NZ SAMS Constraints on the OASIS SAML v2.0 Authentication Context

Specification Name: Authentication Context for OASIS SAML v2.0

SAML Specification Reference: Saml-authn-context-2.0-os

This html page contains lines 879-897 from Part 2 of the PDF version of NZ SAMS v1.0

If a service provider is to rely on the authentication of the principal by an authentication authority, e.g. the GLS, then the identity provider MAY provide additional information about the assertion so that the service provider can assess the level of confidence at which the assertion was generated. The authentication context MAY also be used to request the required method of authentication; that is, the request may specify two-factor authentication or stronger.

Authentication contexts MAY be ranked in order of strength and complexity. Where custom <AuthnContext> elements are used, they MUST be communicated out of band by the IdP to the service providers. This includes the ranking of the authentication contexts.

End of line 886

The following table, Table 11, sets out the authentication context requirements for NZ SAMS.

Table 11 – NZ SAMS constraints on OASIS SAML v2.0 authentication context

Authentication Context for SAML v2.0

Subsection 2.2 Extensibility

Line: 195-200

What is Excluded or Altered from the SAML v2.0:

Extensions to the defined authentication contexts MUST NOT occur. Custom schema snippets have the potential to allow non-standard implementations and prevent interoperability between partners.

Subsection 3. Authentication Context classes

Line: 1062-3834

<AuthenticationContextClassDecl> MUST NOT be used.

Line: 1133-1143

Deployment alignment: Custom authentication contexts are defined for the GLS. The default for the authentication context is 'basic'. This is required in the GLS to send key strength. Further details on authentication contexts can be obtained in [GLSMS].
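A service-provider-side check of the constraints above, added here as an illustration and not code from NZ SAMS or the GLS. It assumes a ranking of custom context class URIs agreed out of band with the IdP (the `urn:example:gls:...` values are placeholders), treats any inline declaration or declaration reference in the assertion's AuthnContext as a prohibited custom schema snippet, and rejects assertions whose class is unranked or weaker than what the service provider requested.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical ranking, weakest first. NZ SAMS requires the IdP to communicate
# custom contexts and their ranking out of band; these URIs are placeholders.
CONTEXT_RANK = [
    "urn:example:gls:authncontext:basic",     # placeholder for the 'basic' default
    "urn:example:gls:authncontext:moderate",
    "urn:example:gls:authncontext:strong",
]


def make_assertion(authn_context_body):
    """Wrap constructed AuthnContext content in a minimal SAML 2.0 assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed">'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"<saml:AuthnContext>{authn_context_body}</saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


def check_authn_context(assertion_xml, minimum):
    """Return (accepted, reason) for the assertion's authentication context.

    Accepts only a bare AuthnContextClassRef that is in the agreed ranking and
    at least as strong as `minimum`; any inline declaration or declaration
    reference is treated as a prohibited custom schema snippet.
    """
    if minimum not in CONTEXT_RANK:
        raise ValueError(f"required context {minimum!r} is not in the agreed ranking")
    root = ET.fromstring(assertion_xml)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    if ctx is None:
        return False, "assertion carries no AuthnContext"
    for forbidden in ("saml:AuthnContextDecl", "saml:AuthnContextDeclRef"):
        if ctx.find(forbidden, NS) is not None:
            return False, f"{forbidden.split(':')[1]} present: custom declarations not permitted"
    ref = (ctx.findtext("saml:AuthnContextClassRef", default="", namespaces=NS) or "").strip()
    if ref not in CONTEXT_RANK:
        return False, f"unknown or unranked class {ref!r}"
    if CONTEXT_RANK.index(ref) < CONTEXT_RANK.index(minimum):
        return False, f"{ref} is weaker than required {minimum}"
    return True, "accepted"
```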

