndEncryption"/>
              <xs:element ref="WTLS"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="OperationalProtectionType">
      <xs:complexContent>
        <xs:restriction base="OperationalProtectionType">
          <xs:sequence>
            <xs:element ref="SecurityAudit"/>
            <xs:element ref="DeactivationCallCenter"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TechnicalProtectionBaseType">
      <xs:complexContent>
        <xs:restriction base="TechnicalProtectionBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PrivateKeyProtection"/>
              <xs:element ref="SecretKeyProtection"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrivateKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="PrivateKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyActivation"/>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecretKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="SecretKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyActivation"/>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyStorageType">
      <xs:complexContent>
        <xs:restriction base="KeyStorageType">
          <xs:attribute name="medium" use="required">
            <xs:simpleType>
              <xs:restriction base="mediumType">
                <xs:enumeration value="MobileDevice"/>
                <xs:enumeration value="MobileAuthCard"/>
                <xs:enumeration value="smartcard"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecurityAuditType">
      <xs:complexContent>
        <xs:restriction base="SecurityAuditType">
          <xs:sequence>
            <xs:element ref="SwitchAudit"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="IdentificationType">
      <xs:complexContent>
        <xs:restriction base="IdentificationType">
          <xs:sequence>
            <xs:element ref="GoverningAgreements"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="nym">
            <xs:simpleType>
              <xs:restriction base="nymType">
                <xs:enumeration value="anonymity"/>
                <xs:enumeration value="pseudonymity"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

3.4.6 MobileOneFactorContract

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-MOFC].

Reflects mobile contract customer registration procedures and a single-factor authentication. For example, a digital signing device with tamper-resistant memory for key storage, such as the mobile MSISDN, but no required PIN or biometric for real-time user authentication.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
        Document identifier: saml-schema-authn-context-mobileonefactor-reg-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="DigSig"/>
              <xs:element ref="ZeroKnowledge"/>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
              <xs:element ref="AsymmetricDecryption"/>
              <xs:element ref="AsymmetricKeyAgreement"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SSL"/>
              <xs:element ref="MobileNetworkNoEncryption"/>
              <xs:element ref="MobileNetworkRadioEncryption"/>
              <xs:element ref="MobileNetworkEndToEndEncryption"/>
              <xs:element ref="WTLS"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="OperationalProtectionType">
      <xs:complexContent>
        <xs:restriction base="OperationalProtectionType">
          <xs:sequence>
            <xs:element ref="SecurityAudit"/>
            <xs:element ref="DeactivationCallCenter"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TechnicalProtectionBaseType">
      <xs:complexContent>
        <xs:restriction base="TechnicalProtectionBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PrivateKeyProtection"/>
              <xs:element ref="SecretKeyProtection"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrivateKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="PrivateKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecretKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="SecretKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyStorageType">
      <xs:complexContent>
        <xs:restriction base="KeyStorageType">
          <xs:attribute name="medium" use="required">
            <xs:simpleType>
              <xs:restriction base="mediumType">
                <xs:enumeration value="smartcard"/>
                <xs:enumeration value="MobileDevice"/>
                <xs:enumeration value="MobileAuthCard"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecurityAuditType">
      <xs:complexContent>
        <xs:restriction base="SecurityAuditType">
          <xs:sequence>
            <xs:element ref="SwitchAudit"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="IdentificationType">
      <xs:complexContent>
        <xs:restriction base="IdentificationType">
          <xs:sequence>
            <xs:element ref="PhysicalVerification"/>
            <xs:element ref="WrittenConsent"/>
            <xs:element ref="GoverningAgreements"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="nym">
            <xs:simpleType>
              <xs:restriction base="nymType">
                <xs:enumeration value="anonymity"/>
                <xs:enumeration value="verinymity"/>
                <xs:enumeration value="pseudonymity"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

3.4.7 MobileTwoFactorContract

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-MTFC].

Reflects mobile contract customer registration procedures and a two-factor based authentication. For example, a digital signing device with tamper-resistant memory for key storage, such as a GSM SIM, that requires explicit proof of user identity and intent, such as a PIN or biometric.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
        Document identifier: saml-schema-authn-context-mobiletwofactor-reg-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="DigSig"/>
              <xs:element ref="ZeroKnowledge"/>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
              <xs:element ref="AsymmetricDecryption"/>
              <xs:element ref="AsymmetricKeyAgreement"/>
              <xs:element ref="ComplexAuthenticator"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="ComplexAuthenticatorType">
      <xs:complexContent>
        <xs:restriction base="ComplexAuthenticatorType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SharedSecretChallengeResponse"/>
              <xs:element ref="SharedSecretDynamicPlaintext"/>
            </xs:choice>
            <xs:element ref="Password"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SSL"/>
              <xs:element ref="MobileNetworkNoEncryption"/>
              <xs:element ref="MobileNetworkRadioEncryption"/>
              <xs:element ref="MobileNetworkEndToEndEncryption"/>
              <xs:element ref="WTLS"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="OperationalProtectionType">
      <xs:complexContent>
        <xs:restriction base="OperationalProtectionType">
          <xs:sequence>
            <xs:element ref="SecurityAudit"/>
            <xs:element ref="DeactivationCallCenter"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TechnicalProtectionBaseType">
      <xs:complexContent>
        <xs:restriction base="TechnicalProtectionBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PrivateKeyProtection"/>
              <xs:element ref="SecretKeyProtection"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrivateKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="PrivateKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyActivation"/>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecretKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="SecretKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyActivation"/>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyStorageType">
      <xs:complexContent>
        <xs:restriction base="KeyStorageType">
          <xs:attribute name="medium" use="required">
            <xs:simpleType>
              <xs:restriction base="mediumType">
                <xs:enumeration value="MobileDevice"/>
                <xs:enumeration value="MobileAuthCard"/>
                <xs:enumeration value="smartcard"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SecurityAuditType">
      <xs:complexContent>
        <xs:restriction base="SecurityAuditType">
          <xs:sequence>
            <xs:element ref="SwitchAudit"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="IdentificationType">
      <xs:complexContent>
        <xs:restriction base="IdentificationType">
          <xs:sequence>
            <xs:element ref="PhysicalVerification"/>
            <xs:element ref="WrittenConsent"/>
            <xs:element ref="GoverningAgreements"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="nym">
            <xs:simpleType>
              <xs:restriction base="nymType">
                <xs:enumeration value="anonymity"/>
                <xs:enumeration value="verinymity"/>
                <xs:enumeration value="pseudonymity"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>

</xs:schema>

3.4.8 Password

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-Pass].

The Password class is applicable when a principal authenticates to an authentication authority through the presentation of a password over an unprotected HTTP session.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    Document identifier: saml-schema-authn-context-pword-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>


Following is an example of an XML instance that conforms to the context class schema:

<AuthenticationContextDeclaration xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
  <AuthnMethod>
    <Authenticator>
      <AuthenticatorSequence>
        <RestrictedPassword>
          <Length min="4"/>
        </RestrictedPassword>
      </AuthenticatorSequence>
    </Authenticator>
  </AuthnMethod>
</AuthenticationContextDeclaration>

3.4.9 PasswordProtectedTransport

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-PPT].

The PasswordProtectedTransport class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Document identifier: saml-schema-authn-context-ppt-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorTransportProtocolType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorTransportProtocolType">
      <xs:sequence>
        <xs:choice>
          <xs:element ref="SSL"/>
          <xs:element ref="MobileNetworkRadioEncryption"/>
          <xs:element ref="MobileNetworkEndToEndEncryption"/>
          <xs:element ref="WTLS"/>
          <xs:element ref="IPSec"/>
        </xs:choice>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.10 PreviousSession

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-Prev].

The PreviousSession class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context supported by that authentication authority. Consequently, a subsequent authentication event that the authentication authority will assert to the relying party may be significantly separated in time from the principal's current resource access request.

The context for the previously authenticated session is explicitly not included in this context class because the user has not authenticated during this session, and so the mechanism that the user employed to authenticate in a previous session should not be used as part of a decision on whether to now allow access to a resource.
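As an added example (not part of the OASIS specification), the following Python shows how a relying party might act on the distinctions drawn in this section: it reads the AuthnContextClassRef from an assertion, rejects the Password class (password over unprotected HTTP) where PasswordProtectedTransport or stronger is required, and treats PreviousSession as a reason to demand fresh authentication rather than as a mechanism to rank. The strength ranking, the function names and the sample assertions are constructed for illustration.

```python
"""Relying-party policy check on the SAML 2.0 authentication context class.

Added example, not OASIS code. The strength ranking, the helper names and the
sample assertions are constructed for illustration; signature verification and
Conditions checks are assumed to have succeeded before evaluate() is called.
"""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed relative ranking of the classes defined in this section.
# PreviousSession is deliberately absent: per the specification the mechanism
# used in the earlier session must not feed the current access decision.
CLASS_RANK = {
    AC + "Password": 1,                    # password over unprotected HTTP
    AC + "PasswordProtectedTransport": 2,  # password over a protected session
    AC + "SoftwarePKI": 3,                 # X.509 certificate held in software
    AC + "X509": 3,
    AC + "PGP": 3,
    AC + "SPKI": 3,
    AC + "XMLDSig": 3,
    AC + "Smartcard": 3,
    AC + "SmartcardPKI": 4,                # smartcard-held private key plus PIN
}


def authn_context_class(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI carried by an assertion, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//{%s}AuthnContextClassRef" % SAML_NS)
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def evaluate(assertion_xml: str, minimum_class: str,
             allow_previous_session: bool = False) -> Tuple[bool, str]:
    """Decide whether the asserted class meets the relying party's minimum.

    Returns (accepted, reason). A PreviousSession assertion is accepted only
    when the relying party explicitly opts in; otherwise the right response is
    to request authentication again (e.g. an AuthnRequest with ForceAuthn).
    """
    if minimum_class not in CLASS_RANK:
        return False, "policy error: unranked minimum class %s" % minimum_class
    cls = authn_context_class(assertion_xml)
    if cls is None:
        return False, "assertion carries no AuthnContextClassRef"
    if cls == AC + "PreviousSession":
        if allow_previous_session:
            return True, "accepted on a previous session; no fresh authentication"
        return False, "PreviousSession asserted; fresh authentication required"
    if cls not in CLASS_RANK:
        return False, "unknown class %s" % cls
    if CLASS_RANK[cls] < CLASS_RANK[minimum_class]:
        return False, "%s is weaker than required %s" % (cls, minimum_class)
    return True, "%s satisfies %s" % (cls, minimum_class)


def sample_assertion(class_ref: str) -> str:
    """Constructed minimal assertion with one AuthnStatement (not a real IdP's)."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
        'IssueInstant="2005-03-15T00:00:00Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2005-03-15T00:00:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>%s"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>" % (SAML_NS, class_ref)
    )


if __name__ == "__main__":
    need = AC + "PasswordProtectedTransport"
    for name in ("Password", "PasswordProtectedTransport",
                 "SmartcardPKI", "PreviousSession"):
        ok, why = evaluate(sample_assertion(AC + name), need)
        print("%-6s %s" % ("ACCEPT" if ok else "REJECT", why))
```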

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
    Document identifier: saml-schema-authn-context-session-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="PreviousSession"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>


3.4.11 Public Key – X.509

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:X509

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-X509].

The X509 context class indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    Document identifier: saml-schema-authn-context-x509-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
      <xs:attribute name="preauth" type="xs:integer" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="DigSig"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PublicKeyType">
  <xs:complexContent>
    <xs:restriction base="PublicKeyType">
      <xs:attribute name="keyValidation" type="xs:anyURI" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.12 Public Key – PGP

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:PGP

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-PGP].

The PGP context class indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
    Document identifier: saml-schema-authn-context-pgp-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
      <xs:attribute name="preauth" type="xs:integer" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="DigSig"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PublicKeyType">
  <xs:complexContent>
    <xs:restriction base="PublicKeyType">
      <xs:attribute name="keyValidation" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.13 Public Key – SPKI

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-SPKI].

The SPKI context class indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
    Document identifier: saml-schema-authn-context-spki-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
      <xs:attribute name="preauth" type="xs:integer" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="DigSig"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PublicKeyType">
  <xs:complexContent>
    <xs:restriction base="PublicKeyType">
      <xs:attribute name="keyValidation" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.14 Public Key - XML Digital Signature

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-XSig].

This context class indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification [XMLSig].

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
    Document identifier: saml-schema-authn-context-xmldsig-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="RestrictedPassword"/>
      </xs:sequence>
      <xs:attribute name="preauth" type="xs:integer" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:element ref="DigSig"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PublicKeyType">
  <xs:complexContent>
    <xs:restriction base="PublicKeyType">
      <xs:attribute name="keyValidation" type="xs:anyURI" fixed="urn:ietf:rfc:3075"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.15 Smartcard

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-Smart].

The Smartcard class is identified when a principal authenticates to an authentication authority using a smartcard.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
    Document identifier: saml-schema-authn-context-smartcard-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection" minOccurs="0"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="Smartcard"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>

3.4.16 SmartcardPKI

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-SmPKI].

The SmartcardPKI class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema
  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
  finalDefault="extension"
  blockDefault="substitution"
  version="2.0">

<xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

<xs:annotation>
  <xs:documentation>
    Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
    Document identifier: saml-schema-authn-context-smartcardpki-2.0
    Location: http://docs.oasis-open.org/security/saml/v2.0/
    Revision history:
      V2.0 (March, 2005):
        New authentication context class schema for SAML V2.0.
  </xs:documentation>
</xs:annotation>

<xs:complexType name="AuthnContextDeclarationBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnContextDeclarationBaseType">
      <xs:sequence>
        <xs:element ref="Identification" minOccurs="0"/>
        <xs:element ref="TechnicalProtection"/>
        <xs:element ref="OperationalProtection" minOccurs="0"/>
        <xs:element ref="AuthnMethod"/>
        <xs:element ref="GoverningAgreements" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthnMethodBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthnMethodBaseType">
      <xs:sequence>
        <xs:element ref="PrincipalAuthenticationMechanism"/>
        <xs:element ref="Authenticator"/>
        <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="TechnicalProtectionBaseType">
  <xs:complexContent>
    <xs:restriction base="TechnicalProtectionBaseType">
      <xs:sequence>
        <xs:choice>
          <xs:element ref="PrivateKeyProtection"/>
        </xs:choice>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrincipalAuthenticationMechanismType">
  <xs:complexContent>
    <xs:restriction base="PrincipalAuthenticationMechanismType">
      <xs:sequence>
        <xs:element ref="Smartcard"/>
        <xs:element ref="ActivationPin"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="AuthenticatorBaseType">
  <xs:complexContent>
    <xs:restriction base="AuthenticatorBaseType">
      <xs:sequence>
        <xs:choice>
          <xs:element ref="DigSig"/>
          <xs:element ref="AsymmetricDecryption"/>
          <xs:element ref="AsymmetricKeyAgreement"/>
        </xs:choice>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="PrivateKeyProtectionType">
  <xs:complexContent>
    <xs:restriction base="PrivateKeyProtectionType">
      <xs:sequence>
        <xs:element ref="KeyActivation"/>
        <xs:element ref="KeyStorage"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="KeyActivationType">
  <xs:complexContent>
    <xs:restriction base="KeyActivationType">
      <xs:sequence>
        <xs:element ref="ActivationPin"/>
      </xs:sequence>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="KeyStorageType">
  <xs:complexContent>
    <xs:restriction base="KeyStorageType">
      <xs:attribute name="medium" use="required">
        <xs:simpleType>
          <xs:restriction base="mediumType">
            <xs:enumeration value="smartcard"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

</xs:redefine>

</xs:schema>


3.4.17 SoftwarePKI

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-SwPKI].

The Software-PKI class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
        Document identifier: saml-schema-authn-context-softwarepki-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TechnicalProtectionBaseType">
      <xs:complexContent>
        <xs:restriction base="TechnicalProtectionBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PrivateKeyProtection"/>
            </xs:choice>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="ActivationPin"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="DigSig"/>
              <xs:element ref="AsymmetricDecryption"/>
              <xs:element ref="AsymmetricKeyAgreement"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrivateKeyProtectionType">
      <xs:complexContent>
        <xs:restriction base="PrivateKeyProtectionType">
          <xs:sequence>
            <xs:element ref="KeyActivation"/>
            <xs:element ref="KeyStorage"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyActivationType">
      <xs:complexContent>
        <xs:restriction base="KeyActivationType">
          <xs:sequence>
            <xs:element ref="ActivationPin"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="KeyStorageType">
      <xs:complexContent>
        <xs:restriction base="KeyStorageType">
          <xs:attribute name="medium" use="required">
            <xs:simpleType>
              <xs:restriction base="mediumType">
                <xs:enumeration value="memory"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.18 Telephony

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-Tele].

This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
        Document identifier: saml-schema-authn-context-telephony-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="SubscriberLineNumber"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PSTN"/>
              <xs:element ref="ISDN"/>
              <xs:element ref="ADSL"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.19 Telephony ("Nomadic")

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-TNom].

Indicates that the principal is "roaming" (perhaps using a phone card) and authenticates via the means of the line number, a user suffix, and a password element.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
        Document identifier: saml-schema-authn-context-nomad-telephony-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="Password"/>
            <xs:element ref="SubscriberLineNumber"/>
            <xs:element ref="UserSuffix"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PSTN"/>
              <xs:element ref="ISDN"/>
              <xs:element ref="ADSL"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.20 Telephony (Personalized)

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-TPers].

This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number and a user suffix, transported via a telephony protocol such as ADSL.


<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony
        Document identifier: saml-schema-authn-context-personal-telephony-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="SubscriberLineNumber"/>
            <xs:element ref="UserSuffix"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PSTN"/>
              <xs:element ref="ISDN"/>
              <xs:element ref="ADSL"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.21 Telephony (Authenticated)

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-TAuthn].

Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
        Document identifier: saml-schema-authn-context-auth-telephony-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="Password"/>
            <xs:element ref="SubscriberLineNumber"/>
            <xs:element ref="UserSuffix"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="PSTN"/>
              <xs:element ref="ISDN"/>
              <xs:element ref="ADSL"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.22 Secure Remote Password

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-SRP].

The Secure Remote Password class is applicable when the authentication was performed by means of Secure Remote Password as specified in [RFC 2945].

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
        Document identifier: saml-schema-authn-context-srp-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="RestrictedPassword"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="SharedSecretChallengeResponse"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="SharedSecretChallengeResponseType">
      <xs:complexContent>
        <xs:restriction base="SharedSecretChallengeResponseType">
          <xs:attribute name="method" type="xs:anyURI" fixed="urn:ietf:rfc:2945"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.23 SSL/TLS Certificate-Based Client Authentication

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-SSL].

This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
        Document identifier: saml-schema-authn-context-sslcert-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="RestrictedPassword"/>
          </xs:sequence>
          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorBaseType">
          <xs:sequence>
            <xs:element ref="DigSig"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PublicKeyType">
      <xs:complexContent>
        <xs:restriction base="PublicKeyType">
          <xs:attribute name="keyValidation" type="xs:anyURI"
              fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthenticatorTransportProtocolType">
      <xs:complexContent>
        <xs:restriction base="AuthenticatorTransportProtocolType">
          <xs:sequence>
            <xs:choice>
              <xs:element ref="SSL"/>
              <xs:element ref="WTLS"/>
            </xs:choice>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>

3.4.24 TimeSyncToken

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken

Note that this URI is also used as the target namespace in the corresponding authentication context class schema document [SAMLAC-TST].

The TimeSyncToken class is applicable when a principal authenticates through a time synchronization token.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
    targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
    finalDefault="extension"
    blockDefault="substitution"
    version="2.0">

  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">

    <xs:annotation>
      <xs:documentation>
        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        Document identifier: saml-schema-authn-context-timesync-2.0
        Location: http://docs.oasis-open.org/security/saml/v2.0/
        Revision history:
          V2.0 (March, 2005):
            New authentication context class schema for SAML V2.0.
      </xs:documentation>
    </xs:annotation>

    <xs:complexType name="AuthnContextDeclarationBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnContextDeclarationBaseType">
          <xs:sequence>
            <xs:element ref="Identification" minOccurs="0"/>
            <xs:element ref="TechnicalProtection" minOccurs="0"/>
            <xs:element ref="OperationalProtection" minOccurs="0"/>
            <xs:element ref="AuthnMethod"/>
            <xs:element ref="GoverningAgreements" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="ID" type="xs:ID" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="AuthnMethodBaseType">
      <xs:complexContent>
        <xs:restriction base="AuthnMethodBaseType">
          <xs:sequence>
            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
            <xs:element ref="Authenticator"/>
            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="PrincipalAuthenticationMechanismType">
      <xs:complexContent>
        <xs:restriction base="PrincipalAuthenticationMechanismType">
          <xs:sequence>
            <xs:element ref="Token"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TokenType">
      <xs:complexContent>
        <xs:restriction base="TokenType">
          <xs:sequence>
            <xs:element ref="TimeSyncToken"/>
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

    <xs:complexType name="TimeSyncTokenType">
      <xs:complexContent>
        <xs:restriction base="TimeSyncTokenType">
          <xs:attribute name="DeviceType" use="required">
            <xs:simpleType>
              <xs:restriction base="DeviceTypeType">
                <xs:enumeration value="hardware"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="SeedLength" use="required">
            <xs:simpleType>
              <xs:restriction base="xs:integer">
                <xs:minInclusive value="64"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="DeviceInHand" use="required">
            <xs:simpleType>
              <xs:restriction base="booleanType">
                <xs:enumeration value="true"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>
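A relying party cannot take a declaration's class URI at face value: the declaration body must also meet the restrictions the class schema places on the base types, and an identity provider that emits a declaration should check the same thing before signing. The following added example (not part of the OASIS specification) enforces the restrictions shown for SoftwarePKI (section 3.4.17) and TimeSyncToken (this section) with the Python standard library only; the sample declarations are constructed and abbreviated, the root element name AuthenticationContextDeclaration is assumed from the types schema this page does not reproduce, and full XSD validation is out of scope.

```python
import xml.etree.ElementTree as ET

# Added example, not from the OASIS specification: enforce the class-specific
# restrictions that the SoftwarePKI and TimeSyncToken class schemas place on the
# base types.  Only the restrictions shown on the page are checked, not full XSD.
AC_CLASSES = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
TIMESYNC_TOKEN = AC_CLASSES + "TimeSyncToken"
SOFTWARE_PKI = AC_CLASSES + "SoftwarePKI"


def _q(ns, name):
    """Clark-notation tag; a declaration's elements live in its class URI namespace."""
    return "{%s}%s" % (ns, name)


def _descend(node, ns, *names):
    """Follow a chain of child element names, or return None if a step is missing."""
    for name in names:
        node = node.find(_q(ns, name))
        if node is None:
            return None
    return node


def check_timesync_token(root):
    """TimeSyncToken class: DeviceType="hardware", SeedLength >= 64, DeviceInHand="true"."""
    ns = TIMESYNC_TOKEN
    tok = _descend(root, ns, "AuthnMethod", "PrincipalAuthenticationMechanism",
                   "Token", "TimeSyncToken")
    if tok is None:
        # The class schema leaves PrincipalAuthenticationMechanism optional, so the
        # device properties may simply be unasserted; a relying party that needs
        # them has to insist on their presence itself.
        return ["TimeSyncToken element absent: device properties unasserted"]
    errs = []
    if tok.get("DeviceType") != "hardware":
        errs.append("DeviceType must be 'hardware'")
    try:
        if int(tok.get("SeedLength", "")) < 64:
            errs.append("SeedLength must be at least 64")
    except ValueError:
        errs.append("SeedLength must be an integer")
    if tok.get("DeviceInHand") != "true":
        errs.append("DeviceInHand must be 'true'")
    return errs


def check_software_pki(root):
    """SoftwarePKI class: TechnicalProtection is mandatory and must hold
    PrivateKeyProtection with KeyActivation/ActivationPin and KeyStorage medium="memory"."""
    ns = SOFTWARE_PKI
    pkp = _descend(root, ns, "TechnicalProtection", "PrivateKeyProtection")
    if pkp is None:
        return ["TechnicalProtection/PrivateKeyProtection is required"]
    errs = []
    if _descend(pkp, ns, "KeyActivation", "ActivationPin") is None:
        errs.append("KeyActivation must contain ActivationPin")
    storage = pkp.find(_q(ns, "KeyStorage"))
    if storage is None:
        errs.append("KeyStorage is required")
    elif storage.get("medium") != "memory":
        errs.append("KeyStorage medium must be 'memory'")
    return errs


CLASS_CHECKS = {TIMESYNC_TOKEN: check_timesync_token, SOFTWARE_PKI: check_software_pki}


def class_uri_of(root):
    """The class a declaration claims is the namespace of its root element."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else None


def validate_declaration(xml_text):
    """Return (claimed class URI, list of violations) for one declaration document."""
    root = ET.fromstring(xml_text)
    uri = class_uri_of(root)
    check = CLASS_CHECKS.get(uri)
    if check is None:
        return uri, ["no checker for class %r" % uri]
    return uri, check(root)


# Constructed, abbreviated sample declarations (not taken from the specification);
# the root element name is assumed from the types schema this page does not show.
GOOD_TIMESYNC = """<AuthenticationContextDeclaration
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken">
  <AuthnMethod>
    <PrincipalAuthenticationMechanism>
      <Token><TimeSyncToken DeviceType="hardware" SeedLength="128" DeviceInHand="true"/></Token>
    </PrincipalAuthenticationMechanism>
  </AuthnMethod>
</AuthenticationContextDeclaration>"""
# Software token with a short seed: fails two of the three attribute restrictions.
BAD_TIMESYNC = GOOD_TIMESYNC.replace('"hardware"', '"software"').replace('SeedLength="128"', 'SeedLength="32"')
GOOD_SWPKI = """<AuthenticationContextDeclaration
    xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI">
  <TechnicalProtection>
    <PrivateKeyProtection>
      <KeyActivation><ActivationPin/></KeyActivation>
      <KeyStorage medium="memory"/>
    </PrivateKeyProtection>
  </TechnicalProtection>
  <AuthnMethod/>
</AuthenticationContextDeclaration>"""
# A smartcard medium contradicts the SoftwarePKI class (it is the SmartcardPKI restriction).
BAD_SWPKI = GOOD_SWPKI.replace('medium="memory"', 'medium="smartcard"')
```

Because the checks are keyed by the root element's namespace, a declaration that claims one class URI while carrying another class's content (for example a SoftwarePKI declaration whose key lives on a smartcard) is reported rather than silently accepted.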

3.4.25 Unspecified

URI: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

The Unspecified class indicates that the authentication was performed by unspecified means.


4 References[RFC 1510] J. Kohl, C. Neuman. The Kerberos Network Authentication Requestor (V5). IETF

RFC 1510, September 1993. See http://www.ietf.org/rfc/rfc1510.txt.[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF

RFC 2119, March 1997. See http://www.ietf.org/rfc/rfc2119.txt.[RFC 2945] T. Wu. The SRP Authentication and Key Exchange System. IETF RFC 2945,

September 2000. See http://www.ietf.org/rfc/rfc2945.txt. [SAMLAC-xsd] J. Kemp et al. SAML authentication context schema. OASIS SSTC, March 2005.

Document ID saml-schema-authn-context-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Types] J. Kemp et al. SAML authentication context types schema. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-types-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-IP] J. Kemp et al. SAML context class schema for Internet Protocol. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-ip-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-IPP] J. Kemp et al. SAML context class schema for Internet Protocol Password. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-ippword-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Kerb] J. Kemp et al. SAML context class schema for Kerberos. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-kerberos-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-MOFC] J. Kemp et al. SAML context class schema for Mobile One Factor Contract. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-mobileonefactor-reg-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-MOFU] J. Kemp et al. SAML context class schema for Mobile One Factor Unregistered. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-mobileonefactor-unreg-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-MTFC] J. Kemp et al. SAML context class schema for Mobile Two Factor Contract. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-mobiletwofactor-reg-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-MTFU] J. Kemp et al. SAML context class schema for Mobile Two Factor Unregistered. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-mobiletwofactor-unreg-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Pass] J. Kemp et al. SAML context class schema for Password. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-pword-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-PGP] J. Kemp et al. SAML context class schema for Public Key – PGP. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-pgp-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-PPT] J. Kemp et al. SAML context class schema for Password Protected Transport. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-ppt-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Prev] J. Kemp et al. SAML context class schema for Previous Session. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-session-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Smart] J. Kemp et al. SAML context class schema for Smartcard. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-smartcard-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-SmPKI] J. Kemp et al. SAML context class schema for Smartcard PKI. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-smartcardpki-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-SPKI] J. Kemp et al. SAML context class schema for Public Key – SPKI. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-spki-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-SRP] J. Kemp et al. SAML context class schema for Secure Remote Password. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-srp-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-SSL] J. Kemp et al. SAML context class schema for SSL/TLS Certificate-Based Client Authentication. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-sslcert-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-SwPKI] J. Kemp et al. SAML context class schema for Software PKI. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-softwarepki-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-Tele] J. Kemp et al. SAML context class schema for Telephony. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-telephony-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-TNom] J. Kemp et al. SAML context class schema for Telephony (“Nomadic”). OASIS SSTC, March 2005. Document ID saml-schema-authn-context-nomad-telephony-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-TPers] J. Kemp et al. SAML context class schema for Telephony (Personalized). OASIS SSTC, March 2005. Document ID saml-schema-authn-context-personal-telephony-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-TAuthn] J. Kemp et al. SAML context class schema for Telephony (Authenticated). OASIS SSTC, March 2005. Document ID saml-schema-authn-context-auth-telephony-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-TST] J. Kemp et al. SAML context class schema for Time Sync Token. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-timesync-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-X509] J. Kemp et al. SAML context class schema for Public Key – X.509. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-x509-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLAC-XSig] J. Kemp et al. SAML context class schema for Public Key – XML Signature. OASIS SSTC, March 2005. Document ID saml-schema-authn-context-xmldsig-2.0. See http://www.oasis-open.org/committees/security/.

[SAMLCore] S. Cantor et al. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-core-2.0-os. See http://www.oasis-open.org/committees/security/.

[Schema1] H. S. Thompson et al. XML Schema Part 1: Structures. World Wide Web Consortium Recommendation, May 2001. See http://www.w3.org/TR/xmlschema-1/.

[XMLSig] D. Eastlake et al. XML-Signature Syntax and Processing. World Wide Web Consortium Recommendation, February 2002. See http://www.w3.org/TR/xmldsig-core/.

Appendix A. Acknowledgments

The editors would like to acknowledge the contributions of the OASIS Security Services Technical Committee, whose voting members at the time of publication were:

• Conor Cahill, AOL
• John Hughes, Atos Origin
• Hal Lockhart, BEA Systems
• Mike Beach, Boeing
• Rebekah Metz, Booz Allen Hamilton
• Rick Randall, Booz Allen Hamilton
• Ronald Jacobson, Computer Associates
• Gavenraj Sodhi, Computer Associates
• Thomas Wisniewski, Entrust
• Carolina Canales-Valenzuela, Ericsson
• Dana Kaufman, Forum Systems
• Irving Reid, Hewlett-Packard
• Guy Denton, IBM
• Heather Hinton, IBM
• Maryann Hondo, IBM
• Michael McIntosh, IBM
• Anthony Nadalin, IBM
• Nick Ragouzis, Individual
• Scott Cantor, Internet2
• Bob Morgan, Internet2
• Peter Davis, Neustar
• Jeff Hodges, Neustar
• Frederick Hirsch, Nokia
• Senthil Sengodan, Nokia
• Abbie Barbir, Nortel Networks
• Scott Kiester, Novell
• Cameron Morris, Novell
• Paul Madsen, NTT
• Steve Anderson, OpenNetwork
• Ari Kermaier, Oracle
• Vamsi Motukuru, Oracle
• Darren Platt, Ping Identity
• Prateek Mishra, Principal Identity
• Jim Lien, RSA Security
• John Linn, RSA Security
• Rob Philpott, RSA Security
• Dipak Chopra, SAP
• Jahan Moreh, Sigaba
• Bhavna Bhatnagar, Sun Microsystems
• Eve Maler, Sun Microsystems
• Ronald Monzillo, Sun Microsystems
• Emily Xu, Sun Microsystems
• Greg Whitehead, Trustgenix

The editors also would like to acknowledge the following former SSTC members for their contributions to this or previous versions of the OASIS Security Assertion Markup Language Standard:

• Stephen Farrell, Baltimore Technologies
• David Orchard, BEA Systems
• Krishna Sankar, Cisco Systems
• Zahid Ahmed, CommerceOne
• Tim Alsop, CyberSafe Limited
• Carlisle Adams, Entrust
• Tim Moses, Entrust
• Nigel Edwards, Hewlett-Packard
• Joe Pato, Hewlett-Packard
• Bob Blakley, IBM
• Marlena Erdos, IBM
• Marc Chanliau, Netegrity
• Chris McLaren, Netegrity
• Lynne Rosenthal, NIST
• Mark Skall, NIST
• Charles Knouse, Oblix
• Simon Godik, Overxeer
• Charles Norwood, SAIC
• Evan Prodromou, Securant
• Robert Griffin, RSA Security (former editor)
• Sai Allarvarpu, Sun Microsystems
• Gary Ellison, Sun Microsystems
• Chris Ferris, Sun Microsystems
• Mike Myers, Traceroute Security
• Phillip Hallam-Baker, VeriSign (former editor)
• James Vanderbeek, Vodafone
• Mark O’Neill, Vordel
• Tony Palmer, Vordel

Finally, the editors wish to acknowledge the following people for their contributions of material used as input to the OASIS Security Assertion Markup Language specifications:

• Thomas Gross, IBM
• Birgit Pfitzmann, IBM

Appendix B. Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright © OASIS Open 2005. All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
