Internet Engineering Task Force (IETF) S. Santesson
Request for Comments: 7773 3xA Security
Category: Standards Track March 2016
ISSN: 2070-1721
Internet Engineering Task Force (IETF) S. Santesson
Request for Comments: 7773 3xA Security
Category: Standards Track March 2016
ISSN: 2070-1721
Authentication Context Certificate Extension
身份验证上下文证书扩展
Abstract
摘要
This document defines an extension to X.509 certificates. The extension defined in this document holds data about how the certificate subject was authenticated by the Certification Authority that issued the certificate in which this extension appears.
本文档定义了X.509证书的扩展。本文档中定义的扩展包含有关证书主体如何由颁发此扩展的证书的证书颁发机构进行身份验证的数据。
This document also defines one data structure for inclusion in this extension. The data structure is designed to hold information when the subject is authenticated using a Security Assertion Markup Language (SAML) assertion.
本文档还定义了一个包含在此扩展中的数据结构。数据结构设计为在使用安全断言标记语言(SAML)断言对主题进行身份验证时保存信息。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7773.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7773.
Copyright Notice
版权公告
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
1.1. Terminology ................................................3
2. Authentication Context Extension Syntax .........................4
3. SAML Authentication Context Information .........................4
3.1. contextInfo Data Structure .................................5
3.1.1. AuthContextInfo Element .............................5
3.1.2. IdAttributes Element ................................6
4. Security Considerations .........................................8
5. Normative References ............................................8
Appendix A. ASN.1 Modules .........................................10
A.1. ASN.1 1988 Syntax .........................................10
A.2. ASN.1 2008 Syntax .........................................11
Appendix B. SAML Authentication Context Info XML Schema ...........12
B.1. XML Schema ................................................12
Appendix C. SAML Authentication Context Info XML Examples .........14
C.1. Complete Context Information and Mappings .................14
C.2. Only Mapping Information without SAML Attribute Values ....15
C.3. Authentication Context and serialNumber Mapping ...........16
Author's Address ..................................................16
1. Introduction ....................................................2
1.1. Terminology ................................................3
2. Authentication Context Extension Syntax .........................4
3. SAML Authentication Context Information .........................4
3.1. contextInfo Data Structure .................................5
3.1.1. AuthContextInfo Element .............................5
3.1.2. IdAttributes Element ................................6
4. Security Considerations .........................................8
5. Normative References ............................................8
Appendix A. ASN.1 Modules .........................................10
A.1. ASN.1 1988 Syntax .........................................10
A.2. ASN.1 2008 Syntax .........................................11
Appendix B. SAML Authentication Context Info XML Schema ...........12
B.1. XML Schema ................................................12
Appendix C. SAML Authentication Context Info XML Examples .........14
C.1. Complete Context Information and Mappings .................14
C.2. Only Mapping Information without SAML Attribute Values ....15
C.3. Authentication Context and serialNumber Mapping ...........16
Author's Address ..................................................16
The primary purpose of this document is to provide a mechanism that allows an application to obtain information that expresses the identity of a subject in an X.509 certificate according to [RFC5280]. The identity is stored either in a subject field attribute, as a subject alternative name, or in a subject directory attribute.
本文件的主要目的是提供一种机制,允许应用程序根据[RFC5280]获取表示X.509证书中主体身份的信息。标识存储在“主题”字段属性、主题备选名称或主题目录属性中。
The motivation for this work is to enable mapping of identity data between an identity system and a certificate where the identity system and the certificate are using different attributes and data formats to express the identity of the same entity. In such a scenario, the certificate subject already has an authenticated identity composed of a set of attributes, or so-called claims, that differ from the set of attributes that are commonly used to express the identity of a certificate subject and that may be governed by a specific certificate profile limiting that set.
这项工作的动机是实现身份系统和证书之间的身份数据映射,其中身份系统和证书使用不同的属性和数据格式来表示同一实体的身份。在这样的场景中,证书主体已经具有由一组属性或所谓的权利要求组成的认证身份,这些属性或权利要求不同于通常用于表示证书主体身份的属性集,并且可以由限制该属性集的特定证书简档来管理。
A typical scenario motivating the definition of this extension arises when the source of user authentication and user identity is derived from a SAML [SAML] federation attribute profile. In a SAML federation, the subject presents a SAML assertion in exchange for a certificate that can be uniquely linked to information provided in the original SAML assertion, e.g., attributes and/or level of assurance indicators.
当用户身份验证和用户标识的源来自SAML[SAML]联合属性概要文件时,会出现一个典型的场景来激发此扩展的定义。在SAML联合中,主体提供SAML断言以交换证书,该证书可以唯一地链接到原始SAML断言中提供的信息,例如属性和/或保证级别指示器。
Such certificates are sometimes issued in order to provide the user with a means to create an electronic signature that ties the user to the SAML subject, its attributes, and level of assurance indicators.
有时颁发此类证书是为了向用户提供创建电子签名的方法,该签名将用户与SAML主体、其属性和保证级别指标联系起来。
If such a certificate needs to conform to a certificate profile such as [RFC3739], then this certificate may have to use a separate set of attributes to express the subject identity. The certificate also may have to employ a format for attribute values that is different from the set of attributes obtained from the SAML assertion.
如果此类证书需要符合证书配置文件(如[RFC3739]),则该证书可能必须使用一组单独的属性来表示使用者身份。证书还可能必须采用不同于从SAML断言获得的属性集的属性值格式。
The extension defined in the document makes it possible to represent information about the authentication context employed when authenticating the subject for the purpose of issuing a certificate. This may include information such as:
文档中定义的扩展可以表示为颁发证书而对主体进行身份验证时使用的身份验证上下文的信息。这可能包括以下信息:
o the Identity Provider that authenticated the subject o the level of assurance with which the subject was authenticated o the trust framework where this level of assurance was defined o a unique reference to the authentication instant o a mapping between the subject attributes (obtained from the SAML assertion used to authenticate the subject) and the subject identity information placed in the issued certificate.
o 认证主体的身份提供者o认证主体的保证级别o定义该保证级别的信任框架o对认证瞬间的唯一引用o主体属性之间的映射(从用于认证主体的SAML断言获得)以及发布证书中的主体身份信息。
One scenario where this information may be useful arises when a user logs in to a service using SAML credentials, and the same user (at some point) is required to sign some information. The service may need to verify that the signature was created by the same user that logged on to the service. Today this is only possible using out-of-band knowledge about the Certification Authority (CA) that issued the certificate and its practices. However, this approach does not scale to a large number of service providers, identity providers, and CAs.
当用户使用SAML凭据登录到服务,并且需要同一用户(在某个点)签署某些信息时,就会出现一种情况,其中该信息可能很有用。服务可能需要验证签名是否由登录到服务的同一用户创建。今天,这只能使用有关颁发证书的证书颁发机构(CA)及其实践的带外知识。但是,这种方法不能扩展到大量的服务提供商、身份提供商和CA。
The extension defined here provides better scalability since it requires only the service provider to maintain a list of trusted CAs. All other information about the relationship between the certificate subject and the SAML authenticated subject is available in the certificate.
这里定义的扩展提供了更好的可伸缩性,因为它只需要服务提供商维护受信任CA的列表。证书中提供了有关证书主题和SAML认证主题之间关系的所有其他信息。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
The Authentication Context extension has the following syntax:
身份验证上下文扩展具有以下语法:
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
This extension holds a sequence of AuthenticationContext information. When present, this extension MUST include at least one AuthenticationContext.
此扩展保存一系列AuthenticationContext信息。存在时,此扩展必须至少包括一个AuthenticationContext。
The type of authentication context defined in AuthenticationContext is identified by the contextType. The contextType MUST contain a URI that identifies the context type as well as the data format and encoding of context information provided in contextInfo.
在AuthenticationContext中定义的身份验证上下文的类型由contextType标识。contextType必须包含一个URI,该URI标识contextInfo中提供的上下文类型以及上下文信息的数据格式和编码。
This extension MAY be marked critical.
此扩展可能被标记为关键。
Applications that find an authentication context information type they do not understand MUST ignore it if the extension is non-critical and MUST reject the certificate if the extension is marked critical. If an application requires that an authentication context exist, and either the extension is absent or none of the provided authentication contexts can be used, the end-user certificate fails validation.
如果应用程序发现了他们不理解的身份验证上下文信息类型,则必须忽略它(如果扩展是非关键的),如果扩展被标记为关键的,则必须拒绝证书。如果应用程序要求存在身份验证上下文,并且扩展不存在或者提供的身份验证上下文都不能使用,则最终用户证书验证失败。
This document defines one authentication context information type (Section 3) that is used to provide information about SAML-based authentication of the subject that was utilized in the certificate issuance process. Other documents can define other authentication context information types.
本文档定义了一种身份验证上下文信息类型(第3节),用于提供有关证书颁发过程中使用的基于SAML的主体身份验证的信息。其他文档可以定义其他身份验证上下文信息类型。
The SAML Authentication context information provides a contextType field that can be used to carry information about SAML-based authentication of the certified subject as utilized in the certificate issuance process.
SAML身份验证上下文信息提供了一个contextType字段,可用于携带关于证书颁发过程中使用的认证主体的基于SAML的身份验证的信息。
The data carried in this authentication context information field is identified by the following XML schema ([Schema1] [Schema2]) name space:
此身份验证上下文信息字段中包含的数据由以下XML架构([Schema1][Schema2])名称空间标识:
http://id.elegnamnden.se/auth-cont/1.0/saci
http://id.elegnamnden.se/auth-cont/1.0/saci
When this URI is specified as contextType, the associated XML data provided in contextInfo MUST be provided in the form of an XML document [XML], represented by a string of UTF-8-encoded characters.
当此URI指定为contextType时,contextInfo中提供的关联XML数据必须以XML文档[XML]的形式提供,由UTF-8编码字符字符串表示。
The XML document SHOULD exclude any unnecessary line breaks and white space, such as line indentation, to reduce its size as much as possible.
XML文档应排除任何不必要的换行符和空白,如行缩进,以尽可能减小其大小。
The data provided in contextInfo SHALL contain XML that is UTF-8 encoded in accordance with the XML schema provided in Appendix B. The XML document string in contextInfo MUST NOT include an XML header. That is, the XML document string contains only the root element <SAMLAuthContext> with its child elements <AuthContextInfo> and <IdAttributes>.
contextInfo中提供的数据应包含按照附录B中提供的XML模式进行UTF-8编码的XML。contextInfo中的XML文档字符串不得包含XML标题。也就是说,XML文档字符串只包含根元素<SAMLAuthContext>,以及子元素<AuthContextInfo>和<IdAttributes>。
The <AuthContextInfo> and <IdAttributes> elements are outlined in the following subsections.
以下小节概述了<AuthContextInfo>和<IdAttributes>元素。
The <AuthContextInfo> element MAY be present. This element contains the following attributes:
可能存在<AuthContextInfo>元素。此元素包含以下属性:
IdentityProvider (required): The SAML EntityID of the Identity Provider that authenticated the subject.
IdentityProvider(必需):对主体进行身份验证的身份提供程序的SAML EntityID。
AuthenticationInstant (required): Date and time when the subject was authenticated, expressed according to Appendix B.1.
AuthenticationInstant(必选):根据附录B.1对受试者进行认证的日期和时间。
AuthnContextClassRef (required): A URI identifying the AuthnContextClassRef that is provided in the AuthnStatement of the Assertion that was used to authenticate the subject. This URI identifies the context and the level of assurance associated with this instance of authentication.
AuthnContextClassRef(必需):标识AuthnContextClassRef的URI,该URI在用于验证主题的断言的AuthInstant中提供。此URI标识与此身份验证实例关联的上下文和保证级别。
AssertionRef (optional): A unique reference to the SAML assertion.
AssertionRef(可选):对SAML断言的唯一引用。
ServiceID (optional): An identifier of the service that verified the SAML assertion.
ServiceID(可选):验证SAML断言的服务的标识符。
The <AuthContextInfo> element may hold any number of child elements of type any (processContents="lax"), providing additional information according to local conventions. Any such elements SHOULD be ignored if not understood.
<AuthContextInfo>元素可以包含任意数量的any类型的子元素(processContents=“lax”),根据本地约定提供附加信息。如果不理解,则应忽略任何此类元素。
The <IdAttributes> element MAY be present. This element holds a sequence of one or more <AttributeMapping> elements, where each <AttributeMapping> element contains mapping information about one certificate subject attribute or name form present in the certificate.
可能存在<IdAttributes>元素。此元素包含一个或多个<AttributeMapping>元素的序列,其中每个<AttributeMapping>元素包含有关证书中存在的一个证书主题属性或名称表单的映射信息。
Each <AttributeMapping> element MUST specify the following attributes:
每个<AttributeMapping>元素必须指定以下属性:
Type: A string containing one of the enumerated values "rdn", "san", or "sda", specifying the type of certificate attribute or name form for which mapping information is provided:
类型:包含枚举值“rdn”、“san”或“sda”之一的字符串,指定为其提供映射信息的证书属性或名称形式的类型:
"rdn": Mapping information is provided for an attribute in a Relative Distinguished Name located in the subject field. "san": Mapping information is provided for a name in the Subject Alternative Name extension of the certificate. "sda": Mapping information is provided for an attribute in the Subject Directory Attributes extension.
“rdn”:为位于主题字段中的相对可分辨名称中的属性提供映射信息。“san”:为证书的Subject Alternative name extension中的名称提供映射信息。“sda”:为主题目录属性扩展中的属性提供映射信息。
Ref: A reference to the specific attribute or name field. This reference is dependent on the value of Type in the following way:
Ref:对特定属性或名称字段的引用。此引用以以下方式依赖于类型的值:
"rdn": Ref holds a string representation of the object identifier (OID) of the relative distinguished name attribute. "san": Ref holds a string representation of the explicit tag number of the Subject Alternative Name type (e.g., "1" = email address (rfc822Name) and "2" = dNSName). If the SubjectAlternative name is an otherName, then Ref holds a string representation of the OID defining the otherName form. "sda": Ref holds a string representation of the OID of the subject directory attribute attribute.
“rdn”:Ref保存相对可分辨名称属性的对象标识符(OID)的字符串表示形式。“san”:Ref保存主题替代名称类型(例如,“1”=电子邮件地址(rfc822Name)和“2”=dNSName)的显式标记号的字符串表示形式。如果SubjectAlternative名称是otherName,则Ref将保存定义otherName表单的OID的字符串表示形式。“sda”:Ref保存主题目录属性的OID的字符串表示形式。
String representations of object identifiers (OID) in the Ref attribute MUST be represented by a sequence of integers separated by a period, e.g., "2.5.4.32". This string contains only numerals (ASCII 0x30 to 0x39) and periods (ASCII 0x2E), and it MUST NOT contain any other characters.
Ref属性中对象标识符(OID)的字符串表示形式必须由一个由句点分隔的整数序列表示,例如“2.5.4.32”。此字符串仅包含数字(ASCII 0x30至0x39)和句点(ASCII 0x2E),且不得包含任何其他字符。
Each <AttributeMapping> element MUST contain a <saml:Attribute> element as defined in [SAML]. This SAML attribute element MUST have a Name attribute (specifying its type), MAY have other attributes, and MAY have zero or more <saml:AttributeValue> child elements. A present SAML attribute with absent attribute value limits mapping to the type of SAML attribute that was used to obtain the value stored in the referenced certificate subject attribute or name form, without duplicating the actual attribute value.
每个<AttributeMapping>元素必须包含[saml]中定义的<saml:Attribute>元素。此SAML属性元素必须具有名称属性(指定其类型),可以具有其他属性,并且可以具有零个或多个<SAML:AttributeValue>子元素。属性值缺失的当前SAML属性限制映射到SAML属性的类型,该类型用于获取存储在引用的证书主题属性或名称表单中的值,而不复制实际属性值。
If an attribute value is present in the SAML attribute, then the value stored in the certificate in the referenced attribute or name form MAY differ in format and encoding from the present SAML attribute value. For example, a SAML attribute value can specify a country expressed as "Sweden", while this country value is stored in the certificate in a countryName attribute using the two letter country code "SE".
如果SAML属性中存在属性值,则以引用属性或名称形式存储在证书中的值的格式和编码可能与当前SAML属性值不同。例如,SAML属性值可以指定表示为“瑞典”的国家,而该国家值使用两个字母的国家代码“SE”存储在countryName属性的证书中。
Several <AttributeMapping> elements MAY be present for the same certificate subject attribute or name form if the certificate contains multiple instances of this attribute or name form where their values were obtained from different SAML attributes. However, in such cases, it is not defined which present subject attribute or name form maps to which SAML attribute. A certificate-using application MAY attempt to determine this by comparing attribute values stored in this extension with attribute or name values present in the certificate, but this specification does not define any explicit matching rules that would guarantee an unambiguous result.
如果证书包含此属性或名称表单的多个实例,并且这些属性或名称表单的值是从不同的SAML属性获取的,则同一证书主题属性或名称表单可能存在多个<AttributeMapping>元素。但是,在这种情况下,没有定义哪个present subject属性或name表单映射到哪个SAML属性。使用证书的应用程序可能会尝试通过将此扩展中存储的属性值与证书中存在的属性值或名称值进行比较来确定这一点,但本规范未定义任何明确的匹配规则,以确保得到明确的结果。
The <AttributeMapping> element may hold any number of child elements of type any (processContents="lax"), providing additional information according to local conventions. Any such elements MAY be ignored if not understood.
<AttributeMapping>元素可以包含任意数量的any类型的子元素(processContents=“lax”),根据本地约定提供附加信息。如果不理解,则可以忽略任何此类元素。
Note: The <AttributeMapping> element is designed to provide mapping between SAML attributes and certificate subject attributes and name forms where there is a distinct and clear relationship between relevant SAML attributes and corresponding certificate attributes and name forms. This does not cover all aspects of complex mapping situations. If more than one SAML attribute maps to the same certificate attribute or if structured multivalued attributes are split into a range of other attributes and name forms, these situations are not covered.
注意:<AttributeMapping>元素旨在提供SAML属性和证书主题属性以及名称表单之间的映射,其中相关SAML属性和相应证书属性以及名称表单之间存在明确的关系。这并没有涵盖复杂映射情况的所有方面。如果多个SAML属性映射到同一证书属性,或者如果结构化多值属性被拆分为一系列其他属性和名称形式,则不包括这些情况。
Such complex mapping situations MAY be covered by extending this XML schema or by defining a more versatile context information schema.
这种复杂的映射情况可以通过扩展此XML模式或定义更通用的上下文信息模式来解决。
This extension allows a CA to outsource the process used to identify and authenticate a subject to another trust infrastructure in a dynamic manner that may differ from certificate to certificate. Since the authentication context is explicitly declared in the certificate, one certificate may be issued with a lower level of assurance than another, even though both have the same Issuer.
此扩展允许CA以动态方式将用于识别和验证主体的过程外包给另一个信任基础结构,这种方式可能因证书而异。由于认证上下文在证书中显式声明,因此一个证书的保证级别可能低于另一个证书,即使两者具有相同的颁发者。
This means that a relying party needs to be aware of the certificate policy under which this CA operates in order to understand when the certificate provides a level of assurance with regard to subject authentication that is higher than the lowest provided level. A relying party that is not capable of understanding the information in the authentication context extension MUST assume that the certificate is issued using the lowest allowed level of assurance declared by the policy.
这意味着依赖方需要了解该CA运行所依据的证书策略,以便了解证书何时提供高于最低提供级别的主体认证保证级别。无法理解身份验证上下文扩展中的信息的依赖方必须假定证书是使用策略声明的最低允许保证级别颁发的。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 Public Key Infrastructure: Qualified Certificates Profile", RFC 3739, DOI 10.17487/RFC3739, March 2004, <http://www.rfc-editor.org/info/rfc3739>.
[RFC3739]Santesson,S.,Nystrom,M.,和T.Polk,“互联网X.509公钥基础设施:合格证书档案”,RFC 3739,DOI 10.17487/RFC3739,2004年3月<http://www.rfc-editor.org/info/rfc3739>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 5280,DOI 10.17487/RFC5280,2008年5月<http://www.rfc-editor.org/info/rfc5280>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, DOI 10.17487/RFC5912, June 2010, <http://www.rfc-editor.org/info/rfc5912>.
[RFC5912]Hoffman,P.和J.Schaad,“使用X.509(PKIX)的公钥基础设施的新ASN.1模块”,RFC 5912,DOI 10.17487/RFC5912,2010年6月<http://www.rfc-editor.org/info/rfc5912>.
[SAML] Cantor, S., Kemp, J., Philpott, R., and E. Maler, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15 March 2005.
[SAML]Cantor,S.,Kemp,J.,Philpott,R.,和E.Maler,“OASIS安全断言标记语言(SAML)V2.0的断言和协议”,OASIS标准,2005年3月15日。
[XML] Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Edition)", W3C Recommendation, 26 November 2008, <https://www.w3.org/TR/2008/REC-xml-20081126/>.
[XML]Bray,T.,Paoli,J.,Sperberg McQueen,C.,Maler,E.,和F.Yergeau,“可扩展标记语言(XML)1.0(第五版)”,W3C建议,2008年11月26日<https://www.w3.org/TR/2008/REC-xml-20081126/>.
[Schema1] Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, "XML Schema Part 1: Structures", W3C Recommendation, 28 October 2004, <http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>.
[Schema1]Thompson,H.,Beech,D.,Maloney,M.,和N.Mendelsohn,“XML模式第1部分:结构”,W3C建议,2004年10月28日<http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>.
[Schema2] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes", W3C Recommendation, 28 October 2004, <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.
[Schema2]Biron,P.和A.Malhotra,“XML模式第2部分:数据类型”,W3C建议,2004年10月28日<http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.
This appendix includes the ASN.1 modules for the authentication context extension. Appendix B.1 includes an ASN.1 module that conforms to the 1998 version of ASN.1. Appendix B.2 includes an ASN.1 module, corresponding to the module present in Appendix B.1, that conforms to the 2008 version of ASN.1. Although a 2008 ASN.1 module is provided, the module in Appendix B.1 remains the normative module as per policy adopted by the PKIX working group for certificate-related specifications.
本附录包括用于身份验证上下文扩展的ASN.1模块。附录B.1包括符合1998年版ASN.1的ASN.1模块。附录B.2包括一个ASN.1模块,与附录B.1中的模块相对应,符合2008年版ASN.1。尽管提供了2008 ASN.1模块,但根据PKIX工作组针对证书相关规范所采用的政策,附录B.1中的模块仍然是规范性模块。
ACE-88
{iso(1) member-body(2) se(752) e-legnamnden(201)
id-mod(0) id-mod-auth-context-88(1)}
ACE-88
{iso(1) member-body(2) se(752) e-legnamnden(201)
id-mod(0) id-mod-auth-context-88(1)}
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
-- Authentication Context Extension
--身份验证上下文扩展
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2)
se(752) 201 }
id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 }
id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 }
e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2)
se(752) 201 }
id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 }
id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 }
END
终止
ACE-08
{iso(1) member-body(2) se(752) e-legnamnden(201)
id-mod(0) id-mod-auth-context-08(2)}
ACE-08
{iso(1) member-body(2) se(752) e-legnamnden(201)
id-mod(0) id-mod-auth-context-08(2)}
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
Extensions{}, EXTENSION
FROM PKIX-CommonTypes-2009 -- From [RFC5912]
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)};
Extensions{}, EXTENSION
FROM PKIX-CommonTypes-2009 -- From [RFC5912]
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)};
-- Authentication Context Extension
--身份验证上下文扩展
ext-AuthenticationContext EXTENSION ::= { SYNTAX
AuthenticationContexts IDENTIFIED BY
id-ce-authContext }
ext-AuthenticationContext EXTENSION ::= { SYNTAX
AuthenticationContexts IDENTIFIED BY
id-ce-authContext }
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF
AuthenticationContext
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
AuthenticationContext ::= SEQUENCE {
contextType UTF8String,
contextInfo UTF8String OPTIONAL
}
ElegnamndenCertExtensions EXTENSION ::= {
ext-AuthenticationContext, ... }
ElegnamndenCertExtensions EXTENSION ::= {
ext-AuthenticationContext, ... }
e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2)
se(752) 201 }
id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 }
id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 }
e-legnamnden OBJECT IDENTIFIER ::= { iso(1) member-body(2)
se(752) 201 }
id-eleg-ce OBJECT IDENTIFIER ::= { e-legnamnden 5 }
id-ce-authContext OBJECT IDENTIFIER ::= { id-eleg-ce 1 }
END
终止
This appendix contains an XML schema ([Schema1] [Schema2]) for the SAML Authentication context information defined in Section 3.
本附录包含第3节中定义的SAML身份验证上下文信息的XML模式([Schema1][Schema2])。
IMPORTANT NOTE: The XML Schema in Appendix B.1 specifies a URL on rows 9 and 10 to the SAML schemaLocation (http://docs.oasis-open.org/security/saml/v2.0/ saml-schema-assertion-2.0.xsd), which is too long to fit into one row and therefore contains a line break. This line break has to be removed before this schema can be successfully compiled.
重要提示:附录B.1中的XML模式在第9行和第10行指定了SAML模式位置的URL(http://docs.oasis-open.org/security/saml/v2.0/ saml-schema-assertion-2.0.xsd),太长,无法放入一行,因此包含换行符。必须先删除此换行符,然后才能成功编译此架构。
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/
saml-schema-assertion-2.0.xsd"/>
<xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/
saml-schema-assertion-2.0.xsd"/>
<xs:element name="SAMLAuthContext"
type="saci:SAMLAuthContextType"/>
<xs:complexType name="SAMLAuthContextType">
<xs:sequence>
<xs:element ref="saci:AuthContextInfo" minOccurs="0"/>
<xs:element ref="saci:IdAttributes" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="AuthContextInfo"
type="saci:AuthContextInfoType"/>
<xs:complexType name="AuthContextInfoType">
<xs:sequence>
<xs:any processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="IdentityProvider"
type="xs:string" use="required"/>
<xs:attribute name="AuthenticationInstant"
type="xs:dateTime" use="required"/>
<xs:attribute name="AuthnContextClassRef"
type="xs:anyURI" use="required"/>
<xs:attribute name="AssertionRef" type="xs:string"/>
<xs:element name="SAMLAuthContext"
type="saci:SAMLAuthContextType"/>
<xs:complexType name="SAMLAuthContextType">
<xs:sequence>
<xs:element ref="saci:AuthContextInfo" minOccurs="0"/>
<xs:element ref="saci:IdAttributes" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="AuthContextInfo"
type="saci:AuthContextInfoType"/>
<xs:complexType name="AuthContextInfoType">
<xs:sequence>
<xs:any processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="IdentityProvider"
type="xs:string" use="required"/>
<xs:attribute name="AuthenticationInstant"
type="xs:dateTime" use="required"/>
<xs:attribute name="AuthnContextClassRef"
type="xs:anyURI" use="required"/>
<xs:attribute name="AssertionRef" type="xs:string"/>
<xs:attribute name="ServiceID" type="xs:string"/>
</xs:complexType>
<xs:attribute name="ServiceID" type="xs:string"/>
</xs:complexType>
<xs:element name="IdAttributes" type="saci:IdAttributesType"/>
<xs:complexType name="IdAttributesType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="saci:AttributeMapping"/>
</xs:sequence>
</xs:complexType>
<xs:element name="AttributeMapping"
type="saci:AttributeMappingType"/>
<xs:complexType name="AttributeMappingType">
<xs:sequence>
<xs:element ref="saml:Attribute"/>
<xs:any processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Type" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="rdn"/>
<xs:enumeration value="san"/>
<xs:enumeration value="sda"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="Ref" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
<xs:element name="IdAttributes" type="saci:IdAttributesType"/>
<xs:complexType name="IdAttributesType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="saci:AttributeMapping"/>
</xs:sequence>
</xs:complexType>
<xs:element name="AttributeMapping"
type="saci:AttributeMappingType"/>
<xs:complexType name="AttributeMappingType">
<xs:sequence>
<xs:element ref="saml:Attribute"/>
<xs:any processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Type" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="rdn"/>
<xs:enumeration value="san"/>
<xs:enumeration value="sda"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="Ref" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
This appendix provides examples of SAML Authentication Context information according to the schema in Appendix B.
本附录根据附录B中的模式提供SAML身份验证上下文信息的示例。
The following is a complete example with authentication context information as well as mapping information for several subject field attributes and a subject alt name.
下面是一个完整的示例,其中包含身份验证上下文信息以及多个subject字段属性和subject alt name的映射信息。
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saci:AuthContextInfo
ServiceID="eid2csig"
AssertionRef="_71b981ab017eb42869ae4b62b2a63add"
IdentityProvider="https://idp-test.nordu.net/idp/shibboleth"
AuthenticationInstant="2013-03-05T22:59:57.000+01:00"
AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.6">
<saml:Attribute
FriendlyName="Country"
Name="urn:oid:2.5.4.6">
<saml:AttributeValue xsi:type="xs:string"
>SE</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute
FriendlyName="Personal ID Number"
Name="urn:oid:1.2.752.29.4.13">
<saml:AttributeValue xsi:type="xs:string"
>200007292386</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.42">
<saml:Attribute
FriendlyName="Given Name"
Name="urn:oid:2.5.4.42">
<saml:AttributeValue xsi:type="xs:string"
>John</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.4">
<saml:Attribute
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saci:AuthContextInfo
ServiceID="eid2csig"
AssertionRef="_71b981ab017eb42869ae4b62b2a63add"
IdentityProvider="https://idp-test.nordu.net/idp/shibboleth"
AuthenticationInstant="2013-03-05T22:59:57.000+01:00"
AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.6">
<saml:Attribute
FriendlyName="Country"
Name="urn:oid:2.5.4.6">
<saml:AttributeValue xsi:type="xs:string"
>SE</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute
FriendlyName="Personal ID Number"
Name="urn:oid:1.2.752.29.4.13">
<saml:AttributeValue xsi:type="xs:string"
>200007292386</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.42">
<saml:Attribute
FriendlyName="Given Name"
Name="urn:oid:2.5.4.42">
<saml:AttributeValue xsi:type="xs:string"
>John</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.4">
<saml:Attribute
FriendlyName="Surname"
Name="urn:oid:2.5.4.4">
<saml:AttributeValue xsi:type="xs:string"
>Doe</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.3">
<saml:Attribute
FriendlyName="Display Name"
Name="urn:oid:2.16.840.1.113730.3.1.241">
<saml:AttributeValue xsi:type="xs:string"
>John Doe</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="san" Ref="1">
<saml:Attribute
FriendlyName="E-mail"
Name="urn:oid:0.9.2342.19200300.100.1.3">
<saml:AttributeValue xsi:type="xs:string"
>john.doe@example.com</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
FriendlyName="Surname"
Name="urn:oid:2.5.4.4">
<saml:AttributeValue xsi:type="xs:string"
>Doe</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.3">
<saml:Attribute
FriendlyName="Display Name"
Name="urn:oid:2.16.840.1.113730.3.1.241">
<saml:AttributeValue xsi:type="xs:string"
>John Doe</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
<saci:AttributeMapping Type="san" Ref="1">
<saml:Attribute
FriendlyName="E-mail"
Name="urn:oid:0.9.2342.19200300.100.1.3">
<saml:AttributeValue xsi:type="xs:string"
>john.doe@example.com</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
This example shows an instance of the SAML Authentication Context information that only provides a mapping table without providing any authentication context information or SAML attribute values.
此示例显示了SAML身份验证上下文信息的一个实例,该信息仅提供映射表,而不提供任何身份验证上下文信息或SAML属性值。
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.6">
<saml:Attribute Name="urn:oid:2.5.4.6"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute Name="urn:oid:1.2.752.29.4.13"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.42">
<saml:Attribute Name="urn:oid:2.5.4.42"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.4">
<saml:Attribute Name="urn:oid:2.5.4.4"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.3">
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.6">
<saml:Attribute Name="urn:oid:2.5.4.6"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute Name="urn:oid:1.2.752.29.4.13"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.42">
<saml:Attribute Name="urn:oid:2.5.4.42"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.4">
<saml:Attribute Name="urn:oid:2.5.4.4"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.3">
<saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="san" Ref="1">
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
<saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
</saci:AttributeMapping>
<saci:AttributeMapping Type="san" Ref="1">
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
This example shows an instance of the SAML Authentication Context information; it provides authentication context information and mapping information that specifies the source of the data stored in the serialNumber attribute in the subject field.
此示例显示SAML身份验证上下文信息的一个实例;它提供身份验证上下文信息和映射信息,指定存储在主题字段的serialNumber属性中的数据源。
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saci:AuthContextInfo
ServiceID="eid2csig"
AssertionRef="_71b981ab017eb42869ae4b62b2a63add"
IdentityProvider="https://idp-test.nordu.net/idp/shibboleth"
AuthenticationInstant="2013-03-05T22:59:57.000+01:00"
AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute
FriendlyName="Personal ID Number"
Name="urn:oid:1.2.752.29.4.13">
<saml:AttributeValue xsi:type="xs:string"
>200007292386</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
<saci:SAMLAuthContext
xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saci:AuthContextInfo
ServiceID="eid2csig"
AssertionRef="_71b981ab017eb42869ae4b62b2a63add"
IdentityProvider="https://idp-test.nordu.net/idp/shibboleth"
AuthenticationInstant="2013-03-05T22:59:57.000+01:00"
AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
<saci:IdAttributes>
<saci:AttributeMapping Type="rdn" Ref="2.5.4.5">
<saml:Attribute
FriendlyName="Personal ID Number"
Name="urn:oid:1.2.752.29.4.13">
<saml:AttributeValue xsi:type="xs:string"
>200007292386</saml:AttributeValue>
</saml:Attribute>
</saci:AttributeMapping>
</saci:IdAttributes>
</saci:SAMLAuthContext>
Author's Address
作者地址
Stefan Santesson 3xA Security AB Scheelev. 17 223 70 Lund Sweden Email: sts@aaa-sec.com
Stefan Santesson 3SA安全AB Scheelev。1722370Lund瑞典电子邮件:sts@aaa-证券交易委员会