[Lasso-devel] - Patch possible?

Benjamin Dauvergne bdauvergne at entrouvert.com
Wed Sep 30 14:53:32 CEST 2009


Bhaskar Jain (bhajain) wrote:
>  <AuthnStatement>
>   -----
>   <AuthnInstant>         required
>   <SessionIndex>         optional
>   <SessionNotOnOrAfter>  optional
>   <SubjectLocality       optional
>       <address>           optional
>       <DNSName>          optional
>   <AuthnContext>         required
>       <AuthnContextClassRef>  optional
>       <AuthnContextDecl>      optional
>       <AuthenticatingAuthority>  zero or more
I do not agree with this schema, the real schema is:
    <complexType name="AuthnStatementType">
        <complexContent>
            <extension base="saml:StatementAbstractType">
                <sequence>
                    <element ref="saml:SubjectLocality" minOccurs="0"/>
                    <element ref="saml:AuthnContext"/>
                </sequence>
                <attribute name="AuthnInstant" type="dateTime" use="required"/>
                <attribute name="SessionIndex" type="string" use="optional"/>
                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
            </extension>
        </complexContent>
    </complexType>
So the content of AuthnClassRef is clearly not optional; rather, it is a 
choice between three possibilities.

>
>   Doing idpLogin.response.assertion[0].authnStatement[0].authnContext.authnContextClassRef =  None
>   produces SAMLResponse - 
>    
>       <saml:AuthnStatement AuthnInstant="2009-09-30T06:46:33Z"><saml:AuthnContext/></saml:AuthnStatement>
>
> This is accepted by salesforce.com but GoogleApps says it cannot parse 
> the login request. So i think this is not a valid construct. Based on 
> my discussion with my lead, is it possible that you can give us 
> a patch which will make it optional to set AuthnContextClassRef if we 
> pass some flag to the buildAssertion method. We'll be very happy to 
> test it. It is okay also if it does not go into the trunk.
Did you try to put some content instead, like 
urn:oasis:names:tc:SAML:2.0:ac:classes:Password 
(lasso.SAML2_AUTHN_CONTEXT_PASSWORD)?

I just looked at sample PHP code from Google, and they clearly specify 
an AuthnClassRef in their AuthnResponse (see 
http://code.google.com/p/google-apps-sso-sample/downloads/list).

-- 
Benjamin Dauvergne - www.entrouvert.com
Tel.: +33 (0)1 43 35 01 35
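The structural rule being argued over above (AuthnContext is required, and per the schema's AuthnContextType it must carry an AuthnContextClassRef, an AuthnContextDecl or an AuthnContextDeclRef, so an empty `<saml:AuthnContext/>` is not schema-valid) can be checked with a few lines of code before a response is sent to a relying party. The following is an added example, not code from this thread or from the Lasso project; it uses only the Python standard library, the `xmlns:saml` declaration on the quoted fragment and the `WITH_CLASSREF` sample are constructed here, and the ClassRef value is the Password URI named in the reply.

```python
# Added example (not from the Lasso mailing list post or the Lasso project):
# a structural check for a SAML 2.0 <saml:AuthnStatement>, mirroring the
# schema rules quoted in the thread. Standard library only.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The class reference suggested in the reply (lasso.SAML2_AUTHN_CONTEXT_PASSWORD).
AUTHN_CONTEXT_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# The fragment quoted in the thread (AuthnContextClassRef set to None);
# the xmlns:saml declaration is added here so the fragment parses stand-alone.
EMPTY_CONTEXT = (
    '<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'AuthnInstant="2009-09-30T06:46:33Z"><saml:AuthnContext/></saml:AuthnStatement>'
)

# Constructed corrected fragment: same statement with the Password ClassRef filled in.
WITH_CLASSREF = (
    '<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'AuthnInstant="2009-09-30T06:46:33Z" SessionIndex="constructed-session-1">'
    '<saml:AuthnContext><saml:AuthnContextClassRef>'
    + AUTHN_CONTEXT_PASSWORD +
    '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
)


def q(local):
    """Clark-notation name for an element in the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, local)


def check_authn_statement(xml_text):
    """Return a list of structural problems found in a <saml:AuthnStatement>.

    An empty list means the statement satisfies the rules quoted from the
    schema: AuthnInstant is a required attribute, SessionIndex and
    SessionNotOnOrAfter are optional, SubjectLocality is optional, and
    AuthnContext is required and must contain one of the three reference
    forms (ClassRef, Decl or DeclRef).
    """
    stmt = ET.fromstring(xml_text)
    problems = []
    if stmt.tag != q("AuthnStatement"):
        return ["root element is %s, expected saml:AuthnStatement" % stmt.tag]
    if "AuthnInstant" not in stmt.attrib:
        problems.append("missing required attribute AuthnInstant")
    ctx = stmt.find(q("AuthnContext"))
    if ctx is None:
        problems.append("missing required element saml:AuthnContext")
        return problems
    # AuthnContextType is a choice: at least one of these must be present.
    choices = {q("AuthnContextClassRef"), q("AuthnContextDecl"), q("AuthnContextDeclRef")}
    if not any(child.tag in choices for child in ctx):
        problems.append(
            "saml:AuthnContext has no ClassRef/Decl/DeclRef child "
            "(an empty saml:AuthnContext is not schema-valid)"
        )
    classref = ctx.find(q("AuthnContextClassRef"))
    if classref is not None and not (classref.text or "").strip():
        problems.append("saml:AuthnContextClassRef is present but empty")
    return problems


if __name__ == "__main__":
    for label, sample in (("quoted fragment", EMPTY_CONTEXT), ("with ClassRef", WITH_CLASSREF)):
        result = check_authn_statement(sample)
        print(label, "->", result or "OK")
```

Run as a script, the quoted fragment reports the missing ClassRef/Decl/DeclRef child while the corrected fragment passes; the same function can be called on the statement an identity provider is about to emit, which catches the construct one relying party happened to tolerate and another rejected.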